CVE-2022-26499
📋 TL;DR
This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in the Asterisk VoIP software when STIR/SHAKEN caller ID authentication is in use. By manipulating the SIP Identity header, an attacker can make the Asterisk server issue arbitrary HTTP requests (such as GET) to internal interfaces, including localhost. This affects all Asterisk installations through version 19.x that have STIR/SHAKEN enabled.
💻 Affected Systems
- Asterisk
📦 What is this software?
Asterisk by Digium
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access sensitive internal services, perform port scanning, retrieve credentials from metadata services, or pivot to attack other internal systems from the Asterisk server.
Likely Case
Unauthorized access to internal HTTP services, information disclosure from internal APIs, or denial of service by overwhelming internal services with requests.
If Mitigated
Limited to accessing only specific internal services that are reachable from the Asterisk server, with no direct code execution or system compromise.
🎯 Exploit Status
Exploitation requires sending specially crafted SIP messages with malicious Identity headers to Asterisk servers with STIR/SHAKEN enabled.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 16.25.2, 18.11.2, or 19.3.2
Vendor Advisory: https://downloads.asterisk.org/pub/security/AST-2022-002.html
Restart Required: Yes
Instructions:
1. Identify your Asterisk version.
2. Upgrade to the patched version for your branch: 16.x → 16.25.2, 18.x → 18.11.2, 19.x → 19.3.2.
3. Restart the Asterisk service.
4. Verify the patch is applied.
🔧 Temporary Workarounds
Disable STIR/SHAKEN
Temporarily disable STIR/SHAKEN functionality if it is not required
Edit Asterisk configuration to remove or comment out STIR/SHAKEN settings in pjsip.conf or relevant config files
Network Segmentation
Restrict the Asterisk server's network access to internal services
Configure firewall rules to limit Asterisk server's outbound connections to only necessary services
🧯 If You Can't Patch
- Disable STIR/SHAKEN functionality completely if caller ID authentication is not required
- Implement strict firewall rules to prevent Asterisk server from accessing sensitive internal services
🔍 How to Verify
Check if Vulnerable:
You are vulnerable if STIR/SHAKEN is enabled in the Asterisk configuration and the installed version is older than the patched release for its branch
Check Version:
asterisk -V or asterisk -rx 'core show version'
Verify Fix Applied:
Verify that the Asterisk version is 16.25.2, 18.11.2, or 19.3.2 or later on its branch
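The version and configuration checks above can be scripted. The following is an added example written for this page, not code from the Asterisk project. It assumes the output of asterisk -V begins with a string such as "Asterisk 18.10.0" (certified builds with a "-cert" suffix are not handled), and that STIR/SHAKEN is switched on by a stir_shaken = yes line in pjsip.conf; both the sample version strings and the sample configuration are constructed here for illustration.

```python
import re
from typing import Optional, Tuple

# Earliest fixed release on each supported branch, as listed in AST-2022-002.
FIXED_VERSIONS = {
    16: (16, 25, 2),
    18: (18, 11, 2),
    19: (19, 3, 2),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract the first x.y.z triple from text such as 'Asterisk 18.10.0'
    (assumed shape of `asterisk -V` output). Returns None if no triple is found."""
    match = _VERSION_RE.search(text)
    if not match:
        return None
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def stir_shaken_enabled(pjsip_conf: str) -> bool:
    """Return True if any non-comment line sets stir_shaken to yes/true.
    Asterisk config files use ';' to start a comment. The option name is an
    assumption for this example, not taken from the advisory."""
    for raw in pjsip_conf.splitlines():
        line = raw.split(";", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (s.strip().lower() for s in line.split("=", 1))
        if key == "stir_shaken" and value in ("yes", "true", "1"):
            return True
    return False


def check_version(version_text: str, stir_shaken_on: bool) -> str:
    """Classify an installation against AST-2022-002.

    Possible results:
      'not-parsed'         - no x.y.z version found in the input
      'not-exposed'        - STIR/SHAKEN is disabled, so the SSRF path is unreachable
      'unsupported-branch' - branch not covered by the advisory's fixed versions
      'patched'            - at or above the fixed release for its branch
      'vulnerable'         - below the fixed release for its branch
    """
    version = parse_version(version_text)
    if version is None:
        return "not-parsed"
    if not stir_shaken_on:
        return "not-exposed"
    fixed = FIXED_VERSIONS.get(version[0])
    if fixed is None:
        return "unsupported-branch"
    # Tuple comparison orders (major, minor, patch) lexicographically.
    return "patched" if version >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inputs standing in for real command output and config.
    sample_version = "Asterisk 18.10.0 built by builder @ buildhost on a x86_64"
    sample_pjsip_conf = """
[trunk-endpoint]
type = endpoint
stir_shaken = yes   ; constructed sample: caller ID attestation enabled
"""
    enabled = stir_shaken_enabled(sample_pjsip_conf)
    print(f"STIR/SHAKEN enabled: {enabled}")
    print(f"Status: {check_version(sample_version, enabled)}")
```

Run it on a host by feeding the real output of asterisk -V and the contents of pjsip.conf into check_version and stir_shaken_enabled; a result of "vulnerable" means the upgrade and restart steps above still apply.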
📡 Detection & Monitoring
Log Indicators:
- Unusual HTTP requests originating from Asterisk process
- Failed STIR/SHAKEN validations
- Unexpected connections to internal services
Network Indicators:
- SIP traffic with malformed Identity headers
- HTTP requests from Asterisk server to internal services not related to normal operation
SIEM Query:
source="asterisk" AND (event="HTTP request" OR event="STIR/SHAKEN failure" OR message="Identity header")
🔗 References
- http://packetstormsecurity.com/files/166745/Asterisk-Project-Security-Advisory-AST-2022-002.html
- https://downloads.asterisk.org/pub/security/
- https://downloads.asterisk.org/pub/security/AST-2022-002.html
- https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html
- https://www.debian.org/security/2022/dsa-5285