Comments (8)
This is the first time you have mentioned at all that you have identified an actual exploitable method based on the security information and practices you've been talking about. Please use the Security Vulnerability report process of the project to privately report the details:
https://github.com/asterisk/asterisk/security/advisories/new
It will then be triaged, identified, scheduled, and a CVE issued when a release occurs.
A public GitHub issue is not the location to discuss any further detail.
Also, 17 cases of 0777
world read/write/execute isn't great. Files like logs should probably be 744 for read only, and 755 for directories that need read+execute:
https://github.com/search?q=repo%3Aasterisk%2Fasterisk+0777&type=code
I don't think there is any use case here for chmod 777, and the misuse case is tampering with sensitive log files and memory corruption. It would be great to see these updated along with #316 in a cumulative CVE and permissions-hardening patch.
Do I need to submit a PR and contact Mitre for a CVE? What is the next step here?
The issue has been triaged, accepted, and is in queue. Unless you are familiar with Asterisk itself, I wouldn't recommend making changes because fundamentally altering behavior (such as not allowing root) even in this case is going to require discussion, research, and understanding all of the repercussions. If a CVE is warranted in some way then it will be requested when this work is undertaken.
@jcolp There is other software (such as VLC) which by default will not let you run it as root. A compromise could be to only allow Asterisk to run as root if the user passes a flag explicitly allowing it to run as root, even though it's highly not recommended.
@dovi5988 Yes, there are options and possibilities.
@jcolp Sorry for the delay on the writeup, I am installing the latest version and getting a proper writeup so that we can have a good discussion.
@dovi5988 A security override like this doesn't bother me, I have seen this in other products. As long as it defaults to a safe condition and writes in the log each time that it is deployed in an insecure way, then there isn't a chance of a silent bug. The point of the log write is that a large organization that uses ELK or another log management system can track security anomalies, and this fits. The security team may not be aware of how the VoIP team deployed or reconfigured Asterisk, so this makes sure that the organization is aware of the risk, and a descriptive warning message in the log file can do this.
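An added example, not Asterisk's own code, that puts both points raised in this thread (the 0777 mode arguments and a root override that must leave a log trail) into a daemon startup self-check; the function names, log strings and override flag are hypothetical:

```c
/* Added example (not Asterisk code): two startup self-checks modelled on the
 * thread above. Names and log strings are hypothetical. */
#include <stdio.h>
#include <stdbool.h>
#include <errno.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum priv_decision { PRIV_OK = 0, PRIV_REFUSE_ROOT = 1, PRIV_ROOT_OVERRIDDEN = 2 };

/* Default-deny: uid 0 is refused unless the operator passed an explicit
 * override flag, and every override start emits a loud, greppable log line
 * so a central log system (ELK etc.) can flag the insecure deployment. */
enum priv_decision privilege_decision(uid_t euid, bool allow_root_flag, FILE *log)
{
    if (euid != 0)
        return PRIV_OK;
    if (!allow_root_flag) {
        fprintf(log, "ERROR: refusing to start as root (uid 0); pass the override flag to force\n");
        return PRIV_REFUSE_ROOT;
    }
    fprintf(log, "SECURITY WARNING: running as root by operator override; not recommended\n");
    return PRIV_ROOT_OVERRIDDEN;
}

/* mkdir(path, 0777) is masked by the process umask, so the resulting bits
 * depend on the environment the daemon was started from. Ask for the intended
 * mode (e.g. 0755) and pin it with chmod(), which umask does not affect. */
int create_private_dir(const char *path, mode_t want)
{
    struct stat st;
    if (mkdir(path, want) != 0 && errno != EEXIST)
        return -1;
    if (stat(path, &st) != 0)
        return -1;
    if ((st.st_mode & 0777) != want && chmod(path, want) != 0)
        return -1;
    return 0;
}

/* True if group or other may write: the log-tampering case from the thread.
 * An unreadable path is reported as unsafe rather than silently passing. */
bool is_group_or_world_writable(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return true;
    return (st.st_mode & (S_IWGRP | S_IWOTH)) != 0;
}
```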