Vulnerability: Asterisk PJSIP Endpoint Presence Disclosure CVE-2018-12227


#1

Our router is reporting many many malicious events:


I have searched the web and found this:

CVE-2018-12227: This vulnerability is caused by improper handling of SIP requests to target systems configured with endpoint-specific ACL rules. In general, when the endpoint specified in the SIP request does not exist, Asterisk will return a “401 Unauthorized” response. When the endpoint configures an ACL, if the SIP request does not comply with the ACL rule, it will return a “403 Disabled” response. Unauthorized attackers can use this vulnerability to enumerate existing SIP endpoints and obtain sensitive data that can cause other attacks.

Model: UCM6102 V1.5A, Base 1.0.18.16
I checked the release notes for 1.0.18.17 and I do not see this issue addressed

Is this known to other users out there? Is this something Grandstream should be fixing?
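
An added example, not part of the original post: a defender-side check for the pattern the CVE description above describes, where one source is rejected for many endpoint names and receives a mix of 401 and 403 answers. The key=value log format, the sample lines and the function name are constructed for illustration and are not Asterisk or UCM log output.

```python
import re
from collections import defaultdict

# Constructed sample lines in a hypothetical key=value format.
SAMPLE_LOG = "\n".join([
    "2018-06-20T10:00:01 src=203.0.113.7 method=REGISTER to=1000 status=401",
    "2018-06-20T10:00:01 src=203.0.113.7 method=REGISTER to=1001 status=401",
    "2018-06-20T10:00:02 src=203.0.113.7 method=REGISTER to=1002 status=403",
    "2018-06-20T10:00:02 src=203.0.113.7 method=REGISTER to=1003 status=401",
    "2018-06-20T10:00:03 src=203.0.113.7 method=REGISTER to=1004 status=403",
    "2018-06-20T10:00:03 src=203.0.113.7 method=REGISTER to=1005 status=401",
    # A normal phone: challenged once, then registers successfully.
    "2018-06-20T10:05:00 src=198.51.100.20 method=REGISTER to=1002 status=401",
    "2018-06-20T10:05:00 src=198.51.100.20 method=REGISTER to=1002 status=200",
    # A few failed attempts, all 401, below the threshold.
    "2018-06-20T10:07:00 src=192.0.2.50 method=INVITE to=2000 status=401",
    "2018-06-20T10:07:01 src=192.0.2.50 method=INVITE to=2001 status=401",
    "2018-06-20T10:07:02 src=192.0.2.50 method=INVITE to=2002 status=401",
])

LINE_RE = re.compile(
    r"src=(?P<src>\S+)\s+method=(?P<method>\S+)\s+to=(?P<to>\S+)\s+status=(?P<status>\d{3})"
)

def find_enumeration_sources(log_text, min_endpoints=5):
    """Return {src: {"probed": n, "leaked": [...]}} for sources that look like scans."""
    seen = defaultdict(lambda: defaultdict(set))  # src -> status code -> endpoint names
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            seen[m["src"]][int(m["status"])].add(m["to"])
    findings = {}
    for src, by_status in seen.items():
        rejected = by_status[401] | by_status[403]
        # Many distinct rejected names from one source is a scan pattern; a mix
        # of 401 and 403 means the answers told existing endpoints apart.
        if len(rejected) >= min_endpoints and by_status[401] and by_status[403]:
            findings[src] = {
                "probed": len(rejected),
                "leaked": sorted(by_status[403]),  # names answered with 403
            }
    return findings

if __name__ == "__main__":
    for src, info in find_enumeration_sources(SAMPLE_LOG).items():
        print(src, info)
```

The `leaked` list is the set of endpoint names whose existence the differing response would have revealed to that source.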


#2

There is a notice at firmware.grandstream.com to upgrade due to security issue.


#3

Thanks costwisewpg
I will update the firmware
When I read the release notes I was looking for bug fixes, not new features :wink:
The release note says

NEW AMI COMMANDS
• PJSIPShowEndpoint – Shows the information of an individual SIP endpoint. Functionally similar to
Asterisk’s SIPshowpeer command.
• PJSIPShowEndpoint – Shows the information of all SIP endpoints. Functionally similar to Asterisk’s
SIPshowpeer command.

Will the new firmware fix the problem with no further input from me or do I need to adjust some new settings?


#4

This is the latest fw for the UCM6100 series. If you have not updated, update; if you have already updated, you should open a ticket.

http://firmware.grandstream.com/Release_Note_UCM61xx_1.0.18.17.pdf