CVE-2009-3723

7.5 HIGH

📋 TL;DR

CVE-2009-3723 (Asterisk advisory AST-2009-007) is an access-control bypass in Asterisk's SIP handling: the permit/deny rules an administrator configures in sip.conf are not enforced for incoming SIP calls, so a caller on a network the ACL denies can still place calls through the PBX. It affects installations that rely on those ACL entries to restrict who may call; a server with no permit/deny rules has nothing to bypass.

💻 Affected Systems

Products:
  • Asterisk
  • Asterisk Business Edition
  • AsteriskNOW
  • TrixBox
  • FreePBX
Versions: Asterisk 1.4.x before 1.4.29, 1.6.0.x before 1.6.0.12, and Business Edition C.x before C.3.5.2
Operating Systems: Linux, BSD, Solaris, Windows
Default Config Vulnerable: No
Notes: Only installations that restrict callers with permit/deny rules in sip.conf are affected; a stock configuration has no such rules. The bypass matters precisely where those rules are the only control on which source addresses may call, which is common on PBXs that accept SIP from the public internet.

📦 What is this software?

Asterisk is an open-source PBX and telephony toolkit (originally developed by Digium) that terminates SIP and IAX2 signalling, routes calls through a configurable dialplan and connects to the PSTN through trunks. Distributions such as AsteriskNOW and TrixBox, and the FreePBX web front end, bundle it, which is why they appear in the affected-products list above: they inherit the flaw from the Asterisk version they ship. The sip.conf permit/deny settings at issue here are Asterisk's own mechanism for restricting which source addresses may register or place calls.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Toll fraud: unauthorized international or premium-rate calls placed through the PBX from networks the ACL was supposed to exclude, with the operator liable for the charges.

🟠 Likely Case

Unauthorized domestic or local calls from an excluded network, causing moderate cost and possible disruption of legitimate service (for example, trunk channels tied up by fraudulent calls).

🟢 If Mitigated

Limited impact where SIP signalling is filtered at the host or network firewall, so denied networks never reach Asterisk, and outbound dialling is constrained by trunk limits and destination restrictions.

🌐 Internet-Facing: HIGH - Asterisk servers exposed to the internet are directly vulnerable to exploitation.
🏢 Internal Only: MEDIUM - Internal attackers or compromised systems could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation needs no credentials and no special tooling beyond the ability to send SIP to the server: a caller on an address the ACL denies sends an ordinary INVITE and Asterisk processes the call as if the deny rule did not exist.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Asterisk 1.4.29, 1.6.0.12, Business Edition C.3.5.2

Vendor Advisory: http://downloads.asterisk.org/pub/security/AST-2009-007.html

Restart Required: Yes

Instructions:

1. Back up /etc/asterisk (sip.conf, iax.conf and the rest of the configuration).
2. Upgrade to 1.4.29, 1.6.0.12 or C.3.5.2 (or later on the same branch) from the distribution package or from source.
3. Restart the Asterisk service; a module reload does not replace the running binary.
4. Confirm the new version with asterisk -rx 'core show version' and place test calls to verify SIP (and IAX, if used) still work.

🔧 Temporary Workarounds

Network ACL Enforcement

Because Asterisk is not enforcing its own permit/deny lists, enforce the same restriction at the host firewall, where the SIP stack cannot bypass it. The rules below accept SIP (UDP 5060) and IAX2 (UDP 4569) only from the trusted subnet and drop everything else. Adjust the subnet to match your sip.conf permit entries, add TCP 5060 if SIP over TCP is enabled, and make sure these rules sit before any broader ACCEPT rule, since iptables stops at the first match.

iptables -A INPUT -p udp --dport 5060 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p udp --dport 5060 -j DROP
iptables -A INPUT -p udp --dport 4569 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p udp --dport 4569 -j DROP

Refuse Unauthenticated (Guest) Calls

The command below does not disable SIP; it adds allowguest=no to the [general] section of sip.conf so that Asterisk refuses calls from sources that do not authenticate as a configured user or peer. That removes the easiest path for a caller on a denied network, but it is a hardening step, not a fix: it does not correct the ACL check itself. To take SIP out of service entirely, stop loading the channel driver (noload => chan_sip.so in modules.conf) and restart Asterisk. The grep guard avoids inserting a second allowguest line if one is already present.

grep -q '^allowguest' /etc/asterisk/sip.conf || sed -i 's/^\[general\]/[general]\nallowguest=no/' /etc/asterisk/sip.conf
asterisk -rx 'sip reload'

🧯 If You Can't Patch

  • Implement strict firewall rules to only allow SIP/IAX traffic from trusted networks
  • Enable detailed call logging and monitoring for unauthorized call patterns

🔍 How to Verify

Check if Vulnerable:

asterisk -rx 'core show version' | grep -o 'Asterisk [0-9.C]\+'

Compare the reported version with the affected ranges: 1.4.x below 1.4.29, 1.6.0.x below 1.6.0.12, Business Edition C.x below C.3.5.2. Versions on other branches are outside the scope of this advisory. If the command fails with a connection error, Asterisk is not running or you lack permission to use its control socket; run it as root or as the asterisk user.

Verify Fix Applied:

The version must be at least 1.4.29 on the 1.4 branch, 1.6.0.12 on 1.6.0, or C.3.5.2 for Business Edition. Then test the behaviour, not just the number: from a host inside a deny range (and outside every permit range), place a call with a softphone and confirm it is refused; with SIP debugging enabled at the Asterisk CLI (sip set debug on; older 1.4 builds use sip set debug) you can watch the INVITE arrive and be rejected. Repeat from a permitted address to confirm legitimate calls still complete.
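To make the version comparison repeatable across a fleet, here is an added example (not code from the Asterisk project or from the advisory) that parses the 'core show version' banner and classifies the version against the three fixed releases named on this page. The sample banner is constructed, and check_running_asterisk() is a hypothetical helper that would query a live system over the control socket.

```python
"""Added example (not Asterisk project code): classify an Asterisk version
against the CVE-2009-3723 fixed releases listed in AST-2009-007."""
import re
import subprocess

# First fixed release on each affected branch (from the advisory).
FIXED = {
    "1.4": (1, 4, 29),
    "1.6.0": (1, 6, 0, 12),
    "C": (3, 5, 2),          # Business Edition C.3.5.2, compared without the "C." prefix
}


def parse_version(banner):
    """Pull the bare version out of 'core show version' output, e.g.
    'Asterisk 1.4.26.2 built by root @ pbx ...' -> '1.4.26.2'."""
    m = re.match(r"Asterisk\s+(\S+)", banner.strip())
    if not m:
        raise ValueError("not an Asterisk version banner: %r" % banner)
    return m.group(1)


def numeric(version):
    """Numeric components of a version, ignoring a leading 'C.' and any
    '-rc1' / '-beta' suffix (pre-releases are treated like their base version)."""
    return tuple(int(p) for p in re.findall(r"\d+", version.split("-", 1)[0]))


def status(version):
    """Return 'vulnerable', 'fixed' or 'not-affected-branch'.
    Branches not named in the advisory (1.6.1, 1.6.2, SVN builds) are reported
    as not-affected-branch and must be checked by hand."""
    if version.startswith("C."):
        branch = "C"
    elif version.startswith("1.6.0."):
        branch = "1.6.0"
    elif version.startswith("1.4."):
        branch = "1.4"
    else:
        return "not-affected-branch"
    return "vulnerable" if numeric(version) < FIXED[branch] else "fixed"


def check_running_asterisk():
    """Hypothetical helper: query the local daemon through its control socket
    (requires permission to use 'asterisk -r')."""
    banner = subprocess.check_output(["asterisk", "-rx", "core show version"],
                                     universal_newlines=True)
    return status(parse_version(banner))


# Constructed banner for the demo; not captured from a real host.
SAMPLE_BANNER = ("Asterisk 1.4.26.2 built by root @ pbx on a i686 "
                 "running Linux on 2009-09-01 10:00:00 UTC")

if __name__ == "__main__":
    v = parse_version(SAMPLE_BANNER)
    print("%s -> %s" % (v, status(v)))
```

Run it on a host with `python3 check.py` for the constructed sample, or call check_running_asterisk() to classify the daemon that is actually running; a result of not-affected-branch means the branch is not covered by this advisory, not that it is safe.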

📡 Detection & Monitoring

Log Indicators:

  • SIP/IAX calls from IP addresses in deny lists
  • Unexpected call patterns or destinations
  • Failed authentication attempts followed by successful calls

Network Indicators:

  • SIP INVITE packets from unauthorized networks
  • Unusual call volume or destinations

SIEM Query:

Splunk-style search, assuming the SIEM extracts the caller's address into a src_ip field (Asterisk's default messages log does not normally record the source address of accepted calls, so feed it SIP debug output or CDRs enriched with the peer address). Replace the address ranges with the networks your ACL permits; any hit is a call the ACL should have refused.

source="/var/log/asterisk/messages" "INVITE" NOT src_ip=192.168.0.0/16 NOT src_ip=10.0.0.0/8
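Asterisk evaluates permit/deny lists by starting from "allow", walking the rules in configuration order and letting the last matching rule win; that is what the usual deny=0.0.0.0/0.0.0.0 followed by permit= idiom relies on. The script below is an added example, not Asterisk project code and not part of the advisory: it re-implements that evaluation in Python (serving both the configuration described under Notes above and the detection indicators in this section) and runs it over constructed call records (Call-ID, source address, outcome) to list calls the configured ACL should have refused but the PBX accepted. The sip.conf fragment and the records are made up for illustration; in practice the records would come from CDRs or from SIP debug output, which does include the source address.

```python
"""Added example (not Asterisk project code): apply sip.conf permit/deny
rules the way Asterisk's ACL code does and audit call records against them."""
import ipaddress


def parse_acl(lines):
    """Collect permit/deny entries from sip.conf-style lines, in file order.
    Values may use a dotted netmask (192.168.1.0/255.255.255.0) or CIDR form;
    a bare address means a single host, as in Asterisk."""
    rules = []
    for raw in lines:
        line = raw.split(";", 1)[0].strip()          # strip sip.conf comments
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in ("permit", "deny"):
            rules.append((key, ipaddress.ip_network(value, strict=False)))
    return rules


def acl_allows(rules, ip):
    """Asterisk semantics (ast_apply_ha): the answer starts as 'allow', every rule
    is checked in order, and the last rule that matches decides. With no rules
    at all, everything is allowed."""
    addr = ipaddress.ip_address(ip)
    sense = "permit"
    for key, net in rules:
        if addr in net:
            sense = key
    return sense == "permit"


def audit(rules, records):
    """records: (call_id, source_ip, outcome) with outcome 'accepted' or 'rejected'.
    Returns the accepted calls that the ACL says should have been denied."""
    return [(call_id, ip) for call_id, ip, outcome in records
            if outcome == "accepted" and not acl_allows(rules, ip)]


# Constructed sip.conf fragment: deny everything, then permit two internal ranges.
SIP_CONF = """
[general]
deny=0.0.0.0/0.0.0.0
permit=192.168.1.0/255.255.255.0   ; office LAN, netmask form
permit=10.20.0.0/16                ; branch office, CIDR form
""".splitlines()

# Constructed call records, not real logs: (Call-ID, source address, PBX outcome).
RECORDS = [
    ("a1", "192.168.1.25", "accepted"),
    ("a2", "10.20.3.4", "accepted"),
    ("a3", "203.0.113.7", "accepted"),    # outside every permit: should have been denied
    ("a4", "198.51.100.9", "rejected"),
]

if __name__ == "__main__":
    for call_id, ip in audit(parse_acl(SIP_CONF), RECORDS):
        print("ACL bypass suspected: call %s accepted from %s" % (call_id, ip))
```

Run before patching, any output line is evidence the bypass is being exercised; run after patching, output should be empty unless the ACL itself is misordered (a permit placed before a broad deny is silently overridden, which the same function will show).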

🔗 References

  • Asterisk Project Security Advisory AST-2009-007: http://downloads.asterisk.org/pub/security/AST-2009-007.html
  • NVD entry for CVE-2009-3723: https://nvd.nist.gov/vuln/detail/CVE-2009-3723
