Hello,
On 10/17/07 11:25, Julien BLACHE wrote:
Nico Golde <[EMAIL PROTECTED]> wrote:
Hi,
CVE-2007-5469[0]:
| OpenSER 1.2.2 does not verify the Digest authentication header URI
| against the Request URI in SIP messages, which allows remote attackers
| to use sniffed Digest authentication credentials to call arbitrary
| telephone numbers or spoof caller ID (aka "toll fraud and
| authentication forward attack").
I can dig up the patch mentionned on full-disclosure, but it's only
one part of the solution. The user needs to add the required logic in
its config to actually "fix" the problem.
Also it's not clear yet whether this also applies to OpenSER < 1.2,
though the post on full-disclosure seems to imply that all versions
prior to SVN 20071004 are affected.
Practically, the check can be done in all versions of openser>=1.0.0,
but a bit more complex. The update in the SVN just eases the check, by
making the digest URI directly available via a pseudo-variable.
The solution for older versions is:
- write the body if Authorization/Proxy-Authorization header in an AVP
via avp_printf()
- do an avp_subst() and substract the value of the digest URI in another AVP
- use avp_check() to check it against R-URI
The solution of letting the check in config file is to give more liberty
in performing it. Imagine that the proxies are behind a load balancer,
and the R-URI is changed by the LB, in that case all auth will fail. The
admin can add the initial R-URI in a special header at LB and in the
proxy compare that value with the digest URI. Embedding this check in
auth modules seemed too rigid.
Cheers,
Daniel
JB.
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]