Report forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>: Bug#446956; Package openser.
Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>.
Package: openser
Version: 1.1.0-9etch1
Severity: important
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for openser.
CVE-2007-5469[0]:
| OpenSER 1.2.2 does not verify the Digest authentication header URI
| against the Request URI in SIP messages, which allows remote attackers
| to use sniffed Digest authentication credentials to call arbitrary
| telephone numbers or spoof caller ID (aka "toll fraud and
| authentication forward attack").
If you fix this vulnerability please also include the CVE id
in your changelog entry.
For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5469
Kind regards
Nico
--
Nico Golde - http://ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>: Bug#446956; Package openser.
Acknowledgement sent to Julien BLACHE <jblache@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>.
Subject: Re: Bug#446956: CVE-2007-5469 toll fraud and authentication forward attack
Date: Wed, 17 Oct 2007 10:25:19 +0200
Nico Golde <nion@debian.org> wrote:
Hi,
> CVE-2007-5469[0]:
> | OpenSER 1.2.2 does not verify the Digest authentication header URI
> | against the Request URI in SIP messages, which allows remote attackers
> | to use sniffed Digest authentication credentials to call arbitrary
> | telephone numbers or spoof caller ID (aka "toll fraud and
> | authentication forward attack").
I can dig up the patch mentioned on full-disclosure, but it's only
one part of the solution. The user needs to add the required logic to
their config to actually "fix" the problem.
Also it's not clear yet whether this also applies to OpenSER < 1.2,
though the post on full-disclosure seems to imply that all versions
prior to SVN 20071004 are affected.
JB.
--
Julien BLACHE - Debian & GNU/Linux Developer - <jblache@debian.org>
Public key available on <http://www.jblache.org> - KeyID: F5D6 5169
GPG Fingerprint : 935A 79F1 C8B3 3521 FD62 7CC7 CD61 4FD7 F5D6 5169
Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>: Bug#446956; Package openser.
Acknowledgement sent to daniel@voice-system.ro:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>.
To: Julien BLACHE <jblache@debian.org>, 446956@bugs.debian.org
Cc: Nico Golde <nion@debian.org>
Subject: Re: Bug#446956: CVE-2007-5469 toll fraud and authentication forward attack
Date: Wed, 17 Oct 2007 12:19:09 +0300
Hello,
On 10/17/07 11:25, Julien BLACHE wrote:
> Nico Golde <nion@debian.org> wrote:
>
> Hi,
>
>
>> CVE-2007-5469[0]:
>> | OpenSER 1.2.2 does not verify the Digest authentication header URI
>> | against the Request URI in SIP messages, which allows remote attackers
>> | to use sniffed Digest authentication credentials to call arbitrary
>> | telephone numbers or spoof caller ID (aka "toll fraud and
>> | authentication forward attack").
>>
>
> I can dig up the patch mentioned on full-disclosure, but it's only
> one part of the solution. The user needs to add the required logic to
> their config to actually "fix" the problem.
>
> Also it's not clear yet whether this also applies to OpenSER < 1.2,
> though the post on full-disclosure seems to imply that all versions
> prior to SVN 20071004 are affected.
>
Practically, the check can be done in all versions of openser>=1.0.0,
but it is a bit more complex. The update in the SVN just eases the check by
making the digest URI directly available via a pseudo-variable.
The solution for older versions is:
- write the body of the Authorization/Proxy-Authorization header into an AVP
via avp_printf()
- do an avp_subst() and extract the value of the digest URI into another AVP
- use avp_check() to check it against the R-URI
The reason for leaving the check in the config file is to give more liberty
in performing it. Imagine that the proxies are behind a load balancer
and the R-URI is changed by the LB; in that case all auth will fail. The
admin can add the initial R-URI in a special header at the LB and in the
proxy compare that value with the digest URI. Embedding this check in the
auth modules seemed too rigid.
Cheers,
Daniel
> JB.
>
>
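The check Daniel outlines (pull the digest URI out of the Authorization/Proxy-Authorization header and compare it with the R-URI), as an added Python example that is not part of OpenSER or of this bug report. It verifies a Digest credential the way RFC 2617 prescribes, which hashes the URI carried inside the header rather than the Request-URI, and then shows why the extra comparison matters: with `check_uri=False` a sniffed header replayed toward another number is accepted, with the check it is rejected. The subscriber table, nonce, SIP messages and the `X-Original-RURI` header name (standing in for the "special header" a load balancer would add) are all constructed for the example; nonce issuance and expiry, which a real proxy must also do, are out of scope.

```python
# Added example, not OpenSER code. Subscriber table, nonce, SIP messages and the
# X-Original-RURI header name are constructed for illustration.
import hashlib
import hmac
import re

DIGEST_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def _md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def parse_digest(header_value: str) -> dict:
    """Split 'Digest k="v", k2=v2, ...' into a dict of parameters."""
    scheme, _, params = header_value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credential")
    return {key: quoted or bare for key, quoted, bare in DIGEST_PARAM_RE.findall(params)}


def parse_sip_request(raw: str):
    """Return (method, request_uri, headers) with header names lower-cased."""
    lines = raw.split("\r\n")
    method, request_uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:  # empty line ends the header section
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, request_uri, headers


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """RFC 2617 response: the digest URI (not the R-URI) is what enters HA2."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    if qop == "auth":
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def build_authorization(username, realm, password, method, uri, nonce):
    response = digest_response(username, realm, password, method, uri, nonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{response}", algorithm=MD5')


def verify(raw_request, passwords, check_uri=True, original_ruri_header=None):
    """Authenticate one request and return a short verdict.

    check_uri=False reproduces the behaviour CVE-2007-5469 describes: a valid
    response for the URI inside the header is accepted whatever the R-URI says.
    original_ruri_header names the (hypothetical) header in which a load
    balancer preserved the R-URI it rewrote.
    """
    method, ruri, headers = parse_sip_request(raw_request)
    auth = headers.get("proxy-authorization") or headers.get("authorization")
    if auth is None:
        return "no-credentials"
    creds = parse_digest(auth)
    password = passwords.get(creds.get("username"))
    if password is None:
        return "unknown-user"
    expected = digest_response(creds["username"], creds.get("realm", ""), password,
                               method, creds.get("uri", ""), creds.get("nonce", ""),
                               creds.get("qop"), creds.get("nc"), creds.get("cnonce"))
    if not hmac.compare_digest(expected, creds.get("response", "")):
        return "bad-response"
    if check_uri:
        expected_uri = ruri
        if original_ruri_header:
            expected_uri = headers.get(original_ruri_header.lower(), ruri)
        if creds.get("uri") != expected_uri:
            return "uri-mismatch"
    return "ok"


# --- constructed sample data --------------------------------------------------
REALM = "example.com"
NONCE = "4f2c1a9e8b7d"            # a real proxy issues and expires nonces
PASSWORDS = {"alice": "s3cret"}   # stand-in for the subscriber table
LEGIT_RURI = "sip:1000@example.com"
ALICE_AUTH = build_authorization("alice", REALM, PASSWORDS["alice"],
                                 "INVITE", LEGIT_RURI, NONCE)


def make_invite(ruri, auth_header, extra_headers=()):
    lines = [
        f"INVITE {ruri} SIP/2.0",
        "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds",
        f"From: <sip:alice@{REALM}>;tag=1928301774",
        f"To: <{ruri}>",
        "Call-ID: a84b4c76e66710@192.0.2.10",
        "CSeq: 2 INVITE",
        f"Proxy-Authorization: {auth_header}",
        *extra_headers,
        "Content-Length: 0",
    ]
    return "\r\n".join(lines) + "\r\n\r\n"


LEGIT_INVITE = make_invite(LEGIT_RURI, ALICE_AUTH)
# Sniffed header replayed toward a different number: the toll-fraud case.
REPLAYED_INVITE = make_invite("sip:+15555550100@example.com", ALICE_AUTH)
# R-URI rewritten by a load balancer that kept the original in a header.
BEHIND_LB_INVITE = make_invite("sip:1000@10.0.0.5", ALICE_AUTH,
                               ["X-Original-RURI: sip:1000@example.com"])

if __name__ == "__main__":
    print("legit             :", verify(LEGIT_INVITE, PASSWORDS))
    print("replay, no check  :", verify(REPLAYED_INVITE, PASSWORDS, check_uri=False))
    print("replay, with check:", verify(REPLAYED_INVITE, PASSWORDS))
    print("behind LB, naive  :", verify(BEHIND_LB_INVITE, PASSWORDS))
    print("behind LB, header :", verify(BEHIND_LB_INVITE, PASSWORDS,
                                        original_ruri_header="X-Original-RURI"))
```

The `check_uri` branch is the whole of the mitigation: the response itself still verifies on the replayed INVITE because the attacker left the header untouched and only changed the request line and To. In OpenSER 1.3 the digest URI is exposed to the routing script as the `$adu` pseudo-variable (see the changelog later in this log), so the comparison becomes a one-line test against the R-URI in openser.cfg; on older releases it has to be cut out of the header with the AVP operations Daniel lists. The load-balancer branch is the reason the check is left to the script rather than hard-wired into the auth modules.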
Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>: Bug#446956; Package openser.
Acknowledgement sent to Julien BLACHE <jblache@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>.
Subject: Re: Bug#446956: CVE-2007-5469 toll fraud and authentication forward attack
Date: Wed, 17 Oct 2007 11:33:56 +0200
Daniel-Constantin Mierla <daniel@voice-system.ro> wrote:
Hi,
> Practically, the check can be done in all versions of openser>=1.0.0,
> but it is a bit more complex. The update in the SVN just eases the check by
> making the digest URI directly available via a pseudo-variable.
That's what I thought too...
> The reason for leaving the check in the config file is to give more
> liberty in performing it. Imagine that the proxies are behind a load
> balancer and the R-URI is changed by the LB; in that case all auth
> will fail. The admin can add the initial R-URI in a special header at
> the LB and in the proxy compare that value with the digest URI. Embedding
> this check in the auth modules seemed too rigid.
Indeed.
I think someone's been a bit too trigger-happy with the CVE
assignment. I'll upload packages patched with SVN rev 2852 if the
security team feels it's necessary, otherwise I'm perfectly happy with
just closing that bug report.
JB.
--
Julien BLACHE <jblache@debian.org> | Debian, because code matters more
Debian & GNU/Linux Developer | <http://www.debian.org>
Public key available on <http://www.jblache.org> - KeyID: F5D6 5169
GPG Fingerprint : 935A 79F1 C8B3 3521 FD62 7CC7 CD61 4FD7 F5D6 5169
Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>: Bug#446956; Package openser.
Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>.
Hi Julien,
* Julien BLACHE <jblache@debian.org> [2007-10-17 20:13]:
> Daniel-Constantin Mierla <daniel@voice-system.ro> wrote:
[...]
> > The reason for leaving the check in the config file is to give more
> > liberty in performing it. Imagine that the proxies are behind a load
> > balancer and the R-URI is changed by the LB; in that case all auth
> > will fail. The admin can add the initial R-URI in a special header at
> > the LB and in the proxy compare that value with the digest URI. Embedding
> > this check in the auth modules seemed too rigid.
>
> Indeed.
>
> I think someone's been a bit too trigger-happy with the CVE
> assignment. I'll upload packages patched with SVN rev 2852 if the
> security team feels it's necessary, otherwise I'm perfectly happy with
> just closing that bug report.
This was marked as a security flaw with low impact in the
security tracker by me. So this is no "please upload as fast
as possible" bug, but I think the patch won't hurt.
Kind regards
Nico
--
Nico Golde - http://ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>: Bug#446956; Package openser.
Acknowledgement sent to Julien BLACHE <jblache@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>.
Subject: Re: Bug#446956: CVE-2007-5469 toll fraud and authentication forward attack
Date: Wed, 17 Oct 2007 21:44:41 +0200
Nico Golde <nion@debian.org> wrote:
Hi,
> This was marked as a security flaw with low impact in the
> security tracker by me. So this is no "please upload as fast
> as possible" bug, but I think the patch won't hurt.
The patch doesn't fix anything but makes it easier to do the check in
its simplest form in the config file.
This is not a vulnerability, it's not even a flaw because having the
two URIs mismatch is allowed by the standard and happens in some
setups for valid reasons.
There's no hole in OpenSER itself; depending on the user setup,
checking the URIs can be required or not, so it's entirely a config
issue from there on.
I don't consider this a security issue as far as Debian is concerned
and I recommend not issuing a DSA for this. I feel issuing a DSA for
this issue could potentially mislead our users, letting them think the
update handles the problem when it doesn't.
So if you agree with this, I'm just going to leave this bug open and
I'll close it with the OpenSER 1.3 upload in december.
JB.
--
Julien BLACHE <jblache@debian.org> | Debian, because code matters more
Debian & GNU/Linux Developer | <http://www.debian.org>
Public key available on <http://www.jblache.org> - KeyID: F5D6 5169
GPG Fingerprint : 935A 79F1 C8B3 3521 FD62 7CC7 CD61 4FD7 F5D6 5169
Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>: Bug#446956; Package openser.
Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>.
Hi Julien,
* Julien BLACHE <jblache@debian.org> [2007-10-17 21:48]:
> Nico Golde <nion@debian.org> wrote:
> > This was marked as a security flaw with low impact in the
> > security tracker by me. So this is no "please upload as fast
> > as possible" bug, but I think the patch won't hurt.
>
> The patch doesn't fix anything but makes it easier to do the check in
> its simplest form in the config file.
>
> This is not a vulnerability, it's not even a flaw because having the
> two URIs mismatch is allowed by the standard and happens in some
> setups for valid reasons.
Ok.
> There's no hole in OpenSER itself; depending on the user setup,
> checking the URIs can be required or not, so it's entirely a config
> issue from there on.
Ok sounds plausible.
> I don't consider this a security issue as far as Debian is concerned
> and I recommend not issuing a DSA for this. I feel issuing a DSA for
> this issue could potentially mislead our users, letting them think the
> update handles the problem when it doesn't.
>
> So if you agree with this, I'm just going to leave this bug open and
> I'll close it with the OpenSER 1.3 upload in december.
Ok, I marked it as unimportant and downgraded this bug.
Thanks for your efforts!
Cheers
Nico
--
Nico Golde - http://ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Severity set to `normal' from `important'
Request was from Nico Golde <nion@debian.org>
to control@bugs.debian.org.
(Wed, 17 Oct 2007 20:03:06 GMT)
Reply sent to Julien BLACHE <jblache@debian.org>:
You have taken responsibility.
Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer.
Source: openser
Source-Version: 1.3.0-1
We believe that the bug you reported is fixed in the latest version of
openser, which is due to be installed in the Debian FTP archive:
openser-berkeley-module_1.3.0-1_amd64.deb
to pool/main/o/openser/openser-berkeley-module_1.3.0-1_amd64.deb
openser-carrierroute-module_1.3.0-1_amd64.deb
to pool/main/o/openser/openser-carrierroute-module_1.3.0-1_amd64.deb
openser-cpl-module_1.3.0-1_amd64.deb
to pool/main/o/openser/openser-cpl-module_1.3.0-1_amd64.deb
openser-dbg_1.3.0-1_amd64.deb
to pool/main/o/openser/openser-dbg_1.3.0-1_amd64.deb
openser-jabber-module_1.3.0-1_amd64.deb
to pool/main/o/openser/openser-jabber-module_1.3.0-1_amd64.deb
openser-ldap-modules_1.3.0-1_amd64.deb
to pool/main/o/openser/openser-ldap-modules_1.3.0-1_amd64.deb
openser-mysql-module_1.3.0-1_amd64.deb
to pool/main/o/openser/openser-mysql-module_1.3.0-1_amd64.deb
openser-perl-modules_1.3.0-1_amd64.deb
to pool/main/o/openser/openser-perl-modules_1.3.0-1_amd64.deb
openser-postgres-module_1.3.0-1_amd64.deb
to pool/main/o/openser/openser-postgres-module_1.3.0-1_amd64.deb
openser-presence-modules_1.3.0-1_amd64.deb
to pool/main/o/openser/openser-presence-modules_1.3.0-1_amd64.deb
openser-radius-modules_1.3.0-1_amd64.deb
to pool/main/o/openser/openser-radius-modules_1.3.0-1_amd64.deb
openser-snmpstats-module_1.3.0-1_amd64.deb
to pool/main/o/openser/openser-snmpstats-module_1.3.0-1_amd64.deb
openser-unixodbc-module_1.3.0-1_amd64.deb
to pool/main/o/openser/openser-unixodbc-module_1.3.0-1_amd64.deb
openser-xmlrpc-module_1.3.0-1_amd64.deb
to pool/main/o/openser/openser-xmlrpc-module_1.3.0-1_amd64.deb
openser-xmpp-module_1.3.0-1_amd64.deb
to pool/main/o/openser/openser-xmpp-module_1.3.0-1_amd64.deb
openser_1.3.0-1.diff.gz
to pool/main/o/openser/openser_1.3.0-1.diff.gz
openser_1.3.0-1.dsc
to pool/main/o/openser/openser_1.3.0-1.dsc
openser_1.3.0-1_amd64.deb
to pool/main/o/openser/openser_1.3.0-1_amd64.deb
openser_1.3.0.orig.tar.gz
to pool/main/o/openser/openser_1.3.0.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 446956@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Julien BLACHE <jblache@debian.org> (supplier of updated openser package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Thu, 13 Dec 2007 17:47:34 +0100
Source: openser
Binary: openser-xmlrpc-module openser-perl-modules openser-berkeley-module openser-presence-modules openser-mysql-module openser-unixodbc-module openser openser-snmpstats-module openser-ldap-modules openser-jabber-module openser-cpl-module openser-carrierroute-module openser-postgres-module openser-dbg openser-xmpp-module openser-radius-modules
Architecture: source amd64
Version: 1.3.0-1
Distribution: experimental
Urgency: low
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Julien BLACHE <jblache@debian.org>
Description:
openser - very fast and configurable SIP proxy
openser-berkeley-module - Berkeley Database module for OpenSER
openser-carrierroute-module - Carrierroute module for OpenSER
openser-cpl-module - CPL module (CPL interpreter engine) for OpenSER
openser-dbg - very fast and configurable SIP proxy [debug symbols]
openser-jabber-module - Jabber gateway module for OpenSER
openser-ldap-modules - LDAP modules for OpenSER
openser-mysql-module - MySQL database connectivity module for OpenSER
openser-perl-modules - Perl extensions and database driver for OpenSER
openser-postgres-module - PostgreSQL database connectivity module for OpenSER
openser-presence-modules - SIMPLE presence modules for OpenSER
openser-radius-modules - radius modules for OpenSER
openser-snmpstats-module - SNMP AgentX subagent module for OpenSER
openser-unixodbc-module - unixODBC database connectivity module for OpenSER
openser-xmlrpc-module - XMLRPC support for OpenSER's Management Interface
openser-xmpp-module - XMPP gateway module for OpenSER
Closes: 446956
Changes:
openser (1.3.0-1) experimental; urgency=low
.
* New upstream release.
+ Adds new variable $adu to make it easier to check the auth digest URI
matches the To/R-URI; in response to CVE-2007-5469 (closes: #446956).
* debian/control:
+ Add build-dependency on libcurl4-gnutls-dev.
* debian/rules:
+ Add the xcap_client module in openser-presence-modules.
Files:
4c1b2ac8362cf54928a4132305b14eda 1454 net optional openser_1.3.0-1.dsc
e380fa73095274162fac129e16d7c7d8 3405325 net optional openser_1.3.0.orig.tar.gz
a63fa9de23238c28ed06bf1953f59976 13067 net optional openser_1.3.0-1.diff.gz
cacb8c6794f574765e42d84ad322a0cb 1516858 net optional openser_1.3.0-1_amd64.deb
a1e4ddaaa5396b0b0e03912a1f521579 4230004 net extra openser-dbg_1.3.0-1_amd64.deb
3b13292f8cdd232594ef0c0c4b716321 32962 net optional openser-mysql-module_1.3.0-1_amd64.deb
d18f7aa92527aca9950d0b5f9dc77c0a 38708 net optional openser-postgres-module_1.3.0-1_amd64.deb
36f1ab9690283e3fbc11e2ce4243ee13 78278 net optional openser-jabber-module_1.3.0-1_amd64.deb
ef4a4e77f302229c670f14c01a0784ab 97686 net optional openser-cpl-module_1.3.0-1_amd64.deb
eb4934a2f32f6cb05402a3e05ca61197 38136 net optional openser-radius-modules_1.3.0-1_amd64.deb
cab286c54f84b8b7a0255745bdd25f1b 25230 net optional openser-unixodbc-module_1.3.0-1_amd64.deb
b78d8d7ad420704073beee536515d9b6 210484 net optional openser-presence-modules_1.3.0-1_amd64.deb
7f24818fe61af8d8c77ce10239a5ec23 53732 net optional openser-xmlrpc-module_1.3.0-1_amd64.deb
76ed47b49422f2b6e018a10e58ad0f93 74124 net optional openser-perl-modules_1.3.0-1_amd64.deb
6160d3871c1aed2f1914903b763a78ca 65232 net optional openser-snmpstats-module_1.3.0-1_amd64.deb
db5a17b2df6c0da47f4bf47979bf14ff 44692 net optional openser-xmpp-module_1.3.0-1_amd64.deb
46228b118e3f27e1bfe129c1ceaf8efc 53552 net optional openser-carrierroute-module_1.3.0-1_amd64.deb
5d6286624a8f895ac8a4a4ab99268cbb 60256 net optional openser-berkeley-module_1.3.0-1_amd64.deb
5dce6fdd73e8f32b6421b0e94281a256 50384 net optional openser-ldap-modules_1.3.0-1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFHYWP7zWFP1/XWUWkRAtlcAJ4/a5z6I1OIA2PHEopyqjemBdew0QCghQJX
6b9eXPvnrIom6j2peV8inQg=
=UlFS
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Tue, 15 Jan 2008 07:35:44 GMT)