CVE-2022-26499: 
NixOS vulnerability analysis and mitigation

CVE-2022-26499 is a Server-Side Request Forgery (SSRF) vulnerability discovered in Asterisk through 19.x. The vulnerability was reported on June 10, 2021, and publicly disclosed on April 14, 2022. It affects Asterisk Open Source versions 16.15.0 and later, all versions of 18.x, and all versions of 19.x through 19.3.1. The issue was fixed in versions 16.25.2, 18.11.2, and 19.3.2 (Asterisk Advisory).

The vulnerability exists in the STIR/SHAKEN implementation where an attacker can send arbitrary requests (such as GET) to interfaces like localhost by manipulating the Identity header. The issue is classified as a Server-Side Request Forgery (SSRF) vulnerability with a CVSS v3.1 Base Score of 9.1 (CRITICAL) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (NVD).

The vulnerability allows remote unauthenticated attackers to send arbitrary requests to internal interfaces, potentially leading to information disclosure and system compromise. The severity is rated as 'Major' by the vendor, affecting the resstirshaken module (Asterisk Advisory).

The fix introduces a new configuration option called 'stirshakenprofile' that can be configured in stirshaken.conf and set on a per endpoint basis in pjsip.conf. This profile contains the stirshaken option and ACL configuration options to permit and deny specific IP addresses/hosts. The ACL is used to control access to the public key URL received in the Identity header (Asterisk Advisory).