CVE-2018-12227

Name of the Vulnerable Software and Affected Versions Asterisk Open Source versions 13.x before 13.21.1 Asterisk Open Source versions 14.x before 14.7.7 Asterisk Open Source versions 15.x before 15.4.1 Certified Asterisk versions 13.18-cert before 13.18-cert4 Certified Asterisk versions 13.21-cert before 13.21-cert2

Description An issue in Asterisk allows disclosure of which requests hit a defined endpoint when endpoint-specific ACL rules block a SIP request. Normally, blocked requests respond with a 403 forbidden. However, if an endpoint is not identified, a 401 unauthorized response is sent instead. This does not allow ACL rules to be bypassed to gain access to the disclosed endpoints.

Recommendations For Asterisk Open Source versions 13.x before 13.21.1, update to version 13.21.1 or later. For Asterisk Open Source versions 14.x before 14.7.7, update to version 14.7.7 or later. For Asterisk Open Source versions 15.x before 15.4.1, update to version 15.4.1 or later. For Certified Asterisk versions 13.18-cert before 13.18-cert4, update to version 13.18-cert4 or later. For Certified Asterisk versions 13.21-cert before 13.21-cert2, update to version 13.21-cert2 or later.