[asterisk-announce] AST-2019-006: SIP request can change address of a SIP peer.

2019-11-21 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2019-006

  Product             Asterisk
  Summary             SIP request can change address of a SIP peer.
  Nature of Advisory  Denial of Service
  Susceptibility      Remote Unauthenticated Sessions
  Severity            Minor
  Exploits Known      No
  Reported On         October 17, 2019
  Reported By         Andrey V. T.
  Posted On           November 21, 2019
  Last Updated On     November 21, 2019
  Advisory Contact    bford AT sangoma DOT com
  CVE Name            CVE-2019-18790

  Description         A SIP request can be sent to Asterisk that can change
                      a SIP peer’s IP address. A REGISTER does not need to
                      occur, and calls can be hijacked as a result. The only
                      thing that needs to be known is the peer’s name;
                      authentication details such as passwords do not need
                      to be known. This vulnerability is only exploitable
                      when the “nat” option is set to the default, or
                      “auto_force_rport”.

  Modules Affected    channels/chan_sip.c

  Resolution          Using any other option value for “nat” will prevent
                      the attack (such as “nat=no” or “nat=force_rport”),
                      but will need to be tested on an individual basis to
                      ensure that it works for the user’s deployment. On the
                      fixed versions of Asterisk, it will no longer set the
                      address of the peer before authentication is
                      successful when a SIP request comes in.

  Affected Versions
    Product                 Release Series
    Asterisk Open Source    13.x      All releases
    Asterisk Open Source    16.x      All releases
    Asterisk Open Source    17.x      All releases
    Certified Asterisk      13.21     All releases

  Corrected In
    Product                 Release
    Asterisk Open Source    13.29.2
    Asterisk Open Source    16.6.2
    Asterisk Open Source    17.0.1
    Certified Asterisk      13.21-cert5

  Patches
    SVN URL                                                            Revision
    http://downloads.asterisk.org/pub/security/AST-2019-006-13.diff    Asterisk 13
    http://downloads.asterisk.org/pub/security/AST-2019-006-16.diff    Asterisk 16
    http://downloads.asterisk.org/pub/security/AST-2019-006-17.diff    Asterisk 17
    http://downloads.asterisk.org/pub/security/AST-2019-006-13.21.diff Certified Asterisk 13.21-cert5

Links  https://issues.asterisk.org/jira/browse/ASTERISK-28589 

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2019-006.pdf and 
http://downloads.digium.com/pub/security/AST-2019-006.html

Revision History
  Date               Editor     Revisions Made
  October 22, 2019   Ben Ford   Initial Revision
  November 14, 2019  Ben Ford   Corrected and updated fields for versioning,
                                and added CVE
  November 21, 2019  Ben Ford   Added “Posted On” date

[asterisk-announce] AST-2019-007: AMI user could execute system commands.

2019-11-21 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2019-007

  Product             Asterisk
  Summary             AMI user could execute system commands.
  Nature of Advisory  Remote Code Execution
  Susceptibility      Remote Authenticated Sessions
  Severity            Minor
  Exploits Known      No
  Reported On         October 10, 2019
  Reported By         Eliel Sardañons
  Posted On           November 21, 2019
  Last Updated On     November 21, 2019
  Advisory Contact    gjoseph AT digium DOT com
  CVE Name            CVE-2019-18610

  Description         A remote authenticated Asterisk Manager Interface
                      (AMI) user without “system” authorization could use a
                      specially crafted “Originate” AMI request to execute
                      arbitrary system commands.

  Modules Affected    manager.c

  Resolution          The specific parameters of the Originate AMI request
                      that allowed the remote code execution are now blocked
                      if the user does not have the “system” authorization.
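Both the AST-2019-006 resolution (the “nat” value of each chan_sip peer) and the AST-2019-007 resolution (which AMI users hold “system”) reduce to a configuration check, so here is an added example that audits sip.conf and manager.conf in one pass. It is my code, not the Asterisk project's. It assumes that “nat” is a comma-separated flag list whose shipped default contains auto_force_rport, that manager.conf “write=” is a comma-separated permission list in which “all” grants every class, and that template inheritance works as in Asterisk's own config files; the two sample configs are constructed, with placeholder secrets.

```python
"""Audit sip.conf and manager.conf for the settings named in AST-2019-006 and
AST-2019-007. Added example, not code from the Asterisk project. Assumptions:
"nat" is a comma-separated flag list whose shipped default includes
auto_force_rport; manager.conf "write" is a comma-separated permission list
in which "all" grants every class. The sample configs are constructed."""
import re
from typing import Dict, List, Optional, Tuple

SECTION_RE = re.compile(r"^\[([^\]]+)\](?:\(([^)]*)\))?$")
KEYVAL_RE = re.compile(r"^([^=]+?)\s*=>?\s*(.*)$")
# name -> (template parents, settings, is_template)
Section = Tuple[List[str], Dict[str, str], bool]


def parse_asterisk_conf(text: str) -> Dict[str, Section]:
    """Asterisk's INI dialect: ';' comments, [name](!) templates,
    [name](parent,...) inheritance, and both 'k=v' and 'k => v' forms."""
    sections: Dict[str, Section] = {}
    current: Optional[Section] = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            opts = [o.strip() for o in (m.group(2) or "").split(",") if o.strip()]
            current = ([o for o in opts if o != "!"], {}, "!" in opts)
            sections[m.group(1)] = current
            continue
        kv = KEYVAL_RE.match(line)
        if current is not None and kv:
            current[1][kv.group(1).strip()] = kv.group(2).strip()
    return sections


def lookup(sections, name, key, seen=None) -> Optional[str]:
    """Resolve a key in a section, then depth-first through its templates."""
    if name not in sections:
        return None
    parents, settings, _ = sections[name]
    if key in settings:
        return settings[key]
    seen = (seen or set()) | {name}
    for parent in parents:
        if parent not in seen:
            value = lookup(sections, parent, key, seen)
            if value is not None:
                return value
    return None


def audit_sip_nat(text: str) -> Dict[str, str]:
    """Peers whose effective "nat" is unset (the default) or contains
    auto_force_rport: the two conditions AST-2019-006 calls exploitable."""
    sections = parse_asterisk_conf(text)
    general_nat = lookup(sections, "general", "nat")
    findings: Dict[str, str] = {}
    for name, (_, _, is_template) in sections.items():
        if is_template or name in ("general", "authentication"):
            continue
        nat = lookup(sections, name, "nat")
        nat = general_nat if nat is None else nat
        flags = {f.strip() for f in nat.split(",")} if nat else set()
        if nat is None or "auto_force_rport" in flags:
            findings[name] = "(default)" if nat is None else nat
    return findings


def audit_ami_originate(text: str) -> Dict[str, List[str]]:
    """AMI users with "originate" write permission but no "system": before the
    fix they could reach the Originate parameters the advisory describes."""
    sections = parse_asterisk_conf(text)
    findings: Dict[str, List[str]] = {}
    for name, (_, _, is_template) in sections.items():
        if is_template or name == "general":
            continue
        write = lookup(sections, name, "write") or ""
        perms = {p.strip().lower() for p in write.split(",") if p.strip()}
        if "originate" in perms and not perms & {"system", "all"}:
            findings[name] = sorted(perms)
    return findings


SIP_CONF = """\
[general]
nat=auto_force_rport,auto_comedia   ; assumed shipped default
[phone](!)
type=friend
host=dynamic
[1001](phone)
; no nat here: inherits the [general] value
[1002](phone)
nat=force_rport   ; non-auto value; the advisory says this blocks the attack
"""
MANAGER_CONF = """\
[dialer]
secret = placeholder
write = originate,call   ; can Originate but lacks system
[ops]
secret = placeholder
write = system,originate,command
"""
```

`audit_sip_nat(SIP_CONF)` reports only peer 1001, which inherits the auto_force_rport default through its template and [general]; 1002 is excluded because its own “nat=force_rport” wins. `audit_ami_originate(MANAGER_CONF)` reports only the dialer user. A hit on the first check means upgrading to a corrected release or testing one of the non-auto “nat” values the resolution names; a hit on the second lists the users whose Originate requests with the blocked parameters are rejected on the fixed versions and were not before.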
  

  Affected Versions
    Product                 Release Series
    Asterisk Open Source    13.x      All releases
    Asterisk Open Source    16.x      All releases
    Asterisk Open Source    17.x      All releases
    Certified Asterisk      13.21     All releases

  Corrected In
    Product                 Release
    Asterisk Open Source    13.29.2
    Asterisk Open Source    16.6.2
    Asterisk Open Source    17.0.1
    Certified Asterisk      13.21-cert5

  Patches
    SVN URL                                                            Revision
    http://downloads.asterisk.org/pub/security/AST-2019-007-13.diff    Asterisk 13
    http://downloads.asterisk.org/pub/security/AST-2019-007-16.diff    Asterisk 16
    http://downloads.asterisk.org/pub/security/AST-2019-007-17.diff    Asterisk 17
    http://downloads.asterisk.org/pub/security/AST-2019-007-13.21.diff Certified Asterisk 13.21-cert5

Links  https://issues.asterisk.org/jira/browse/ASTERISK-28580 

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2019-007.pdf and 
http://downloads.digium.com/pub/security/AST-2019-007.html

Revision History
  Date               Editor         Revisions Made
  October 24, 2019   George Joseph  Initial Revision
  November 21, 2019  Ben Ford       Added “Posted On” date
  

   Asterisk Project Security Advisory - AST-2019-007
   Copyright © 2019 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.

-- 
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

asterisk-announce mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-announce

[asterisk-announce] Asterisk 13.29.2, 16.6.2, 17.0.1 and 13.21-cert5 Now Available (Security)

2019-11-21 Thread Asterisk Development Team
The Asterisk Development Team would like to announce security releases for
Asterisk 13, 16 and 17, and Certified Asterisk 13.21. The available releases are
released as versions 13.29.2, 16.6.2, 17.0.1 and 13.21-cert5.

These releases are available for immediate download at

https://downloads.asterisk.org/pub/telephony/asterisk/releases
https://downloads.asterisk.org/pub/telephony/certified-asterisk/releases

The following security vulnerabilities were resolved in these versions:

* AST-2019-006: SIP request can change address of a SIP peer.
  A SIP request can be sent to Asterisk that can change a SIP peer’s IP
  address. A REGISTER does not need to occur, and calls can be hijacked as a
  result. The only thing that needs to be known is the peer’s name;
  authentication details such as passwords do not need to be known. This
  vulnerability is only exploitable when the “nat” option is set to the
  default, or “auto_force_rport”.

* AST-2019-007: AMI user could execute system commands.
  A remote authenticated Asterisk Manager Interface (AMI) user without
  “system” authorization could use a specially crafted “Originate” AMI
  request to execute arbitrary system commands.

* AST-2019-008: Re-invite with T.38 and malformed SDP causes crash.
  If Asterisk receives a re-invite initiating T.38 faxing and has a port of 0
  and no c line in the SDP, a crash will occur.

For a full list of changes in the current releases, please see the ChangeLogs:

https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.29.2
https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-16.6.2
https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-17.0.1
https://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-certified-13.21-cert5

The security advisories are available at:

https://downloads.asterisk.org/pub/security/AST-2019-006.pdf
https://downloads.asterisk.org/pub/security/AST-2019-007.pdf
https://downloads.asterisk.org/pub/security/AST-2019-008.pdf

Thank you for your continued support of Asterisk!

[asterisk-announce] AST-2019-008: Re-invite with T.38 and malformed SDP causes crash.

2019-11-21 Thread Asterisk Security Team
   Asterisk Project Security Advisory -

  Product             Asterisk
  Summary             Re-invite with T.38 and malformed SDP causes crash.
  Nature of Advisory  Remote Crash
  Susceptibility      Remote Authenticated Sessions
  Severity            Minor
  Exploits Known      No
  Reported On         November 07, 2019
  Reported By         Salah Ahmed
  Posted On           November 21, 2019
  Last Updated On     November 21, 2019
  Advisory Contact    bford AT sangoma DOT com
  CVE Name            CVE-2019-18976

  Description         If Asterisk receives a re-invite initiating T.38
                      faxing and has a port of 0 and no c line in the SDP, a
                      crash will occur.

  Modules Affected    res_pjsip_t38.c

  Resolution          If T.38 faxing is not needed, then the “t38_udptl”
                      configuration option in pjsip.conf can be set to “no”
                      to disable the functionality. This option automatically
                      defaults to “no” and would have to be manually turned
                      on to experience this crash.

                      If T.38 faxing is needed, then Asterisk should be
                      upgraded to a fixed version.
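The crash condition above is concrete enough to turn into a detection rule for captured SIP traffic, so here is an added example (my code, not Asterisk's) that flags the malformed re-INVITE the advisory describes: an in-dialog INVITE whose SDP offers T.38 over UDPTL on port 0 with no c= line at session or media level. Treating an INVITE as a re-INVITE when its To header already carries a tag is an assumption of the example; the three messages are constructed, and the hostnames and addresses are placeholders.

```python
"""Detect the SDP shape AST-2019-008 describes: a re-INVITE that offers T.38
(m=image ... udptl t38) with port 0 and no c= line at session or media level.
Added example for passive detection over captured SIP, not Asterisk code; the
messages below are constructed and the To-tag test for "re-INVITE" is an
assumption. This is a detection aid, not a substitute for the fixed release."""
from typing import Dict, List, Optional, Tuple

Media = Dict[str, object]


def parse_sdp(body: str) -> Tuple[bool, List[Media]]:
    """Return (session_level_c_present, media sections). A c= line seen
    before any m= line is session level; afterwards it belongs to the
    current media section."""
    session_c = False
    medias: List[Media] = []
    current: Optional[Media] = None
    for line in body.replace("\r\n", "\n").split("\n"):
        if len(line) < 2 or line[1] != "=":
            continue
        kind, value = line[0], line[2:].strip()
        if kind == "m":
            parts = value.split()
            if len(parts) < 3:
                continue
            port = parts[1].split("/")[0]  # "port/count" form is allowed
            current = {"media": parts[0],
                       "port": int(port) if port.isdigit() else None,
                       "proto": parts[2].lower(),
                       "fmts": [f.lower() for f in parts[3:]],
                       "has_c": False}
            medias.append(current)
        elif kind == "c":
            if current is None:
                session_c = True
            else:
                current["has_c"] = True
    return session_c, medias


def t38_without_address(body: str) -> bool:
    """True when a T.38 image stream is offered on port 0 with no c= line."""
    session_c, medias = parse_sdp(body)
    for m in medias:
        is_t38 = (m["media"] == "image" and m["proto"] == "udptl"
                  and "t38" in m["fmts"])
        if is_t38 and m["port"] == 0 and not (session_c or m["has_c"]):
            return True
    return False


def is_t38_reinvite_trigger(message: str) -> bool:
    """An INVITE whose To header already carries a tag is in-dialog (a
    re-INVITE, by assumption); combine that with the malformed-SDP check."""
    head, _, body = message.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    if not lines[0].startswith("INVITE "):
        return False
    to = next((l.partition(":")[2] for l in lines[1:]
               if l.lower().startswith(("to:", "t:"))), "")
    return "tag=" in to.lower() and t38_without_address(body)


# Constructed sample: in-dialog INVITE, T.38 offer on port 0, no c= anywhere.
MALFORMED_REINVITE = "\r\n".join([
    "INVITE sip:1001@pbx.example SIP/2.0",
    "Via: SIP/2.0/UDP 203.0.113.10:5060;branch=z9hG4bK-1",
    "From: <sip:fax@203.0.113.10>;tag=abc",
    "To: <sip:1001@pbx.example>;tag=def",  # To tag: in-dialog re-INVITE
    "Call-ID: 1@203.0.113.10",
    "CSeq: 2 INVITE",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=- 1 2 IN IP4 203.0.113.10",
    "s=-",
    "t=0 0",
    "m=image 0 udptl t38",  # port 0 and no c= line
    "a=T38FaxVersion:0",
    "",
])
# Same dialog with a session-level c= line and a real port: well formed.
WELL_FORMED_REINVITE = MALFORMED_REINVITE.replace(
    "m=image 0 udptl t38", "c=IN IP4 203.0.113.10\r\nm=image 4000 udptl t38")
# Same SDP but no To tag: an initial INVITE, not the re-INVITE case.
INITIAL_INVITE = MALFORMED_REINVITE.replace(";tag=def", "")
```

`is_t38_reinvite_trigger` returns True only for MALFORMED_REINVITE; the well-formed re-INVITE and the initial INVITE both return False. Run it over the SDP bodies of in-dialog INVITEs from a PJSIP endpoint that has “t38_udptl” enabled, since the resolution notes the option defaults to “no” and the crash needs it turned on.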

  Affected Versions
    Product                 Release Series
    Asterisk Open Source    13.x      All versions
    Certified Asterisk      13.21     All versions

  Corrected In
    Product                 Release
    Asterisk Open Source    13.29.2
    Certified Asterisk      13.21-cert5

  Patches
    SVN URL                                                            Revision
    http://downloads.asterisk.org/pub/security/AST-2019-008-13.diff    Asterisk 13
    http://downloads.asterisk.org/pub/security/AST-2019-008-13.21.diff Certified Asterisk 13.21-cert5

Links  https://issues.asterisk.org/jira/browse/ASTERISK-28612 

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at http://downloads.digium.com/pub/security/.pdf   
and http://downloads.digium.com/pub/security/.html

Revision History
  Date               Editor     Revisions Made
  November 12, 2019  Ben Ford   Initial Revision
  November 21, 2019  Ben Ford   Added “Posted On” date
  

  Asterisk Project Security Advisory -
   Copyright © 2019 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.
