Debian Bug report logs - #446956
CVE-2007-5469 toll fraud and authentication forward attack


Package: openser; Maintainer for openser is (unknown);

Reported by: Nico Golde <nion@debian.org>

Date: Tue, 16 Oct 2007 21:45:02 UTC

Severity: normal

Tags: security

Found in version openser/1.1.0-9etch1

Fixed in version openser/1.3.0-1

Done: Julien BLACHE <jblache@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#446956; Package openser.


Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: CVE-2007-5469 toll fraud and authentication forward attack
Date: Tue, 16 Oct 2007 23:42:27 +0200
Package: openser
Version: 1.1.0-9etch1
Severity: important
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for openser.

CVE-2007-5469[0]:
| OpenSER 1.2.2 does not verify the Digest authentication header URI
| against the Request URI in SIP messages, which allows remote attackers
| to use sniffed Digest authentication credentials to call arbitrary
| telephone numbers or spoof caller ID (aka "toll fraud and
| authentication forward attack").

If you fix this vulnerability please also include the CVE id
in your changelog entry.

For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5469

Kind regards
Nico

-- 
Nico Golde - http://ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Message #10 received at 446956@bugs.debian.org:

From: Julien BLACHE <jblache@debian.org>
To: Nico Golde <nion@debian.org>
Cc: 446956@bugs.debian.org
Subject: Re: Bug#446956: CVE-2007-5469 toll fraud and authentication forward attack
Date: Wed, 17 Oct 2007 10:25:19 +0200
Nico Golde <nion@debian.org> wrote:

Hi,

> CVE-2007-5469[0]:
> | OpenSER 1.2.2 does not verify the Digest authentication header URI
> | against the Request URI in SIP messages, which allows remote attackers
> | to use sniffed Digest authentication credentials to call arbitrary
> | telephone numbers or spoof caller ID (aka "toll fraud and
> | authentication forward attack").

I can dig up the patch mentioned on full-disclosure, but it's only
one part of the solution. The user needs to add the required logic in
their config to actually "fix" the problem.

Also it's not clear yet whether this also applies to OpenSER < 1.2,
though the post on full-disclosure seems to imply that all versions
prior to SVN 20071004 are affected.

JB.

-- 
 Julien BLACHE - Debian & GNU/Linux Developer - <jblache@debian.org> 
 
 Public key available on <http://www.jblache.org> - KeyID: F5D6 5169 
 GPG Fingerprint : 935A 79F1 C8B3 3521 FD62 7CC7 CD61 4FD7 F5D6 5169 




Message #15 received at 446956@bugs.debian.org:

From: Daniel-Constantin Mierla <daniel@voice-system.ro>
To: Julien BLACHE <jblache@debian.org>, 446956@bugs.debian.org
Cc: Nico Golde <nion@debian.org>
Subject: Re: Bug#446956: CVE-2007-5469 toll fraud and authentication forward attack
Date: Wed, 17 Oct 2007 12:19:09 +0300
Hello,

On 10/17/07 11:25, Julien BLACHE wrote:
> Nico Golde <nion@debian.org> wrote:
>
> Hi,
>
>   
>> CVE-2007-5469[0]:
>> | OpenSER 1.2.2 does not verify the Digest authentication header URI
>> | against the Request URI in SIP messages, which allows remote attackers
>> | to use sniffed Digest authentication credentials to call arbitrary
>> | telephone numbers or spoof caller ID (aka "toll fraud and
>> | authentication forward attack").
>>     
>
> I can dig up the patch mentioned on full-disclosure, but it's only
> one part of the solution. The user needs to add the required logic in
> their config to actually "fix" the problem.
>
> Also it's not clear yet whether this also applies to OpenSER < 1.2,
> though the post on full-disclosure seems to imply that all versions
> prior to SVN 20071004 are affected.
>   
Practically, the check can be done in all versions of openser>=1.0.0,
but it is a bit more complex. The update in the SVN just eases the check, by
making the digest URI directly available via a pseudo-variable.

The solution for older versions is:

- write the body of the Authorization/Proxy-Authorization header in an AVP
via avp_printf()
- do an avp_subst() and substract the value of the digest URI in another AVP
- use avp_check() to check it against R-URI

The solution of leaving the check in the config file is to give more liberty
in performing it. Imagine that the proxies are behind a load balancer,
and the R-URI is changed by the LB; in that case all auth will fail. The
admin can add the initial R-URI in a special header at the LB and in the
proxy compare that value with the digest URI. Embedding this check in
auth modules seemed too rigid.

Cheers,
Daniel

> JB.
>
>   
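A stand-alone illustration of the per-request check Daniel describes above (the Digest `uri=` parameter compared against the Request-URI, plus the load-balancer variant where the LB carries the original R-URI in an extra header), and of what the `$adu` variable in openser 1.3.0 exposes for that comparison. This is added example code in Python, not OpenSER code or anything from this bug log; the SIP messages and the `X-Orig-RURI` header name are constructed for the example.

```python
import re

# Matches the uri="..." parameter inside a Digest credentials header value.
_DIGEST_URI = re.compile(r'(?:^|[,\s])uri\s*=\s*"([^"]*)"', re.IGNORECASE)

# Constructed sample INVITE (not taken from the bug log): Digest uri and
# Request-URI agree, as they do for a legitimately authenticated call.
INVITE_OK = (
    'INVITE sip:+15551230000@example.com SIP/2.0\r\n'
    'From: <sip:alice@example.com>;tag=1\r\n'
    'To: <sip:+15551230000@example.com>\r\n'
    'Proxy-Authorization: Digest username="alice", realm="example.com", '
    'nonce="abc", uri="sip:+15551230000@example.com", response="0123abcd"\r\n'
    'Content-Length: 0\r\n\r\n'
)
# The same credentials presented with a Request-URI for a different number:
# this is the case the per-call check must reject.
INVITE_MISMATCH = INVITE_OK.replace(
    'INVITE sip:+15551230000@example.com', 'INVITE sip:+19005550199@example.com', 1)
# Load-balancer case: the LB rewrote the R-URI but saved the original in
# X-Orig-RURI (a hypothetical header name chosen for this example).
INVITE_BEHIND_LB = INVITE_OK.replace(
    'INVITE sip:+15551230000@example.com', 'INVITE sip:+15551230000@proxy1.internal', 1
).replace('From:', 'X-Orig-RURI: sip:+15551230000@example.com\r\nFrom:', 1)


def parse_request(raw):
    """Return (method, request_uri, headers); header names are lower-cased."""
    lines = raw.split('\r\n\r\n', 1)[0].split('\r\n')
    method, ruri, _version = lines[0].split(' ', 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(':')
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, ruri, headers


def digest_uri(headers):
    """The uri= parameter of the first Digest credentials header, or None."""
    for name in ('proxy-authorization', 'authorization'):
        for value in headers.get(name, []):
            if value.lower().startswith('digest '):
                m = _DIGEST_URI.search(value)
                if m:
                    return m.group(1)
    return None


def check_auth_uri(raw, original_ruri_header=None):
    """'match', 'mismatch' or 'no-digest'. Run after the Digest response has
    been verified; original_ruri_header names a header a trusted LB fills
    with the R-URI it saw (the proxy must strip it from any other source)."""
    _method, ruri, headers = parse_request(raw)
    uri = digest_uri(headers)
    if uri is None:
        return 'no-digest'
    expected = ruri
    if original_ruri_header and headers.get(original_ruri_header.lower()):
        expected = headers[original_ruri_header.lower()][0]
    # Exact comparison: the simplest form of the check discussed in the thread.
    return 'match' if uri == expected else 'mismatch'


if __name__ == '__main__':
    print(check_auth_uri(INVITE_OK), check_auth_uri(INVITE_MISMATCH),
          check_auth_uri(INVITE_BEHIND_LB, 'X-Orig-RURI'))
```

The exact string comparison rejects some benign variants (case differences in host names, parameter order) that RFC 3261 URI comparison would accept; that is precisely why the thread leaves the policy to the configuration rather than the auth module.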




Message #20 received at 446956@bugs.debian.org:

From: Julien BLACHE <jblache@debian.org>
To: daniel@voice-system.ro
Cc: 446956@bugs.debian.org, Nico Golde <nion@debian.org>
Subject: Re: Bug#446956: CVE-2007-5469 toll fraud and authentication forward attack
Date: Wed, 17 Oct 2007 11:33:56 +0200
Daniel-Constantin Mierla <daniel@voice-system.ro> wrote:

Hi,

> Practically, the check can be done in all versions of openser>=1.0.0,
> but it is a bit more complex. The update in the SVN just eases the check, by
> making the digest URI directly available via a pseudo-variable.

That's what I thought too...

> The solution of leaving the check in the config file is to give more
> liberty in performing it. Imagine that the proxies are behind a load
> balancer, and the R-URI is changed by the LB; in that case all auth
> will fail. The admin can add the initial R-URI in a special header at
> the LB and in the proxy compare that value with the digest URI. Embedding
> this check in auth modules seemed too rigid.

Indeed.

I think someone's been a bit too trigger-happy with the CVE
assignment. I'll upload packages patched with SVN rev 2852 if the
security team feels it's necessary, otherwise I'm perfectly happy with
just closing that bug report.

JB.

-- 
 Julien BLACHE <jblache@debian.org>  |  Debian, because code matters more 
 Debian & GNU/Linux Developer        |       <http://www.debian.org>
 Public key available on <http://www.jblache.org> - KeyID: F5D6 5169 
 GPG Fingerprint : 935A 79F1 C8B3 3521 FD62 7CC7 CD61 4FD7 F5D6 5169 




Message #25 received at 446956@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: Julien BLACHE <jblache@debian.org>, 446956@bugs.debian.org
Cc: daniel@voice-system.ro
Subject: Re: Bug#446956: CVE-2007-5469 toll fraud and authentication forward attack
Date: Wed, 17 Oct 2007 20:53:30 +0200
Hi Julien,
* Julien BLACHE <jblache@debian.org> [2007-10-17 20:13]:
> Daniel-Constantin Mierla <daniel@voice-system.ro> wrote:
[...] 
> > The solution of leaving the check in the config file is to give more
> > liberty in performing it. Imagine that the proxies are behind a load
> > balancer, and the R-URI is changed by the LB; in that case all auth
> > will fail. The admin can add the initial R-URI in a special header at
> > the LB and in the proxy compare that value with the digest URI. Embedding
> > this check in auth modules seemed too rigid.
> 
> Indeed.
> 
> I think someone's been a bit too trigger-happy with the CVE
> assignment. I'll upload packages patched with SVN rev 2852 if the
> security team feels it's necessary, otherwise I'm perfectly happy with
> just closing that bug report.

This was marked as a security flaw with low impact in the 
security tracker by me. So this is no "please upload as fast 
as possible" bug but I think the patch won't hurt.
Kind regards
Nico
-- 
Nico Golde - http://ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Message #30 received at 446956@bugs.debian.org:

From: Julien BLACHE <jblache@debian.org>
To: Nico Golde <nion@debian.org>
Cc: 446956@bugs.debian.org, daniel@voice-system.ro
Subject: Re: Bug#446956: CVE-2007-5469 toll fraud and authentication forward attack
Date: Wed, 17 Oct 2007 21:44:41 +0200
Nico Golde <nion@debian.org> wrote:

Hi,

> This was marked as a security flaw with low impact in the 
> security tracker by me. So this is no "please upload as fast 
> as possible" bug but I think the patch won't hurt.

The patch doesn't fix anything but makes it easier to do the check in
its simplest form in the config file.

This is not a vulnerability, it's not even a flaw because having the
two URIs mismatch is allowed by the standard and happens in some
setups for valid reasons.

There's no hole in OpenSER itself; depending on the user setup,
checking the URIs can be required or not, so it's entirely a config
issue from there on.

I don't consider this a security issue as far as Debian is concerned
and I recommend not issuing a DSA for this. I feel issuing a DSA for
this issue could potentially mislead our users, letting them think the
update handles the problem when it doesn't.

So if you agree with this, I'm just going to leave this bug open and
I'll close it with the OpenSER 1.3 upload in December.

JB.

-- 
 Julien BLACHE <jblache@debian.org>  |  Debian, because code matters more 
 Debian & GNU/Linux Developer        |       <http://www.debian.org>
 Public key available on <http://www.jblache.org> - KeyID: F5D6 5169 
 GPG Fingerprint : 935A 79F1 C8B3 3521 FD62 7CC7 CD61 4FD7 F5D6 5169 




Message #35 received at 446956@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: Julien BLACHE <jblache@debian.org>
Cc: 446956@bugs.debian.org, daniel@voice-system.ro
Subject: Re: Bug#446956: CVE-2007-5469 toll fraud and authentication forward attack
Date: Wed, 17 Oct 2007 21:56:55 +0200
Hi Julien,
* Julien BLACHE <jblache@debian.org> [2007-10-17 21:48]:
> Nico Golde <nion@debian.org> wrote:
> > This was marked as a security flaw with low impact in the 
> > security tracker by me. So this is no "please upload as fast 
> > as possible" bug but I think the patch won't hurt.
> 
> The patch doesn't fix anything but makes it easier to do the check in
> its simplest form in the config file.
> 
> This is not a vulnerability, it's not even a flaw because having the
> two URIs mismatch is allowed by the standard and happens in some
> setups for valid reasons.

Ok.

> There's no hole in OpenSER itself; depending on the user setup,
> checking the URIs can be required or not, so it's entirely a config
> issue from there on.

Ok sounds plausible.

> I don't consider this a security issue as far as Debian is concerned
> and I recommend not issuing a DSA for this. I feel issuing a DSA for
> this issue could potentially mislead our users, letting them think the
> update handles the problem when it doesn't.
> 
> So if you agree with this, I'm just going to leave this bug open and
> I'll close it with the OpenSER 1.3 upload in December.

Ok, I marked it as unimportant and downgraded this bug.
Thanks for your efforts!
Cheers
Nico
-- 
Nico Golde - http://ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Severity set to `normal' from `important' Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Wed, 17 Oct 2007 20:03:06 GMT)


Reply sent to Julien BLACHE <jblache@debian.org>:
You have taken responsibility.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer.

Message #42 received at 446956-close@bugs.debian.org:

From: Julien BLACHE <jblache@debian.org>
To: 446956-close@bugs.debian.org
Subject: Bug#446956: fixed in openser 1.3.0-1
Date: Mon, 17 Dec 2007 15:07:18 +0000
Source: openser
Source-Version: 1.3.0-1

We believe that the bug you reported is fixed in the latest version of
openser, which is due to be installed in the Debian FTP archive:

openser-berkeley-module_1.3.0-1_amd64.deb
  to pool/main/o/openser/openser-berkeley-module_1.3.0-1_amd64.deb
openser-carrierroute-module_1.3.0-1_amd64.deb
  to pool/main/o/openser/openser-carrierroute-module_1.3.0-1_amd64.deb
openser-cpl-module_1.3.0-1_amd64.deb
  to pool/main/o/openser/openser-cpl-module_1.3.0-1_amd64.deb
openser-dbg_1.3.0-1_amd64.deb
  to pool/main/o/openser/openser-dbg_1.3.0-1_amd64.deb
openser-jabber-module_1.3.0-1_amd64.deb
  to pool/main/o/openser/openser-jabber-module_1.3.0-1_amd64.deb
openser-ldap-modules_1.3.0-1_amd64.deb
  to pool/main/o/openser/openser-ldap-modules_1.3.0-1_amd64.deb
openser-mysql-module_1.3.0-1_amd64.deb
  to pool/main/o/openser/openser-mysql-module_1.3.0-1_amd64.deb
openser-perl-modules_1.3.0-1_amd64.deb
  to pool/main/o/openser/openser-perl-modules_1.3.0-1_amd64.deb
openser-postgres-module_1.3.0-1_amd64.deb
  to pool/main/o/openser/openser-postgres-module_1.3.0-1_amd64.deb
openser-presence-modules_1.3.0-1_amd64.deb
  to pool/main/o/openser/openser-presence-modules_1.3.0-1_amd64.deb
openser-radius-modules_1.3.0-1_amd64.deb
  to pool/main/o/openser/openser-radius-modules_1.3.0-1_amd64.deb
openser-snmpstats-module_1.3.0-1_amd64.deb
  to pool/main/o/openser/openser-snmpstats-module_1.3.0-1_amd64.deb
openser-unixodbc-module_1.3.0-1_amd64.deb
  to pool/main/o/openser/openser-unixodbc-module_1.3.0-1_amd64.deb
openser-xmlrpc-module_1.3.0-1_amd64.deb
  to pool/main/o/openser/openser-xmlrpc-module_1.3.0-1_amd64.deb
openser-xmpp-module_1.3.0-1_amd64.deb
  to pool/main/o/openser/openser-xmpp-module_1.3.0-1_amd64.deb
openser_1.3.0-1.diff.gz
  to pool/main/o/openser/openser_1.3.0-1.diff.gz
openser_1.3.0-1.dsc
  to pool/main/o/openser/openser_1.3.0-1.dsc
openser_1.3.0-1_amd64.deb
  to pool/main/o/openser/openser_1.3.0-1_amd64.deb
openser_1.3.0.orig.tar.gz
  to pool/main/o/openser/openser_1.3.0.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 446956@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Julien BLACHE <jblache@debian.org> (supplier of updated openser package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Thu, 13 Dec 2007 17:47:34 +0100
Source: openser
Binary: openser-xmlrpc-module openser-perl-modules openser-berkeley-module openser-presence-modules openser-mysql-module openser-unixodbc-module openser openser-snmpstats-module openser-ldap-modules openser-jabber-module openser-cpl-module openser-carrierroute-module openser-postgres-module openser-dbg openser-xmpp-module openser-radius-modules
Architecture: source amd64
Version: 1.3.0-1
Distribution: experimental
Urgency: low
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Julien BLACHE <jblache@debian.org>
Description: 
 openser    - very fast and configurable SIP proxy
 openser-berkeley-module - Berkeley Database module for OpenSER
 openser-carrierroute-module - Carrierroute module for OpenSER
 openser-cpl-module - CPL module (CPL interpreter engine) for OpenSER
 openser-dbg - very fast and configurable SIP proxy [debug symbols]
 openser-jabber-module - Jabber gateway module for OpenSER
 openser-ldap-modules - LDAP modules for OpenSER
 openser-mysql-module - MySQL database connectivity module for OpenSER
 openser-perl-modules - Perl extensions and database driver for OpenSER
 openser-postgres-module - PostgreSQL database connectivity module for OpenSER
 openser-presence-modules - SIMPLE presence modules for OpenSER
 openser-radius-modules - radius modules for OpenSER
 openser-snmpstats-module - SNMP AgentX subagent module for OpenSER
 openser-unixodbc-module - unixODBC database connectivity module for OpenSER
 openser-xmlrpc-module - XMLRPC support for OpenSER's Management Interface
 openser-xmpp-module - XMPP gateway module for OpenSER
Closes: 446956
Changes: 
 openser (1.3.0-1) experimental; urgency=low
 .
   * New upstream release.
     + Adds new variable $adu to make it easier to check the auth digest URI
       matches the To/R-URI; in response to CVE-2007-5469 (closes: #446956).
   * debian/control:
     + Add build-dependency on libcurl4-gnutls-dev.
   * debian/rules:
     + Add the xcap_client module in openser-presence-modules.
Files: 





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 15 Jan 2008 07:35:44 GMT)

