CVE-2024-35190
📋 TL;DR
Asterisk version 18.23.0 incorrectly identifies all unauthorized SIP requests as coming from the local PJSIP endpoint, potentially allowing unauthorized access to telephony services. This affects Asterisk PBX systems running version 18.23.0 specifically. The vulnerability was introduced during an upgrade and affects the authentication logic.
💻 Affected Systems
- Asterisk
📦 What is this software?
Asterisk by Sangoma
⚠️ Risk & Real-World Impact
Worst Case
Unauthorized users could make SIP calls, access voicemail, or perform other telephony operations as if they were local endpoints, potentially leading to toll fraud, eavesdropping, or service disruption.
Likely Case
Unauthorized SIP requests being processed incorrectly, potentially allowing limited unauthorized access to telephony features or causing authentication bypass for specific SIP operations.
If Mitigated
With proper network segmentation and SIP authentication controls, impact would be limited to misidentification of unauthorized requests without granting actual access.
🎯 Exploit Status
Exploitation requires sending SIP requests to vulnerable Asterisk instances. The vulnerability is in authentication logic, making exploitation straightforward for attackers familiar with SIP protocols.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 18.23.1, 20.8.1, or 21.3.1
Vendor Advisory: https://github.com/asterisk/asterisk/security/advisories/GHSA-qqxj-v78h-hrf9
Restart Required: Yes
Instructions:
1. Back up the current configuration.
2. Upgrade to Asterisk 18.23.1, 20.8.1, or 21.3.1 using your distribution's package manager or from source.
3. Restart the Asterisk service.
4. Verify that SIP authentication is working correctly.
🔧 Temporary Workarounds
Downgrade to previous version
Revert to an Asterisk version before 18.23.0 (Linux):
apt-get install asterisk=18.22.0-1
yum downgrade asterisk-18.22.0
Restrict SIP access
Implement network-level restrictions to limit SIP traffic to trusted sources only (Linux):
iptables -A INPUT -p udp --dport 5060 -s trusted_ip -j ACCEPT
iptables -A INPUT -p udp --dport 5060 -j DROP
🧯 If You Can't Patch
- Implement strict firewall rules to only allow SIP traffic from authorized IP addresses
- Enable detailed SIP authentication logging and monitor for unauthorized access attempts
🔍 How to Verify
Check if Vulnerable:
Check the Asterisk version: if it is exactly 18.23.0, the system is vulnerable. Test SIP authentication with unauthorized requests to see whether they are incorrectly accepted.
Check Version:
asterisk -rx 'core show version'
Verify Fix Applied:
After patching, verify that the Asterisk version shows 18.23.1 or higher. Test that unauthorized SIP requests are properly rejected.
📡 Detection & Monitoring
Log Indicators:
- SIP requests from unauthorized sources being processed
- Authentication failures followed by successful requests from same source
- Unusual SIP endpoint registrations
Network Indicators:
- SIP traffic from unexpected sources
- SIP INVITE requests without proper authentication
- Increased SIP traffic volume
SIEM Query:
source="asterisk.log" AND (("authentication failed" AND "request processed") OR ("unauthorized" AND "endpoint"))
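The second log indicator above (an authentication failure followed by an accepted request from the same source) as a small correlation script; this is an added Python example, not part of this advisory page. The log layout, the "accepted ... as endpoint" message and the sample lines are constructed assumptions, so adapt the regex to the messages your Asterisk build actually emits.

```python
import re
from datetime import datetime

# Constructed sample log in an assumed Asterisk-like layout (hypothetical).
# 203.0.113.5: failure, then an accepted request 2 s later  -> suspicious.
# 198.51.100.9: failure, then an accepted request 20 min later -> outside window.
# 192.0.2.7: accepted request with no prior failure           -> not flagged here.
SAMPLE_LOG = """\
[May 17 10:00:01] NOTICE[1234] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '<sip:100@203.0.113.5>' failed for '203.0.113.5:5060' (callid: a1) - Failed to authenticate
[May 17 10:00:03] VERBOSE[1234] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:100@203.0.113.5>' accepted for '203.0.113.5:5060' (callid: a2) as endpoint 'local'
[May 17 10:00:05] NOTICE[1234] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '<sip:200@198.51.100.9>' failed for '198.51.100.9:5060' (callid: b1) - Failed to authenticate
[May 17 10:00:07] VERBOSE[1234] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:300@192.0.2.7>' accepted for '192.0.2.7:5060' (callid: c1) as endpoint 'local'
[May 17 10:20:00] VERBOSE[1234] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:200@198.51.100.9>' accepted for '198.51.100.9:5060' (callid: b2) as endpoint 'local'
"""

# Assumed line shape: "[timestamp] LEVEL[pid] file: Request 'METHOD' from '...' failed|accepted for 'ip:port' ..."
LINE_RE = re.compile(
    r"^\[(?P<ts>[A-Za-z]{3} +\d{1,2} \d{2}:\d{2}:\d{2})\] \w+\[\d+\] \S+: "
    r"Request '(?P<method>[A-Z]+)' from '[^']*' (?P<outcome>failed|accepted) "
    r"for '(?P<ip>[\d.]+):\d+'"
)


def find_auth_bypass_candidates(log_text, window_seconds=60):
    """Return (ip, method, failed_at, accepted_at) for every request that was
    accepted within window_seconds after an authentication failure from the
    same source IP. Lines are processed in file order; one pass, O(n)."""
    last_failure = {}  # ip -> (datetime, raw timestamp string)
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated message, skip
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year-less; fine for deltas
        ip = m["ip"]
        if m["outcome"] == "failed":
            last_failure[ip] = (ts, m["ts"])
        elif ip in last_failure:
            failed_dt, failed_raw = last_failure[ip]
            if 0 <= (ts - failed_dt).total_seconds() <= window_seconds:
                hits.append((ip, m["method"], failed_raw, m["ts"]))
    return hits


if __name__ == "__main__":
    for ip, method, failed_at, accepted_at in find_auth_bypass_candidates(SAMPLE_LOG):
        print(f"suspicious: {ip} failed auth at {failed_at}, {method} accepted at {accepted_at}")
```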
🔗 References
- https://github.com/asterisk/asterisk/commit/85241bd22936cc15760fd1f65d16c98be7aeaf6d
- https://github.com/asterisk/asterisk/pull/600
- https://github.com/asterisk/asterisk/pull/602
- https://github.com/asterisk/asterisk/security/advisories/GHSA-qqxj-v78h-hrf9