FreeBSD: VID-C0B13887-BE44-11E6-B04F-001999F8D30B: asterisk -- Authentication Bypass

The Asterisk project reports:

The chan_sip channel driver has a liberal definition

for whitespace when attempting to strip the content between

a SIP header name and a colon character. Rather than

following RFC 3261 and stripping only spaces and horizontal

tabs, Asterisk treats any non-printable ASCII character

as if it were whitespace.

This mostly does not pose a problem until Asterisk is

placed in tandem with an authenticating SIP proxy. In

such a case, a crafty combination of valid and invalid

To headers can cause a proxy to allow an INVITE request

into Asterisk without authentication since it believes

the request is an in-dialog request. However, because of

the bug described above, the request will look like an

out-of-dialog request to Asterisk. Asterisk will then

process the request as a new call. The result is that

Asterisk can process calls from unvetted sources without

any authentication.

If you do not use a proxy for authentication, then

this issue does not affect you.

If your proxy is dialog-aware (meaning that the proxy

keeps track of what dialogs are currently valid), then

this issue does not affect you.

If you use chan_pjsip instead of chan_sip, then this

issue does not affect you.