Asterisk Project Security Advisory - AST-2022-002 Product Asterisk Summary res_stir_shaken: SSRF vulnerability with Identity header Nature of Advisory Server-side request forgery Susceptibility Remote unauthenticated access Severity Major Exploits Known No Reported On Jun 10, 2021 Reported By Clint Ruoho Posted On Apr 14, 2022 Last Updated On April 13, 2022 Advisory Contact bford AT sangoma DOT com CVE Name CVE-2022-26499 Description When using STIR/SHAKEN, it’s possible to send arbitrary requests like GET to interfaces such as localhost using the Identity header. Modules Affected res_stir_shaken Resolution If you are using STIR/SHAKEN in Asterisk, upgrade to one of the versions listed below to get a new configuration option: stir_shaken_profile. This can be configured in stir_shaken.conf and set on a per endpoint basis in pjsip.conf. This option will take priority over the stir_shaken option. The stir_shaken_profile will contain the stir_shaken option (attest, verify, or both), as well as ACL configuration options to permit and deny specific IP addresses / hosts. The ACL will be used for the public key URL we receive in the Identity header, which is used to tell Asterisk where to download the public certificate. An ACL from acl.conf can be used, but you can specify your own permit and deny lines within the profile itself. A combination of both can also be used. Note that this patch contains changes that affect the same area as the patch from AST-2022-001. It is recommended that you upgrade to a listed version, otherwise you might encounter merge conflicts. Affected Versions Product Release Series Asterisk Open Source 16.x 16.15.0 and after Asterisk Open Source 18.x All versions Asterisk Open Source 19.x All versions Corrected In Product Release Asterisk Open Source 16.25.2, 18.11.2, 19.3.2 Patches Patch URL Revision https://downloads.digium.com/pub/security/AST-2022-002-16.diff Asterisk 16 https://downloads.digium.com/pub/security/AST-2022-002-18.diff Asterisk 18 https://downloads.digium.com/pub/security/AST-2022-002-19.diff Asterisk 19 Links https://issues.asterisk.org/jira/browse/ASTERISK-29476 https://downloads.asterisk.org/pub/security/AST-2022-002.html Asterisk Project Security Advisories are posted at http://www.asterisk.org/security This document may be superseded by later versions; if so, the latest version will be posted at https://downloads.digium.com/pub/security/AST-2022-002.pdf and https://downloads.digium.com/pub/security/AST-2022-002.html Revision History Date Editor Revisions Made Apr 13, 2022 Ben Ford Initial revision Asterisk Project Security Advisory - AST-2022-002 Copyright © 01/19/2022 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.