Asterisk SIP MESSAGE Request Identity Spoofing Vulnerability

A vulnerability exists in Asterisk's handling of SIP MESSAGE requests, specifically in versions prior to 18.26.2, 20.14.1, 21.9.1, and 22.4.1, as well as certified-asterisk versions prior to 18.9-cert14 and 20.7-cert5. The issue arises because the authentication of these SIP requests does not align properly, allowing authenticated attackers to spoof user identities and send spam messages using the victim's authorization token. This can mislead recipients into believing the messages are from trusted sources, including administrators who adhere to security best practices. The vulnerability can facilitate social engineering, phishing, and similar attacks.

Impact

Exploitation of this vulnerability allows authenticated attackers to send fraudulent chat messages that appear to come from trusted individuals or entities, potentially leading to spam and social engineering attacks.

Reproduction

To reproduce this vulnerability, configure the Asterisk PJSIP transport to accept messages. Set up an endpoint for the attacker and another for the victim, ensuring both are authenticated. The attacker can then send a MESSAGE request that includes a spoofed From header, using the victim's authorization token to deliver a fake message that appears to come from a trusted source.

Remediation

Users can upgrade to Asterisk versions 18.26.2, 20.14.1, 21.9.1, or 22.4.1, or to certified-asterisk versions 18.9-cert14 or 20.7-cert5.