AST-2018-008: Fix enumeration of endpoints from ACL rejected addresses.
authorRichard Mudgett <rmudgett@digium.com>
Mon, 30 Apr 2018 22:38:58 +0000 (17:38 -0500)
committerRichard Mudgett <rmudgett@digium.com>
Mon, 11 Jun 2018 15:28:43 +0000 (09:28 -0600)
commit81ac32a85f605ac9280a61983be271e07032bacb
treefe8879e835ad5a773f3beef657a386e8bf65c6b0
parent9f2eb170054bd97b3a29f3ce3bdae5bac02fd052
AST-2018-008: Fix enumeration of endpoints from ACL rejected addresses.

When endpoint specific ACL rules block a SIP request they respond with a
403 forbidden.  However, if an endpoint is not identified then a 401
unauthorized response is sent.  This vulnerability just discloses which
requests hit a defined endpoint.  The ACL rules cannot be bypassed to gain
access to the disclosed endpoints.

* Made endpoint specific ACL rules now respond with a 401 unauthorized
which is the same as if an endpoint were not identified.  The fix is
accomplished by replacing the found endpoint with the artificial endpoint
which always fails authentication.

ASTERISK-27818

Change-Id: Icb275a54ff8e2df6c671a6d9bda37b5d732b3b32
res/res_pjsip/pjsip_distributor.c