[asterisk-users] AST-2022-003: func_odbc: Possible SQL Injection

2022-04-14 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2022-003

  Product:             Asterisk
  Summary:             func_odbc: Possible SQL Injection
  Nature of Advisory:  SQL injection
  Susceptibility:      Remote unauthenticated sessions
  Severity:            Low
  Exploits Known:      No
  Reported On:         January 5, 2022
  Reported By:         Leandro Dardini
  Posted On:           April 14, 2022
  Last Updated On:     April 12, 2022
  Advisory Contact:    Jcolp AT sangoma DOT com
  CVE Name:            CVE-2022-26651

  Description
  Some databases can use backslashes to escape certain characters, such as
  backticks. If input is provided to func_odbc which includes backslashes, it is
  possible for func_odbc to construct a broken SQL query and the SQL query to
  fail.

  Additionally, while it has not yet been reproduced, this security advisory is
  also being published to cover the case of SQL injection with the aim of
  database manipulation by an outside party.

  Modules Affected:    func_odbc

  Resolution
  A new dialplan function, SQL_ESC_BACKSLASHES, has been added to the func_odbc
  module which will escape backslashes. If your usage of func_odbc may have input
  which includes backslashes and your database uses backslashes to escape
  backticks, then use the dialplan function to escape the backslashes.

  A second option is to disable support for backslashes for escaping in your
  database if the underlying database supports it.

  Affected Versions
    Product               Release Series
    Asterisk Open Source  16.x            All versions
    Asterisk Open Source  18.x            All versions
    Asterisk Open Source  19.x            All versions
    Certified Asterisk    16.x            All versions

  Corrected In
    Product               Release
    Asterisk Open Source  16.25.2, 18.11.2, 19.3.2
    Certified Asterisk    16.8-cert14

  Patches
    Patch URL                                                         Revision
    https://downloads.digium.com/pub/security/AST-2022-003-16.diff    Asterisk 16
    https://downloads.digium.com/pub/security/AST-2022-003-18.diff    Asterisk 18
    https://downloads.digium.com/pub/security/AST-2022-003-19.diff    Asterisk 19
    https://downloads.digium.com/pub/security/AST-2022-003-16.8.diff  Certified Asterisk 16.8

  Links
    https://issues.asterisk.org/jira/browse/ASTERISK-29838
    https://downloads.asterisk.org/pub/security/AST-2022-003.html

  Asterisk Project Security Advisories are posted at
  http://www.asterisk.org/security

  This document may be superseded by later versions; if so, the latest version
  will be posted at https://downloads.digium.com/pub/security/AST-2022-003.pdf and
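
As an added illustration, not code from Asterisk or from the advisory, the following mirrors the two escaping steps the advisory describes (quote doubling as SQL_ESC, backslash doubling as SQL_ESC_BACKSLASHES) and lexes the resulting query the way a database with and without backslash escaping would, showing how a backslash in the input leaves the quote-doubled query broken and why the backslash function belongs only on databases that actually treat backslashes as escapes. The SQL template, the helper names and the sample caller name are constructed for the demonstration.

```python
"""AST-2022-003 illustration: quote doubling alone versus quote and backslash
doubling when the database treats backslash as an escape character.

Added, stand-alone example; not code from Asterisk. sql_esc and
sql_esc_backslashes are constructed here to mirror the behaviour described for
the SQL_ESC and SQL_ESC_BACKSLASHES dialplan functions; the SQL template and the
sample caller name are likewise constructed.
"""
from typing import Callable, List, Tuple


def sql_esc(value: str) -> str:
    """Mirror of SQL_ESC: double every single quote (standard SQL escaping)."""
    return value.replace("'", "''")


def sql_esc_backslashes(value: str) -> str:
    """Mirror of SQL_ESC_BACKSLASHES: double every backslash."""
    return value.replace("\\", "\\\\")


def hardened_escape(value: str) -> str:
    """Both functions combined, as the advisory recommends for databases that
    treat backslash as an escape character."""
    return sql_esc(sql_esc_backslashes(value))


def build_query(escaped_value: str) -> str:
    """Interpolate the escaped value into a fixed template, the way a func_odbc
    readsql line would (constructed template, not taken from the advisory)."""
    return f"SELECT ext FROM users WHERE name='{escaped_value}'"


def lex_string_literals(query: str, backslash_escapes: bool) -> Tuple[List[str], bool]:
    """Walk `query` as a SQL lexer would and collect the contents of each
    single-quoted literal.

    Two adjacent quotes inside a literal stand for one quote (standard SQL).
    With backslash_escapes=True a backslash also escapes the following
    character, as in MySQL/MariaDB with the default sql_mode. Returns
    (literals, terminated); terminated is False when the statement ends inside
    an open literal, i.e. the query is syntactically broken and fails at the
    database, which is the failure the advisory describes.
    """
    literals: List[str] = []
    i, n = 0, len(query)
    while i < n:
        if query[i] != "'":
            i += 1
            continue
        i += 1                                  # consume the opening quote
        buf: List[str] = []
        closed = False
        while i < n:
            ch = query[i]
            if backslash_escapes and ch == "\\" and i + 1 < n:
                buf.append(query[i + 1])        # backslash escapes next char
                i += 2
            elif ch == "'" and i + 1 < n and query[i + 1] == "'":
                buf.append("'")                 # doubled quote = literal quote
                i += 2
            elif ch == "'":
                i += 1                          # closing quote
                closed = True
                break
            else:
                buf.append(ch)
                i += 1
        literals.append("".join(buf))
        if not closed:
            return literals, False
    return literals, True


def escaping_is_safe(value: str, escape: Callable[[str], str],
                     backslash_escapes: bool) -> bool:
    """Escape `value`, build the query and lex it back the way the target
    database would. The scheme is safe for that database only if the statement
    is terminated and holds exactly one literal whose content is the unmodified
    input: nothing leaked out of the quotes and nothing was altered."""
    literals, terminated = lex_string_literals(build_query(escape(value)),
                                               backslash_escapes)
    return terminated and literals == [value]


# Constructed sample: a caller name carrying a backslash followed by a quote.
SAMPLE_INPUT = "O\\'Brien"

if __name__ == "__main__":
    for label, esc in (("SQL_ESC only", sql_esc),
                       ("SQL_ESC_BACKSLASHES + SQL_ESC", hardened_escape)):
        for bs in (True, False):
            db = "backslash-escaping DB" if bs else "standard-SQL DB"
            print(f"{label:30s} {db:22s} -> {build_query(esc(SAMPLE_INPUT))!r}"
                  f"  safe={escaping_is_safe(SAMPLE_INPUT, esc, bs)}")
```

The fourth combination printed is the caveat in the resolution: on a database that does not treat backslashes as escapes, doubling them changes the stored value, so SQL_ESC_BACKSLASHES should be used only where the database needs it.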

[asterisk-users] AST-2022-002: res_stir_shaken: SSRF vulnerability with Identity header

2022-04-14 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2022-002

  Product:             Asterisk
  Summary:             res_stir_shaken: SSRF vulnerability with Identity header
  Nature of Advisory:  Server-side request forgery
  Susceptibility:      Remote unauthenticated access
  Severity:            Major
  Exploits Known:      No
  Reported On:         Jun 10, 2021
  Reported By:         Clint Ruoho
  Posted On:           Apr 14, 2022
  Last Updated On:     April 13, 2022
  Advisory Contact:    bford AT sangoma DOT com
  CVE Name:            CVE-2022-26499

  Description
  When using STIR/SHAKEN, it’s possible to send arbitrary requests like GET to
  interfaces such as localhost using the Identity header.

  Modules Affected:    res_stir_shaken

  Resolution
  If you are using STIR/SHAKEN in Asterisk, upgrade to one of the versions listed
  below to get a new configuration option: stir_shaken_profile. This can be
  configured in stir_shaken.conf and set on a per endpoint basis in pjsip.conf.
  This option will take priority over the stir_shaken option. The
  stir_shaken_profile will contain the stir_shaken option (attest, verify, or
  both), as well as ACL configuration options to permit and deny specific IP
  addresses / hosts. The ACL will be used for the public key URL we receive in
  the Identity header, which is used to tell Asterisk where to download the
  public certificate. An ACL from acl.conf can be used, but you can specify your
  own permit and deny lines within the profile itself. A combination of both can
  also be used.

  Note that this patch contains changes that affect the same area as the patch
  from AST-2022-001. It is recommended that you upgrade to a listed version,
  otherwise you might encounter merge conflicts.

  Affected Versions
    Product               Release Series
    Asterisk Open Source  16.x            16.15.0 and after
    Asterisk Open Source  18.x            All versions
    Asterisk Open Source  19.x            All versions

  Corrected In
    Product               Release
    Asterisk Open Source  16.25.2, 18.11.2, 19.3.2

  Patches
    Patch URL                                                       Revision
    https://downloads.digium.com/pub/security/AST-2022-002-16.diff  Asterisk 16
    https://downloads.digium.com/pub/security/AST-2022-002-18.diff  Asterisk 18
    https://downloads.digium.com/pub/security/AST-2022-002-19.diff  Asterisk 19

  Links
    https://issues.asterisk.org/jira/browse/ASTERISK-29476
    https://downloads.asterisk.org/pub/security/AST-2022-002.html

  Asterisk Project Security Advisories are posted at
  http://www.asterisk.org/security

  This document may be superseded by later versions; if so, the latest version
  will be posted at https://downloads.digium.com/pub/security/AST-2022-002.pdf and
  https://downloads.digium.com/pub/security/AST-2022-002.html

  Revision History
    Date  Editor  Revisions Made

[asterisk-users] AST-2022-001: res_stir_shaken: resource exhaustion with large files

2022-04-14 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2022-001

  Product:             Asterisk
  Summary:             res_stir_shaken: resource exhaustion with large files
  Nature of Advisory:  Resource exhaustion
  Susceptibility:      Remote unauthenticated access
  Severity:            Major
  Exploits Known:      No
  Reported On:         Jan 21, 2022
  Reported By:         Ben Ford
  Posted On:           Apr 14, 2022
  Last Updated On:     April 13, 2022
  Advisory Contact:    bford AT sangoma DOT com
  CVE Name:            CVE-2022-26498

  Description
  When using STIR/SHAKEN, it’s possible to download files that are not
  certificates. These files could be much larger than what you would expect to
  download.

  Modules Affected:    res_stir_shaken

  Resolution
  If you are using STIR/SHAKEN in Asterisk, upgrade to one of the versions listed
  below. Asterisk now checks the downloaded file to see if it’s actually a
  certificate or if it is larger than what is expected.

  If not upgrading, the curl_timeout option in stir_shaken.conf should be
  utilized so that downloads do not last an extended period of time.

  Affected Versions
    Product               Release Series
    Asterisk Open Source  16.x            16.15.0 and after
    Asterisk Open Source  18.x            All versions
    Asterisk Open Source  19.x            All versions

  Corrected In
    Product               Release
    Asterisk Open Source  16.25.2, 18.11.2, 19.3.2

  Patches
    Patch URL                                                       Revision
    https://downloads.digium.com/pub/security/AST-2022-001-16.diff  Asterisk 16
    https://downloads.digium.com/pub/security/AST-2022-001-18.diff  Asterisk 18
    https://downloads.digium.com/pub/security/AST-2022-001-19.diff  Asterisk 19

  Links
    https://issues.asterisk.org/jira/browse/ASTERISK-29872
    https://downloads.asterisk.org/pub/security/AST-2022-001.html

  Asterisk Project Security Advisories are posted at
  http://www.asterisk.org/security

  This document may be superseded by later versions; if so, the latest version
  will be posted at https://downloads.digium.com/pub/security/AST-2022-001.pdf and
  https://downloads.digium.com/pub/security/AST-2022-001.html

  Revision History
    Date          Editor    Revisions Made
    Apr 13, 2022  Ben Ford  Initial revision

   Asterisk Project Security Advisory - AST-2022-001
   Copyright © 01/19/2022 Digium, Inc. All Rights Reserved.
   Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.

-- 
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

Check out the new Asterisk community forum at: https://community.asterisk.org/

New to Asterisk? Start here:
  https://wiki.asterisk.org/wiki/display/AST/Getting+Started

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users

[asterisk-users] AST-2022-006: pjproject: unconstrained malformed multipart SIP message

2022-03-04 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2022-006

  Product:             Asterisk
  Summary:             pjproject: unconstrained malformed multipart SIP message
  Nature of Advisory:  Out of bounds memory access
  Susceptibility:      Remote unauthenticated sessions
  Severity:            Minor
  Exploits Known:      Yes
  Reported On:         March 3, 2022
  Reported By:         Sauw Ming
  Posted On:           March 4, 2022
  Last Updated On:     March 3, 2022
  Advisory Contact:    kharwell AT sangoma DOT com
  CVE Name:            CVE-2022-21723

  Description
  If an incoming SIP message contains a malformed multi-part body, an out of
  bounds read access may occur, which can result in undefined behavior. Note,
  it’s currently uncertain if there is any externally exploitable vector within
  Asterisk for this issue, but providing this as a security issue out of caution.

  Modules Affected:    bundled pjproject

  Resolution
  If you use “with-pjproject-bundled” then upgrade to, or install one of, the
  versions of Asterisk listed below. Otherwise install the appropriate version of
  pjproject that contains the patch.

  Affected Versions
    Product               Release Series
    Asterisk Open Source  16.x            All versions
    Asterisk Open Source  18.x            All versions
    Asterisk Open Source  19.x            All versions
    Certified Asterisk    16.x            All versions

  Corrected In
    Product               Release
    Asterisk Open Source  16.24.1, 18.10.1, 19.2.1
    Certified Asterisk    16.8-cert13

  Patches
    Patch URL                                                         Revision
    https://downloads.digium.com/pub/security/AST-2022-006-16.diff    Asterisk 16
    https://downloads.digium.com/pub/security/AST-2022-006-18.diff    Asterisk 18
    https://downloads.digium.com/pub/security/AST-2022-006-19.diff    Asterisk 19
    https://downloads.digium.com/pub/security/AST-2022-006-16.8.diff  Certified Asterisk 16.8

  Links
    https://issues.asterisk.org/jira/browse/ASTERISK-29945
    https://downloads.asterisk.org/pub/security/AST-2022-006.html
    https://github.com/pjsip/pjproject/security/advisories/GHSA-7fw8-54cv-r7pm

  Asterisk Project Security Advisories are posted at
  http://www.asterisk.org/security

  This document may be superseded by later versions; if so, the latest version
  will be posted at https://downloads.digium.com/pub/security/AST-2022-006.pdf and
  https://downloads.digium.com/pub/security/AST-2022-006.html

  Revision History
    Date           Editor         Revisions Made
    March 3, 2022  Kevin Harwell  Initial revision

   Asterisk Project Security Advisory - AST-2022-006
   Copyright © 2022 Digium, Inc. All Rights Reserved.
   Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.


[asterisk-users] AST-2022-005: pjproject: undefined behavior after freeing a dialog set

2022-03-04 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2022-005

  Product:             Asterisk
  Summary:             pjproject: undefined behavior after freeing a dialog set
  Nature of Advisory:  Denial of service
  Susceptibility:      Remote unauthenticated sessions
  Severity:            Major
  Exploits Known:      Yes
  Reported On:         March 3, 2022
  Reported By:         Sauw Ming
  Posted On:           March 4, 2022
  Last Updated On:     March 3, 2022
  Advisory Contact:    kharwell AT sangoma DOT com
  CVE Name:            CVE-2022-23608

  Description
  When acting as a UAC, and when placing an outgoing call to a target that then
  forks, Asterisk may experience undefined behavior (crashes, hangs, etc…) after
  a dialog set is prematurely freed.

  Modules Affected:    bundled pjproject

  Resolution
  If you use “with-pjproject-bundled” then upgrade to, or install one of, the
  versions of Asterisk listed below. Otherwise install the appropriate version of
  pjproject that contains the patch.

  Affected Versions
    Product               Release Series
    Asterisk Open Source  16.x            All versions
    Asterisk Open Source  18.x            All versions
    Asterisk Open Source  19.x            All versions
    Certified Asterisk    16.x            All versions

  Corrected In
    Product               Release
    Asterisk Open Source  16.24.1, 18.10.1, 19.2.1
    Certified Asterisk    16.8-cert13

  Patches
    Patch URL                                                         Revision
    https://downloads.digium.com/pub/security/AST-2022-005-16.diff    Asterisk 16
    https://downloads.digium.com/pub/security/AST-2022-005-18.diff    Asterisk 18
    https://downloads.digium.com/pub/security/AST-2022-005-19.diff    Asterisk 19
    https://downloads.digium.com/pub/security/AST-2022-005-16.8.diff  Certified Asterisk 16.8

  Links
    https://issues.asterisk.org/jira/browse/ASTERISK-29945
    https://downloads.asterisk.org/pub/security/AST-2022-005.html
    https://github.com/pjsip/pjproject/security/advisories/GHSA--m5fm-qm62

  Asterisk Project Security Advisories are posted at
  http://www.asterisk.org/security

  This document may be superseded by later versions; if so, the latest version
  will be posted at https://downloads.digium.com/pub/security/AST-2022-005.pdf and
  https://downloads.digium.com/pub/security/AST-2022-005.html

  Revision History
    Date           Editor         Revisions Made
    March 3, 2022  Kevin Harwell  Initial revision

   Asterisk Project Security Advisory - AST-2022-005
   Copyright © 2022 Digium, Inc. All Rights Reserved.
   Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.


[asterisk-users] AST-2022-004: pjproject: integer underflow on STUN message

2022-03-04 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2022-004

  Product:             Asterisk
  Summary:             pjproject: possible integer underflow on STUN message
  Nature of Advisory:  Arbitrary code execution
  Susceptibility:      Remote unauthenticated sessions
  Severity:            Major
  Exploits Known:      Yes
  Reported On:         March 3, 2022
  Reported By:         Sauw Ming
  Posted On:           March 4, 2022
  Last Updated On:     March 3, 2022
  Advisory Contact:    kharwell AT sangoma DOT com
  CVE Name:            CVE-2021-37706

  Description
  The header length on incoming STUN messages that contain an ERROR-CODE
  attribute is not properly checked. This can result in an integer underflow.
  Note, this requires ICE or WebRTC support to be in use with a malicious remote
  party.

  Modules Affected:    bundled pjproject

  Resolution
  If you use “with-pjproject-bundled” then upgrade to, or install one of, the
  versions of Asterisk listed below. Otherwise install the appropriate version of
  pjproject that contains the patch.

  Affected Versions
    Product               Release Series
    Asterisk Open Source  16.x            All versions
    Asterisk Open Source  18.x            All versions
    Asterisk Open Source  19.x            All versions
    Certified Asterisk    16.x            All versions

  Corrected In
    Product               Release
    Asterisk Open Source  16.24.1, 18.10.1, 19.2.1
    Certified Asterisk    16.8-cert13

  Patches
    Patch URL                                                         Revision
    https://downloads.digium.com/pub/security/AST-2022-004-16.diff    Asterisk 16
    https://downloads.digium.com/pub/security/AST-2022-004-18.diff    Asterisk 18
    https://downloads.digium.com/pub/security/AST-2022-004-19.diff    Asterisk 19
    https://downloads.digium.com/pub/security/AST-2022-004-16.8.diff  Certified Asterisk 16.8

  Links
    https://issues.asterisk.org/jira/browse/ASTERISK-29945
    https://downloads.asterisk.org/pub/security/AST-2022-004.html
    https://github.com/pjsip/pjproject/security/advisories/GHSA-2qpg-f6wf-w984

  Asterisk Project Security Advisories are posted at
  http://www.asterisk.org/security

  This document may be superseded by later versions; if so, the latest version
  will be posted at https://downloads.digium.com/pub/security/AST-2022-004.pdf and
  https://downloads.digium.com/pub/security/AST-2022-004.html

  Revision History
    Date           Editor         Revisions Made
    March 3, 2022  Kevin Harwell  Initial revision

   Asterisk Project Security Advisory - AST-2022-004
   Copyright © 2022 Digium, Inc. All Rights Reserved.
   Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.


[asterisk-users] AST-2021-009: pjproject/pjsip: crash when SSL socket destroyed during handshake

2021-07-22 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2021-009

  Product:             Asterisk
  Summary:             pjproject/pjsip: crash when SSL socket destroyed during handshake
  Nature of Advisory:  Denial of service
  Susceptibility:      Remote unauthenticated sessions
  Severity:            Major
  Exploits Known:      Yes
  Reported On:         May 5, 2021
  Reported By:         Andrew Yager
  Posted On:
  Last Updated On:     July 6, 2021
  Advisory Contact:    kharwell AT sangoma DOT com
  CVE Name:            CVE-2021-32686

  Description
  Depending on the timing, it’s possible for Asterisk to crash when using a TLS
  connection if the underlying socket parent/listener gets destroyed during the
  handshake.

  Modules Affected:    bundled pjproject

  Resolution
  If you use “with-pjproject-bundled” then upgrade to, or install one of, the
  versions of Asterisk listed below. Otherwise install the appropriate version of
  pjproject that contains the patch.

  Affected Versions
    Product               Release Series
    Asterisk Open Source  13.x            All versions
    Asterisk Open Source  16.x            All versions
    Asterisk Open Source  17.x            All versions
    Asterisk Open Source  18.x            All versions
    Certified Asterisk    16.x            All versions

  Corrected In
    Product               Release
    Asterisk Open Source  13.38.3, 16.19.1, 17.9.4, 18.5.1
    Certified Asterisk    16.8-cert10

  Patches
    Patch URL                                                         Revision
    https://downloads.digium.com/pub/security/AST-2021-009-13.diff    Asterisk 13
    https://downloads.digium.com/pub/security/AST-2021-009-16.diff    Asterisk 16
    https://downloads.digium.com/pub/security/AST-2021-009-17.diff    Asterisk 17
    https://downloads.digium.com/pub/security/AST-2021-009-18.diff    Asterisk 18
    https://downloads.digium.com/pub/security/AST-2021-009-16.8.diff  Certified Asterisk 16.8

  Links
    https://issues.asterisk.org/jira/browse/ASTERISK-29415
    https://downloads.asterisk.org/pub/security/AST-2021-009.html
    https://github.com/pjsip/pjproject/security/advisories/GHSA-cv8x-p47p-99wr

  Asterisk Project Security Advisories are posted at
  http://www.asterisk.org/security

  This document may be superseded by later versions; if so, the latest version
  will be posted at https://downloads.digium.com/pub/security/AST-2021-009.pdf and
  https://downloads.digium.com/pub/security/AST-2021-009.html

  Revision History
    Date           Editor         Revisions Made
    June 14, 2021  Kevin Harwell  Initial revision

   Asterisk Project Security Advisory - AST-2021-009
   Copyright © 2021 Digium, Inc. All Rights Reserved.
   Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered

[asterisk-users] AST-2021-008: Remote crash when using IAX2 channel driver

2021-07-22 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2021-008

  Product:             Asterisk
  Summary:             Remote crash when using IAX2 channel driver
  Nature of Advisory:  Denial of service
  Susceptibility:      Remote unauthenticated sessions
  Severity:            Major
  Exploits Known:      No
  Reported On:         April 13, 2021
  Reported By:         Michael Welk
  Posted On:
  Last Updated On:     July 6, 2021
  Advisory Contact:    kharwell AT sangoma DOT com
  CVE Name:            CVE-2021-32558

  Description
  If the IAX2 channel driver receives a packet that contains an unsupported media
  format, it can cause a crash to occur in Asterisk.

  Modules Affected:    chan_iax2.c

  Resolution
  Checks are now in place that make it so packets containing unsupported media
  formats are ignored/dropped in the IAX2 channel driver. This ensures Asterisk
  no longer crashes.

  Affected Versions
    Product               Release Series
    Asterisk Open Source  13.x            All versions
    Asterisk Open Source  16.x            All versions
    Asterisk Open Source  17.x            All versions
    Asterisk Open Source  18.x            All versions
    Certified Asterisk    16.8            All versions

  Corrected In
    Product               Release
    Asterisk Open Source  13.38.3, 16.19.1, 17.9.4, 18.5.1
    Certified Asterisk    16.8-cert10

  Patches
    Patch URL                                                        Revision
    http://downloads.digium.com/pub/security/AST-2021-008-13.diff    Asterisk 13
    http://downloads.digium.com/pub/security/AST-2021-008-16.diff    Asterisk 16
    http://downloads.digium.com/pub/security/AST-2021-008-17.diff    Asterisk 17
    http://downloads.digium.com/pub/security/AST-2021-008-18.diff    Asterisk 18
    http://downloads.digium.com/pub/security/AST-2021-008-16.8.diff  Certified Asterisk 16.8

  Links
    https://issues.asterisk.org/jira/browse/ASTERISK-29392
    https://downloads.asterisk.org/pub/security/AST-2021-008.html

  Asterisk Project Security Advisories are posted at
  http://www.asterisk.org/security

  This document may be superseded by later versions; if so, the latest version
  will be posted at http://downloads.digium.com/pub/security/AST-2021-008.pdf and
  http://downloads.digium.com/pub/security/AST-2021-008.html

  Revision History
    Date          Editor         Revisions Made
    May 10, 2021  Kevin Harwell  Initial revision

   Asterisk Project Security Advisory - AST-2021-008
   Copyright © 2021 Digium, Inc. All Rights Reserved.
   Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.


[asterisk-users] AST-2021-007: Remote Crash Vulnerability in PJSIP channel driver

2021-07-22 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2021-007

  Product:             Asterisk
  Summary:             Remote Crash Vulnerability in PJSIP channel driver
  Nature of Advisory:  Denial of Service
  Susceptibility:      Remote Authenticated Sessions
  Severity:            Moderate
  Exploits Known:      No
  Reported On:         April 6, 2021
  Reported By:         Ivan Poddubny
  Posted On:
  Last Updated On:     July 6, 2021
  Advisory Contact:    Jcolp AT sangoma DOT com
  CVE Name:            CVE-2021-31878

  Description
  When Asterisk receives a re-INVITE without SDP after having sent a BYE request,
  a crash will occur. This occurs due to the Asterisk channel no longer being
  present while code assumes it is.

  Modules Affected:    res_pjsip_session.c

  Resolution
  Upgrade to one of the fixed versions of Asterisk or apply the appropriate
  patch.

  Affected Versions
    Product               Release Series
    Asterisk Open Source  16.x            16.17.0, 16.18.0, 16.19.0
    Asterisk Open Source  18.x            18.3.0, 18.4.0, 18.5.0

  Corrected In
    Product               Release
    Asterisk Open Source  16.19.1, 18.5.1

  Patches
    Patch URL                                                       Revision
    https://downloads.digium.com/pub/security/AST-2021-007-16.diff  Asterisk 16
    https://downloads.digium.com/pub/security/AST-2021-007-18.diff  Asterisk 18

  Links
    https://issues.asterisk.org/jira/browse/ASTERISK-29381
    https://downloads.asterisk.org/pub/security/AST-2021-007.html

  Asterisk Project Security Advisories are posted at
  http://www.asterisk.org/security

  This document may be superseded by later versions; if so, the latest version
  will be posted at https://downloads.digium.com/pub/security/AST-2021-007.pdf and
  https://downloads.digium.com/pub/security/AST-2021-007.html

  Revision History
    Date            Editor       Revisions Made
    April 28, 2021  Joshua Colp  Initial revision

   Asterisk Project Security Advisory - AST-2021-007
   Copyright © 2021 Digium, Inc. All Rights Reserved.
   Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.


[asterisk-users] AST-2021-006: Crash when negotiating T.38 with a zero port

2021-03-04 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2021-006

  Product:             Asterisk
  Summary:             Crash when negotiating T.38 with a zero port
  Nature of Advisory:  Remote Crash
  Susceptibility:      Remote Authenticated Sessions
  Severity:            Minor
  Exploits Known:      No
  Reported On:         February 20, 2021
  Reported By:         Gregory Massel
  Posted On:
  Last Updated On:     February 25, 2021
  Advisory Contact:    bford AT sangoma DOT com
  CVE Name:            CVE-2019-15297

  Description
  When Asterisk sends a re-invite initiating T.38 faxing and the endpoint
  responds with a m=image line and zero port, a crash will occur in Asterisk.
  This is a reoccurrence of AST-2019-004.

  Modules Affected:    res_pjsip_t38.c

  Resolution
  If T.38 faxing is not required then setting “t38_udptl” on the endpoint to “no”
  disables this functionality. This option is “no” by default.

  If T.38 faxing is required, then Asterisk should be upgraded to a fixed
  version.

  Affected Versions
    Product               Release Series
    Asterisk Open Source  16.x            16.16.1
    Asterisk Open Source  17.x            17.9.2
    Asterisk Open Source  18.x            18.2.1
    Certified Asterisk    16.x            16.8-cert6

  Corrected In
    Product               Release
    Asterisk Open Source  16.16.2, 17.9.3, 18.2.2
    Certified Asterisk    16.8-cert7

  Patches
    Patch URL                                                         Revision
    https://downloads.digium.com/pub/security/AST-2021-006-16.diff    Asterisk 16
    https://downloads.digium.com/pub/security/AST-2021-006-17.diff    Asterisk 17
    https://downloads.digium.com/pub/security/AST-2021-006-18.diff    Asterisk 18
    https://downloads.digium.com/pub/security/AST-2021-006-16.8.diff  Certified Asterisk 16.8

  Links
    https://issues.asterisk.org/jira/browse/ASTERISK-29203
    https://downloads.asterisk.org/pub/security/AST-2021-006.html

  Asterisk Project Security Advisories are posted at
  http://www.asterisk.org/security

  This document may be superseded by later versions; if so, the latest version
  will be posted at https://downloads.digium.com/pub/security/AST-2021-006.pdf and
  https://downloads.digium.com/pub/security/AST-2021-006.html

  Revision History
    Date               Editor    Revisions Made
    February 25, 2021  Ben Ford  Initial revision

   Asterisk Project Security Advisory - AST-2021-006
   Copyright © 02/25/2021 Digium, Inc. All Rights Reserved.
   Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.


[asterisk-users] AST-2021-005: Remote Crash Vulnerability in PJSIP channel driver

2021-02-18 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2021-005

  Product:             Asterisk
  Summary:             Remote Crash Vulnerability in PJSIP channel driver
  Nature of Advisory:  Denial of Service
  Susceptibility:      Remote Unauthenticated Sessions
  Severity:            Moderate
  Exploits Known:      No
  Reported On:         December 4, 2020
  Reported By:         Mauri de Souza Meneguzzo (3CPlus)
  Posted On:           February 8, 2021
  Last Updated On:     February 8, 2021
  Advisory Contact:    Jcolp AT sangoma DOT com
  CVE Name:            CVE-2021-26906

  Description
  Given a scenario where an outgoing call is placed from Asterisk to a remote SIP
  server it is possible for a crash to occur.

  The code responsible for negotiating SDP in SIP responses incorrectly assumes
  that SDP negotiation will always be successful. If a SIP response containing an
  SDP that can not be negotiated is received a subsequent SDP negotiation on the
  same call can cause a crash.

  If the “accept_multiple_sdp_answers” option in the “system” section of
  pjsip.conf is set to “yes” then any subsequent non-forked SIP response with SDP
  can trigger this crash.

  If the “follow_early_media_fork” option in the “system” section of pjsip.conf
  is set to “yes” (the default) then any subsequent SIP responses with SDP from a
  forked destination can trigger this crash.

  If a 200 OK with SDP is received from a forked destination it can also trigger
  this crash, even if the “follow_early_media_fork” option is not set to “yes”.

  In all cases this relies on a race condition with tight timing where the second
  SDP negotiation occurs before termination of the call due to the initial SDP
  negotiation failure.

  Modules Affected:    res_pjsip_session.c, PJSIP

  Resolution
  The issue has been fixed in PJSIP by changing the behavior of the
  pjmedia_sdp_neg_modify_local_offer2 function. If SDP was previously negotiated
  the code no longer assumes that it was successful and instead checks that SDP
  was negotiated.

  This issue can only be resolved by upgrading to a fixed version or applying the
  provided patch.

  Affected Versions
    Product               Release Series
    Asterisk Open Source  13.x            All versions
    Asterisk Open Source  16.x            All versions
    Asterisk Open Source  17.x            All versions
    Asterisk Open Source  18.x            All versions
    Certified Asterisk    16.x            All versions

  Corrected In
    Product               Release
    Asterisk Open Source  13.38.2, 16.16.1, 17.9.2, 18.2.1
    Certified Asterisk    16.8-cert6

  Patches
    Patch URL  Revision

[asterisk-users] AST-2021-004: An unsuspecting user could crash Asterisk with multiple hold/unhold requests

2021-02-18 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2021-004

  Product:             Asterisk
  Summary:             An unsuspecting user could crash Asterisk with multiple hold/unhold requests
  Nature of Advisory:  Denial of Service
  Susceptibility:      Remote authenticated sessions
  Severity:            Moderate
  Exploits Known:      No
  Reported On:         December 9, 2020
  Reported By:         Edvin Vidmar
  Posted On:
  Last Updated On:     February 11, 2021
  Advisory Contact:    gjoseph AT sangoma DOT com
  CVE Name:            CVE-2021-26714

  Description
  Due to a signedness comparison mismatch, an authenticated WebRTC client could
  cause a stack overflow and Asterisk crash by sending multiple hold/unhold
  requests in quick succession.

  Modules Affected:    res_rtp_asterisk.c

  Resolution
  The packet size comparison terms have been corrected.

  Affected Versions
    Product               Release Series
    Asterisk Open Source  16.x            16.16.0
    Asterisk Open Source  17.x            17.9.1
    Asterisk Open Source  18.x            18.2.0
    Certified Asterisk    16.x            16.8-cert5

  Corrected In
    Product               Release
    Asterisk Open Source  16.16.1, 17.9.2, 18.2.1
    Certified Asterisk    16.8-cert6

  Patches
    Patch URL                                                           Revision
    https://downloads.asterisk.org/pub/security/AST-2021-004-16.diff    Asterisk 16
    https://downloads.asterisk.org/pub/security/AST-2021-004-17.diff    Asterisk 17
    https://downloads.asterisk.org/pub/security/AST-2021-004-18.diff    Asterisk 18
    https://downloads.asterisk.org/pub/security/AST-2021-004-16.8.diff  Certified Asterisk 16.8-cert6

  Links
    https://issues.asterisk.org/jira/browse/ASTERISK-29205
    https://downloads.asterisk.org/pub/security/AST-2021-004.html

  Asterisk Project Security Advisories are posted at
  http://www.asterisk.org/security

  This document may be superseded by later versions; if so, the latest version
  will be posted at https://downloads.digium.com/pub/security/AST-2021-004.pdf and
  https://downloads.digium.com/pub/security/AST-2021-004.html

  Revision History
    Date              Editor         Revisions Made
    February 4, 2021  George Joseph  Initial revision
    February 9, 2021  George Joseph  Added CVE

   Asterisk Project Security Advisory - AST-2021-004
   Copyright © 2021 Digium, Inc. All Rights Reserved.
   Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.

-- 
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

Check out the new Asterisk community forum at: https://community.asterisk.org/

New to Asterisk? Start here:
  https://wiki.asterisk.org/wiki/display/AST/Getting+Started

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users
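The bug class AST-2021-004 names, a packet length checked as a signed integer and then used as an unsigned size, shown as an added C illustration with the flawed check beside a corrected one. This is constructed example code, not res_rtp_asterisk.c or its patch; the function names, the 64-byte buffer and the exact shape of the check are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed illustration of the bug class named in the advisory: a packet
 * length checked as a signed integer but consumed as an unsigned size. The
 * names, the buffer size and the shape of the check are assumptions for this
 * example, not code from res_rtp_asterisk.c or its patch. */

#define PAYLOAD_MAX 64   /* bytes of stack buffer reserved for a payload */

/* Flawed check. 'len' arrives as a signed int (a parsed length field or a
 * read() result). The upper bound is compared in signed arithmetic, so a
 * negative length is never "greater than PAYLOAD_MAX" and passes. The same
 * value is then converted to size_t for memcpy(), where -1 becomes SIZE_MAX:
 * that is the stack overflow. To stay runnable this function returns the
 * byte count the copy would receive instead of performing it; 0 means the
 * check rejected the packet. */
static size_t flawed_copy_length(int len)
{
    if (len > PAYLOAD_MAX) {       /* int vs int: -1 > 64 is false */
        return 0;
    }
    return (size_t)len;            /* -1 becomes SIZE_MAX here */
}

/* Corrected check: reject negative lengths explicitly, then compare in the
 * unsigned domain against the real destination size. Only after both
 * conditions hold is the copy performed. */
static bool copy_payload_checked(uint8_t *dst, size_t dst_len,
                                 const uint8_t *src, int len)
{
    if (len < 0 || (size_t)len > dst_len) {
        return false;              /* rejected: negative or too large */
    }
    memcpy(dst, src, (size_t)len);
    return true;
}

/* Feeds a constructed payload (bytes 1, 2, 3, ...) with a caller-chosen
 * claimed length through the corrected path. Returns the sum of the bytes
 * actually copied into the stack buffer, or -1 if the packet was rejected. */
static int demo_receive(int claimed_len)
{
    uint8_t sample[PAYLOAD_MAX + 1];   /* constructed sample, one byte longer */
    uint8_t buf[PAYLOAD_MAX];
    int sum = 0;

    for (size_t k = 0; k < sizeof(sample); k++) {
        sample[k] = (uint8_t)(k + 1);
    }
    if (!copy_payload_checked(buf, sizeof(buf), sample, claimed_len)) {
        return -1;
    }
    for (int k = 0; k < claimed_len; k++) {
        sum += buf[k];
    }
    return sum;
}
```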

[asterisk-users] AST-2021-003: Remote attacker could prematurely tear down SRTP calls

2021-02-18 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2021-003

 Product             Asterisk
 Summary             Remote attacker could prematurely tear down SRTP
                     calls
 Nature of Advisory  Denial of Service
 Susceptibility      Remote unauthenticated sessions
 Severity            Moderate
 Exploits Known      No
 Reported On         January 22, 2021
 Reported By         Alexander Traud
 Posted On
 Last Updated On     February 11, 2021
 Advisory Contact    gjoseph AT sangoma DOT com
 CVE Name            CVE-2021-26712

 Description         An unauthenticated remote attacker could replay SRTP
                     packets which could cause an Asterisk instance
                     configured without strict RTP validation to tear down
                     calls prematurely.
 Modules Affected    res_srtp.c, res_rtp_asterisk.c

 Resolution          Asterisk now implements SRTP replay protection via a
                     “srtpreplayprotection” option in rtp.conf. The default
                     is “yes”.

 Affected Versions
   Product                Release Series
   Asterisk Open Source   13.x             13.38.1
   Asterisk Open Source   16.x             16.16.0
   Asterisk Open Source   17.x             17.9.1
   Asterisk Open Source   18.x             18.2.0
   Certified Asterisk     16.x             16.8-cert5

 Corrected In
   Product                Release
   Asterisk Open Source   13.38.2, 16.16.1, 17.9.2, 18.2.1
   Certified Asterisk     16.8-cert6

 Patches
   Patch URL                                                            Revision
   https://downloads.asterisk.org/pub/security/AST-2021-003-13.diff     13.38.2
   https://downloads.asterisk.org/pub/security/AST-2021-003-16.diff     16.16.1
   https://downloads.asterisk.org/pub/security/AST-2021-003-17.diff     17.9.2
   https://downloads.asterisk.org/pub/security/AST-2021-003-18.diff     18.2.1
   https://downloads.asterisk.org/pub/security/AST-2021-003-16.8.diff   Certified Asterisk 16.8-cert6

 Links               https://issues.asterisk.org/jira/browse/ASTERISK-29260
                     https://downloads.asterisk.org/pub/security/AST-2021-003.html

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
https://downloads.digium.com/pub/security/AST-2021-003.pdf and
https://downloads.digium.com/pub/security/AST-2021-003.html   

Revision History
  Date  Editor Revisions Made 
February 4, 2021   George Joseph Initial  
February 5, 2021   George Joseph Added CVE ID 

   Asterisk Project Security Advisory - AST-2021-003
   Copyright © 2021 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.

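Replay protection of the kind the AST-2021-003 resolution describes, as an added C illustration: the receiver derives the SRTP packet index from its roll-over counter and the 16-bit RTP sequence number (RFC 3711 section 3.3.1), checks it against a 64-entry sliding window (section 3.3.2), and updates the window only once a packet has authenticated. This is constructed example code, not res_srtp.c or the patch; the struct and function names are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed illustration of SRTP replay protection (RFC 3711, sections 3.3.1
 * and 3.3.2). Struct and function names are assumptions for this example; this
 * is not res_srtp.c or the patch referenced by the advisory. */

#define REPLAY_WINDOW 64   /* RFC 3711 requires a window of at least 64 packets */

struct replay_state {
    bool     primed;   /* false until the first packet has been accepted */
    uint64_t highest;  /* highest packet index accepted so far */
    uint64_t bitmap;   /* bit k set => index (highest - k) was already accepted */
};

static void replay_init(struct replay_state *st)
{
    memset(st, 0, sizeof(*st));
}

/* Packet index estimation (RFC 3711 section 3.3.1). 'roc' is the receiver's
 * roll-over counter, 's_l' the highest sequence number seen so far and 'seq'
 * the 16-bit sequence number of the packet in hand. A seq far behind s_l is
 * taken to have wrapped into the next ROC; one far ahead is a late packet
 * from the previous ROC. roc +/- 1 wraps modulo 2^32 as a uint32_t. */
static uint64_t srtp_packet_index(uint32_t roc, uint16_t s_l, uint16_t seq)
{
    uint32_t v;
    if (s_l < 32768) {
        v = ((int32_t)seq - (int32_t)s_l > 32768) ? roc - 1 : roc;
    } else {
        v = ((int32_t)s_l - 32768 > (int32_t)seq) ? roc + 1 : roc;
    }
    return ((uint64_t)v << 16) | seq;
}

/* Step 1, run before authentication: is this index worth processing at all?
 * Returns false for an index already accepted (a replay) or one too old to be
 * tracked by the window (RFC 3711 section 3.3.2). */
static bool replay_check(const struct replay_state *st, uint64_t index)
{
    if (!st->primed || index > st->highest) {
        return true;
    }
    uint64_t diff = st->highest - index;
    if (diff >= REPLAY_WINDOW) {
        return false;                  /* too old: outside the window */
    }
    return (st->bitmap & ((uint64_t)1 << diff)) == 0;
}

/* Step 2, run only after the packet authenticated: record the index. Updating
 * the window for authenticated packets only stops an attacker from advancing
 * it with forged packets and pushing genuine late packets out of it. */
static void replay_update(struct replay_state *st, uint64_t index)
{
    if (!st->primed) {
        st->primed = true;
        st->highest = index;
        st->bitmap = 1;
        return;
    }
    if (index > st->highest) {         /* newer than anything seen: slide */
        uint64_t shift = index - st->highest;
        st->bitmap = (shift >= REPLAY_WINDOW) ? 0 : (st->bitmap << shift);
        st->bitmap |= 1;
        st->highest = index;
        return;
    }
    uint64_t diff = st->highest - index;
    if (diff < REPLAY_WINDOW) {
        st->bitmap |= (uint64_t)1 << diff;   /* late but genuine: mark seen */
    }
}

/* Path for a packet whose authentication tag verified: check, then record.
 * Returns true if the packet is accepted. */
static bool replay_accept(struct replay_state *st, uint64_t index)
{
    if (!replay_check(st, index)) {
        return false;
    }
    replay_update(st, index);
    return true;
}

/* Feeds a constructed sequence of packet indices through the window: in-order
 * packets, one duplicate, one late-but-genuine packet, a jump past the window,
 * then a packet that is now too old, and a final duplicate. Returns how many
 * were accepted (6 of the 9). */
static int demo_accepted_count(void)
{
    static const uint64_t indices[] = { 10, 11, 12, 11, 9, 112, 12, 111, 111 };
    struct replay_state st;
    int accepted = 0;

    replay_init(&st);
    for (size_t k = 0; k < sizeof(indices) / sizeof(indices[0]); k++) {
        if (replay_accept(&st, indices[k])) {
            accepted++;
        }
    }
    return accepted;
}
```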

[asterisk-users] AST-2021-002: Remote crash possible when negotiating T.38

2021-02-18 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2021-002

 Product             Asterisk
 Summary             Remote crash possible when negotiating T.38
 Nature of Advisory  Denial of service
 Susceptibility      Remote authenticated sessions
 Severity            Minor
 Exploits Known      No
 Reported On         December 8, 2020
 Reported By         Gregory Massel
 Posted On
 Last Updated On     February 5, 2021
 Advisory Contact    kharwell AT sangoma DOT com
 CVE Name            CVE-2021-26717

 Description         When re-negotiating for T.38, if the initial remote
                     response was delayed just enough, Asterisk would send
                     both audio and T.38 in the SDP. If this happened, and
                     the remote responded with a declined T.38 stream, then
                     Asterisk would crash.
 Modules Affected    res_pjsip_session.c, res_pjsip_t38.c

 Resolution          When re-negotiating for T.38 and a delay occurs,
                     Asterisk now sends SDP only for the expected T.38
                     stream. A check was also put in place to ensure a T.38
                     media stream is active within Asterisk when attempting
                     to change state for fax.

 Affected Versions
   Product                Release Series   Introduced
   Asterisk Open Source   16.x             16.15.0
   Asterisk Open Source   17.x             17.9.0
   Asterisk Open Source   18.x             18.1.0
   Certified Asterisk     16.8             16.8-cert4

 Corrected In
   Product                Release
   Asterisk Open Source   16.16.1, 17.9.2, 18.2.1
   Certified Asterisk     16.8-cert6

 Patches
   Patch URL                                                            Revision
   https://downloads.asterisk.org/pub/security/AST-2021-002-16.diff     Asterisk 16
   https://downloads.asterisk.org/pub/security/AST-2021-002-17.diff     Asterisk 17
   https://downloads.asterisk.org/pub/security/AST-2021-002-18.diff     Asterisk 18
   https://downloads.asterisk.org/pub/security/AST-2021-002-16.8.diff   Certified Asterisk 16.8-cert6

 Links               https://issues.asterisk.org/jira/browse/ASTERISK-29203
                     https://downloads.asterisk.org/pub/security/AST-2021-002.html

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2021-002.pdf and 
http://downloads.digium.com/pub/security/AST-2021-002.html

Revision History
   Date  EditorRevisions Made 
February 1, 2021 Kevin Harwell   Initial revision 

   Asterisk Project Security Advisory - AST-2021-002
   Copyright © 2021 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.


[asterisk-users] AST-2021-001: Remote crash in res_pjsip_diversion

2021-02-18 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2021-001

 Product             Asterisk
 Summary             Remote crash in res_pjsip_diversion
 Nature of Advisory  Denial of service
 Susceptibility      Remote authenticated sessions
 Severity            Moderate
 Exploits Known      No
 Reported On         December 28, 2020
 Reported By         Ivan Poddubny
 Posted On           January 04, 2021
 Last Updated On     January 04, 2021
 Advisory Contact    gjoseph AT sangoma DOT com
 CVE Name            CVE-2020-35776

 Description         If a registered user is tricked into dialing a
                     malicious number that sends lots of 181 responses to
                     Asterisk, each one will cause a 181 to be sent back to
                     the original caller with an increasing number of
                     entries in the “Supported” header. Eventually the
                     number of entries in the header exceeds the size of
                     the entry array and causes a crash.
 Modules Affected    res_pjsip_diversion.c

 Resolution          Before updating the “Supported” header with a new
                     entry, Asterisk now checks that the entry doesn’t
                     already exist and that adding an entry won’t exceed
                     the size of the entry array.

 Affected Versions
   Product                Release Series
   Asterisk Open Source   13.X             13.38.1
   Asterisk Open Source   16.X             16.15.1
   Asterisk Open Source   17.X             17.9.1
   Asterisk Open Source   18.X             18.1.1

 Corrected In
   Product                Release
   Asterisk Open Source   13.38.2, 16.16.1, 17.9.2, 18.2.1

 Patches
   Patch URL                                                          Revision
   https://downloads.digium.com/pub/security/AST-2021-001-13.diff     13.38.2
   https://downloads.digium.com/pub/security/AST-2021-001-16.diff     16.16.1
   https://downloads.digium.com/pub/security/AST-2021-001-17.diff     17.9.2
   https://downloads.digium.com/pub/security/AST-2021-001-18.diff     18.2.1

 Links               https://issues.asterisk.org/jira/browse/ASTERISK-29227
                     https://downloads.asterisk.org/pub/security/AST-2021-001.html

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
https://downloads.digium.com/pub/security/AST-2021-001.pdf and
https://downloads.digium.com/pub/security/AST-2021-001.html   

Revision History
 Date Editor   Revisions Made 
December 29, 2020   George JosephInitial revision 

   Asterisk Project Security Advisory - AST-2021-001
   Copyright © 2020 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.


[asterisk-users] AST-2020-004: Remote crash in res_pjsip_diversion

2020-12-22 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2020-004

 Product             Asterisk
 Summary             Remote crash in res_pjsip_diversion
 Nature of Advisory  Denial of service
 Susceptibility      Remote authenticated sessions
 Severity            Moderate
 Exploits Known      No
 Reported On         December 02, 2020
 Reported By         Mikhail Ivanov
 Posted On           December 22, 2020
 Last Updated On
 Advisory Contact    kharwell AT sangoma DOT com
 CVE Name

 Description         A crash can occur in Asterisk when a SIP 181 response
                     is received that has a Diversion header, which
                     contains a tel-uri.
 Modules Affected    res_pjsip_diversion.c

 Resolution          Asterisk now ensures that, if it receives a SIP 181
                     response with a Diversion header that contains a
                     tel-uri, a crash does not occur.

 Affected Versions
   Product                Release Series
   Asterisk Open Source   13.X             13.38.0
   Asterisk Open Source   16.X             16.15.0
   Asterisk Open Source   17.X             17.9.0
   Asterisk Open Source   18.X             18.1.0

 Corrected In
   Product                Release
   Asterisk Open Source   13.38.1, 16.15.1, 17.9.1, 18.1.1

 Patches
   SVN URL                                                        Revision
   The associated patches for AST-2020-003 also fix this issue.   Asterisk 13, 16, 17, 18

 Links               https://issues.asterisk.org/jira/browse/ASTERISK-29191
                     https://downloads.asterisk.org/pub/security/AST-2020-003.html

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2020-004.pdf and 
http://downloads.digium.com/pub/security/AST-2020-004.html

Revision History
 Date Editor   Revisions Made 
December 22, 2020   Kevin HarwellInitial revision 

   Asterisk Project Security Advisory - AST-2020-004
   Copyright © 2020 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.


[asterisk-users] AST-2020-003: Remote crash in res_pjsip_diversion

2020-12-22 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2020-003

 Product             Asterisk
 Summary             Remote crash in res_pjsip_diversion
 Nature of Advisory  Denial of service
 Susceptibility      Remote authenticated sessions
 Severity            Moderate
 Exploits Known      Yes
 Reported On         December 22, 2020
 Reported By         Torrey Searle
 Posted On           December 22, 2020
 Last Updated On     December 22, 2020
 Advisory Contact    kharwell AT sangoma DOT com
 CVE Name

 Description         A crash can occur in Asterisk when a SIP message is
                     received that has a History-Info header, which
                     contains a tel-uri.

                     Note, the remote client must be authenticated, or
                     Asterisk must be configured for anonymous calling, in
                     order for this problem to manifest.
 Modules Affected    res_pjsip_diversion.c

 Resolution          Asterisk now ensures that, if it receives a SIP
                     message with a History-Info header that contains a
                     tel-uri, the redirecting cause is simply set to
                     unknown.

 Affected Versions
   Product                Release Series
   Asterisk Open Source   13.X             13.38.0
   Asterisk Open Source   16.X             16.15.0
   Asterisk Open Source   17.X             17.9.0
   Asterisk Open Source   18.X             18.1.0

 Corrected In
   Product                Release
   Asterisk Open Source   13.38.1, 16.15.1, 17.9.1, 18.1.1

 Patches
   SVN URL                                                            Revision
   https://downloads.asterisk.org/pub/security/AST-2020-003-13.diff   Asterisk 13
   https://downloads.asterisk.org/pub/security/AST-2020-003-16.diff   Asterisk 16
   https://downloads.asterisk.org/pub/security/AST-2020-003-17.diff   Asterisk 17
   https://downloads.asterisk.org/pub/security/AST-2020-003-18.diff   Asterisk 18

 Links               https://issues.asterisk.org/jira/browse/ASTERISK-29219

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2020-003.pdf and 
http://downloads.digium.com/pub/security/AST-2020-003.html

Revision History
 Date Editor   Revisions Made 
December 22, 2020   Kevin HarwellInitial revision 

   Asterisk Project Security Advisory - AST-2020-003
   Copyright © 2020 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.


[asterisk-users] AST-2020-002: Outbound INVITE loop on challenge with different nonce.

2020-11-05 Thread Asterisk Security Team
   Asterisk Project Security Advisory – AST-2020-002

 Product             Asterisk
 Summary             Outbound INVITE loop on challenge with different
                     nonce.
 Nature of Advisory  Denial of Service
 Susceptibility      Remote Authenticated Sessions
 Severity            Minor
 Exploits Known      Yes
 Reported On         July 28, 2020
 Reported By         Sebastian Damm, Ruslan Lazin
 Posted On           November 5, 2020
 Last Updated On     November 5, 2020
 Advisory Contact    bford AT sangoma DOT com
 CVE Name

 Description         If Asterisk is challenged on an outbound INVITE and
                     the nonce is changed in each response, Asterisk will
                     continually send INVITEs in a loop. This causes
                     Asterisk to consume more and more memory since the
                     transaction will never terminate (even if the call is
                     hung up), ultimately leading to a restart or shutdown
                     of Asterisk. Outbound authentication must be
                     configured on the endpoint for this to occur.
 Modules Affected    res_pjsip

 Resolution          In the fixed versions of Asterisk, a counter has been
                     added that will automatically stop sending INVITEs
                     after reaching the limit.

 Affected Versions
   Product                Release Series
   Asterisk Open Source   13.x             All versions
   Asterisk Open Source   16.x             All versions
   Asterisk Open Source   17.x             All versions
   Asterisk Open Source   18.x             All versions
   Certified Asterisk     16.8             All versions

 Corrected In
   Product                Release
   Asterisk Open Source   13.37.1
   Asterisk Open Source   16.14.1
   Asterisk Open Source   17.8.1
   Asterisk Open Source   18.0.1
   Certified Asterisk     16.8-cert5

 Patches
   SVN URL                                                             Revision
   http://downloads.asterisk.org/pub/security/AST-2020-002-13.diff     Asterisk 13
   http://downloads.asterisk.org/pub/security/AST-2020-002-16.diff     Asterisk 16
   http://downloads.asterisk.org/pub/security/AST-2020-002-17.dif      Asterisk 17
   http://downloads.asterisk.org/pub/security/AST-2020-002-18.dif      Asterisk 18
   http://downloads.asterisk.org/pub/security/AST-2020-002-16.8.diff   Certified Asterisk 16.8-cert5

 Links               https://issues.asterisk.org/jira/browse/ASTERISK-29013

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2020-002.pdf and 
http://downloads.digium.com/pub/security/AST-2020-002.html

Revision History  
Date   EditorRevisions Made   
November 5, 2020  Ben Ford  Initial 

[asterisk-users] AST-2020-001: Remote crash in res_pjsip_session

2020-11-05 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2020-001

 Product             Asterisk
 Summary             Remote crash in res_pjsip_session
 Nature of Advisory  Denial of service
 Susceptibility      Remote authenticated sessions
 Severity            Moderate
 Exploits Known      No
 Reported On         August 31, 2020
 Reported By         Sandro Gauci
 Posted On           November 5, 2020
 Last Updated On     November 4, 2020
 Advisory Contact    kharwell AT sangoma DOT com
 CVE Name

 Description         Upon receiving a new SIP Invite, Asterisk did not
                     return the created dialog locked or referenced. This
                     caused a “gap” between the creation of the dialog
                     object and its next use by the thread that created
                     it. Depending upon some off-nominal circumstances and
                     timing, it was possible for another thread to free
                     said dialog in this “gap”. Asterisk could then crash
                     when the dialog object, or any of its dependent
                     objects, was next dereferenced or accessed by the
                     initial creation thread.

                     Note, however, that this crash can only occur when
                     using a connection-oriented protocol (e.g. TCP, TLS)
                     for the SIP transport. If you are using UDP then your
                     system should not be affected.

                     As well, the remote client must be authenticated, or
                     Asterisk must be configured for anonymous calling, in
                     order for this problem to manifest.
 Modules Affected    res_pjsip.c, res_pjsip_session.c, res_pjsip_pubsub.c

 Resolution          Asterisk now returns the newly created dialog object
                     both locked and with its reference count increased.
                     The lock and added reference are then held until it is
                     safe to release the lock and decrement the reference
                     count.

 Affected Versions
   Product                Release Series
   Asterisk Open Source   13.x             All releases
   Asterisk Open Source   16.x             All releases
   Asterisk Open Source   17.x             All releases
   Asterisk Open Source   18.x             All releases
   Certified Asterisk     16.8             All releases

 Corrected In
   Product                Release
   Asterisk Open Source   13.37.1, 16.14.1, 17.8.1, 18.0.1
   Certified Asterisk     16.8-cert5

 Patches
   SVN URL                                                             Revision
   http://downloads.asterisk.org/pub/security/AST-2020-001-13.diff     Asterisk 13
   http://downloads.asterisk.org/pub/security/AST-2020-001-16.diff     Asterisk 16
   http://downloads.asterisk.org/pub/security/AST-2020-001-17.diff     Asterisk 17
   http://downloads.asterisk.org/pub/security/AST-2020-001-18.diff     Asterisk 18
   http://downloads.asterisk.org/pub/security/AST-2020-001-16.8.diff   Certified Asterisk 16.8-cert5

 Links               https://issues.asterisk.org/jira/browse/ASTERISK-29057

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security   

[asterisk-users] AST-2019-008: Re-invite with T.38 and malformed SDP causes crash.

2019-11-21 Thread Asterisk Security Team
  Asterisk Project Security Advisory -

 Product             Asterisk
 Summary             Re-invite with T.38 and malformed SDP causes crash.
 Nature of Advisory  Remote Crash
 Susceptibility      Remote Authenticated Sessions
 Severity            Minor
 Exploits Known      No
 Reported On         November 07, 2019
 Reported By         Salah Ahmed
 Posted On           November 21, 2019
 Last Updated On     November 21, 2019
 Advisory Contact    bford AT sangoma DOT com
 CVE Name            CVE-2019-18976

 Description         If Asterisk receives a re-invite initiating T.38
                     faxing that has a port of 0 and no c line in the SDP,
                     a crash will occur.
 Modules Affected    res_pjsip_t38.c

 Resolution          If T.38 faxing is not needed, then the “t38_udptl”
                     configuration option in pjsip.conf can be set to “no”
                     to disable the functionality. This option defaults to
                     “no” and would have to be manually turned on to
                     experience this crash.

                     If T.38 faxing is needed, then Asterisk should be
                     upgraded to a fixed version.

 Affected Versions
   Product                Release Series
   Asterisk Open Source   13.x             All versions
   Certified Asterisk     13.21            All versions

 Corrected In
   Product                Release
   Asterisk Open Source   13.29.2
   Certified Asterisk     13.21-cert5

 Patches
   SVN URL                                                              Revision
   http://downloads.asterisk.org/pub/security/AST-2019-008-13.diff      Asterisk 13
   http://downloads.asterisk.org/pub/security/AST-2019-008-13.21.diff   Certified Asterisk 13.21-cert5

 Links               https://issues.asterisk.org/jira/browse/ASTERISK-28612

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at http://downloads.digium.com/pub/security/.pdf   
and http://downloads.digium.com/pub/security/.html

Revision History
  Date  Editor Revisions Made 
November 12, 2019  Ben Ford  Initial Revision 
November 21, 2019  Ben Ford  Added “Posted On” date 
  

  Asterisk Project Security Advisory -
   Copyright © 2019 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.


[asterisk-users] AST-2019-007: AMI user could execute system commands.

2019-11-21 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2019-007

 Product             Asterisk
 Summary             AMI user could execute system commands.
 Nature of Advisory  Remote Code Execution
 Susceptibility      Remote Authenticated Sessions
 Severity            Minor
 Exploits Known      No
 Reported On         October 10, 2019
 Reported By         Eliel Sardañons
 Posted On           November 21, 2019
 Last Updated On     November 21, 2019
 Advisory Contact    gjoseph AT digium DOT com
 CVE Name            CVE-2019-18610

 Description         A remote authenticated Asterisk Manager Interface
                     (AMI) user without “system” authorization could use a
                     specially crafted “Originate” AMI request to execute
                     arbitrary system commands.
 Modules Affected    manager.c

 Resolution          The specific parameters of the Originate AMI request
                     that allowed the remote code execution are now blocked
                     if the user does not have the “system” authorization.

 Affected Versions
   Product                Release Series
   Asterisk Open Source   13.x             All releases
   Asterisk Open Source   16.x             All releases
   Asterisk Open Source   17.x             All releases
   Certified Asterisk     13.21            All releases

 Corrected In
   Product                Release
   Asterisk Open Source   13.29.2
   Asterisk Open Source   16.6.2
   Asterisk Open Source   17.0.1
   Certified Asterisk     13.21-cert5

 Patches
   SVN URL                                                              Revision
   http://downloads.asterisk.org/pub/security/AST-2019-007-13.diff      Asterisk 13
   http://downloads.asterisk.org/pub/security/AST-2019-007-16.diff      Asterisk 16
   http://downloads.asterisk.org/pub/security/AST-2019-007-17.diff      Asterisk 17
   http://downloads.asterisk.org/pub/security/AST-2019-007-13.21.diff   Certified Asterisk 13.21-cert5

 Links               https://issues.asterisk.org/jira/browse/ASTERISK-28580

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2019-007.pdf and 
http://downloads.digium.com/pub/security/AST-2019-007.html

Revision History
  DateEditor  Revisions Made  
October 24, 2019   George Joseph  Initial Revision
November 21, 2019  Ben Ford   Added “Posted On” date
  

   Asterisk Project Security Advisory - AST-2019-007
   Copyright © 2019 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.


[asterisk-users] AST-2019-006: SIP request can change address of a SIP peer.

2019-11-21 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2019-006

 Product             Asterisk
 Summary             SIP request can change address of a SIP peer.
 Nature of Advisory  Denial of Service
 Susceptibility      Remote Unauthenticated Sessions
 Severity            Minor
 Exploits Known      No
 Reported On         October 17, 2019
 Reported By         Andrey V. T.
 Posted On           November 21, 2019
 Last Updated On     November 21, 2019
 Advisory Contact    bford AT sangoma DOT com
 CVE Name            CVE-2019-18790

 Description         A SIP request can be sent to Asterisk that can change
                     a SIP peer’s IP address. A REGISTER does not need to
                     occur, and calls can be hijacked as a result. The only
                     thing that needs to be known is the peer’s name;
                     authentication details such as passwords do not need
                     to be known. This vulnerability is only exploitable
                     when the “nat” option is set to the default, or
                     “auto_force_rport”.
 Modules Affected    channels/chan_sip.c

 Resolution          Using any other option value for “nat” will prevent the
                     attack (such as “nat=no” or “nat=force_rport”), but
                     will need to be tested on an individual basis to ensure
                     that it works for the user’s deployment. On the fixed
                     versions of Asterisk, the address of the peer is no
                     longer set before authentication is successful when a
                     SIP request comes in.

 Affected Versions
   Product                Release Series
   Asterisk Open Source   13.x             All releases
   Asterisk Open Source   16.x             All releases
   Asterisk Open Source   17.x             All releases
   Certified Asterisk     13.21            All releases

 Corrected In
   Product                Release
   Asterisk Open Source   13.29.2
   Asterisk Open Source   16.6.2
   Asterisk Open Source   17.0.1
   Certified Asterisk     13.21-cert5

 Patches
   SVN URL                                                              Revision
   http://downloads.asterisk.org/pub/security/AST-2019-006-13.diff      Asterisk 13
   http://downloads.asterisk.org/pub/security/AST-2019-006-16.diff      Asterisk 16
   http://downloads.asterisk.org/pub/security/AST-2019-006-17.diff      Asterisk 17
   http://downloads.asterisk.org/pub/security/AST-2019-006-13.21.diff   Certified Asterisk 13.21-cert5

 Links               https://issues.asterisk.org/jira/browse/ASTERISK-28589

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2019-006.pdf and 
http://downloads.digium.com/pub/security/AST-2019-006.html

Revision History
  Date  Editor Revisions Made 
October 22, 2019   Ben Ford  Initial Revision 
November 14, 2019  Ben Ford  Corrected and updated fields for 
 versioning, and added CVE
November 21, 2019  Ben Ford  Added “Posted On” date 

[asterisk-users] AST-2019-005: Remote Crash Vulnerability in audio transcoding

2019-09-05 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2019-005

 Product             Asterisk
 Summary             Remote Crash Vulnerability in audio transcoding
 Nature of Advisory  Denial of Service
 Susceptibility      Remote Unauthenticated Sessions
 Severity            Minor
 Exploits Known      No
 Reported On         August 7, 2019
 Reported By         Gregory Massel
 Posted On
 Last Updated On     August 26, 2019
 Advisory Contact    Jcolp AT sangoma DOT com
 CVE Name            CVE-2019-15639

 Description         When audio frames are given to the audio transcoding
                     support in Asterisk, the number of samples is examined
                     and, as part of this, a message is output to indicate
                     that no samples are present. A change was done to
                     suppress this message for a particular scenario in
                     which the message was not relevant. This change
                     assumed that information about the origin of a frame
                     would always exist, when in reality it may not.

                     This issue presented itself when an RTP packet
                     containing no audio (and thus no samples) was
                     received. In a particular transcoding scenario this
                     audio frame would get turned into a frame with no
                     origin information. If this new frame was then given
                     to the audio transcoding support a crash would occur,
                     as no samples and no origin information would be
                     present. The transcoding scenario requires the
                     “genericplc” option to be set to enabled (the default)
                     and a transcoding path from the source format into
                     signed linear and then from signed linear into another
                     format.

                     Note that there may be other scenarios that have not
                     been found which can cause an audio frame with no
                     origin to be given to the audio transcoding support
                     and thus cause a crash.
 Modules Affected    main/translate.c

 Resolution          The “genericplc” option can be disabled in codecs.conf
                     to mitigate the described scenario. It is recommended,
                     however, that Asterisk be upgraded to one of the listed
                     versions or the linked patch applied to protect against
                     potential unknown scenarios.

 Affected Versions
   Product                Release Series
   Asterisk Open Source   13.x             13.28.0
   Asterisk Open Source   16.x             16.5.0

 Corrected In
   Product                Release
   Asterisk Open Source   13.28.1
   Asterisk Open Source   16.5.1

 Patches
   SVN URL                                                           Revision
   http://downloads.asterisk.org/pub/security/AST-2019-005-13.diff   Asterisk 13
   http://downloads.asterisk.org/pub/security/AST-2019-005-16.diff   Asterisk 16

 Links               https://issues.asterisk.org/jira/browse/ASTERISK-28499

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 

[asterisk-users] AST-2019-004: Crash when negotiating for T.38 with a declined stream

2019-09-05 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2019-004

 ProductAsterisk  
 SummaryCrash when negotiating for T.38 with a declined   
stream
Nature of Advisory  Remote Crash  
  SusceptibilityRemote Authenticated Sessions 
 Severity   Minor 
  Exploits KnownNo
   Reported On  August 05, 2019   
   Reported By  Alexei Gradinari  
Posted On   September 05, 2019
 Last Updated OnSeptember 4, 2019 
 Advisory Contact   kharwell AT sangoma DOT com   
 CVE Name   CVE-2019-15297

  Description When Asterisk sends a re-invite initiating T.38 
  faxing, and the endpoint responds with a declined   
  media stream a crash will then occur in Asterisk.   
Modules Affected  res_pjsip_t38.c 

Resolution  If T.38 faxing is not required then setting the “t38_udptl”
            configuration option on the endpoint to “no” disables this
            functionality. This option defaults to “no”, so you have to
            have explicitly set it to “yes” to potentially be affected by
            this issue.

            Otherwise, if T.38 faxing is required then Asterisk should
            be upgraded to a fixed version.

   Affected Versions
Product  Release Series  
 Asterisk Open Source 15.x   All releases 
 Asterisk Open Source 16.x   All releases 

  Corrected In
Product  Release  
 Asterisk Open Source 15.7.4,16.5.1   

Patches
   SVN URL                                                          Revision
   http://downloads.asterisk.org/pub/security/AST-2019-004-15.diff  Asterisk 15
   http://downloads.asterisk.org/pub/security/AST-2019-004-16.diff  Asterisk 16

   Links https://issues.asterisk.org/jira/browse/ASTERISK-28495   

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2019-004.pdf and 
http://downloads.digium.com/pub/security/AST-2019-004.html

Revision History
  Date  Editor Revisions Made 
August 28, 2019Kevin Harwell Initial revision 

   Asterisk Project Security Advisory - AST-2019-004
   Copyright © 2019 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.

-- 
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

Check out the new Asterisk community forum at: https://community.asterisk.org/

New to Asterisk? Start here:
  https://wiki.asterisk.org/wiki/display/AST/Getting+Started

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users

[asterisk-users] AST-2019-003: Remote Crash Vulnerability in chan_sip channel driver

2019-07-11 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2019-003

 ProductAsterisk  
 SummaryRemote Crash Vulnerability in chan_sip channel
driver
Nature of Advisory  Denial of Service 
  SusceptibilityRemote Unauthenticated Sessions   
 Severity   Minor 
  Exploits KnownNo
   Reported On  June 28, 2019 
   Reported By  Francesco Castellano  
Posted On   July 1, 2019  
 Last Updated OnJuly 2, 2019  
 Advisory Contact   Jcolp AT sangoma DOT com  
 CVE Name   CVE-2019-13161

Description  When T.38 faxing is done in Asterisk a T.38 reinvite may be  
 sent to an endpoint to switch it to T.38. If the endpoint
 responds with an improperly formatted SDP answer including   
 both a T.38 UDPTL stream and an audio or video stream
 containing only codecs not allowed on the SIP peer or user   
 a crash will occur. The code incorrectly assumes that there  
 will be at least one common codec when T.38 is also in the   
 SDP answer.  
  
 This requires Asterisk to initiate a T.38 reinvite which is  
 only done when executing the ReceiveFax dialplan 
 application or performing T.38 passthrough where a remote
 endpoint has requested T.38. 
  
             For versions of Asterisk 13 before 13.21.0 and Asterisk 15
             before 15.4.0 the “preferred_codec_only” option must also
             be set to “yes”. If set to “no” the crash will not occur.

Resolution  If T.38 faxing is not required this functionality can be
            disabled by ensuring the “t38pt_udptl” option is set to
            “no” so a T.38 reinvite is not possible.
  
If T.38 faxing is required then Asterisk should be upgraded   
to a fixed version. The problem can also be limited in scope  
by enabling T.38 faxing only for endpoints which actually 
participate in fax.   

   Affected Versions
Product  Release Series  
 Asterisk Open Source 13.x   All releases 
 Asterisk Open Source 15.x   All releases 
 Asterisk Open Source 16.x   All releases 
  Certified Asterisk 13.21   All releases 

  Corrected In
Product  Release  
  Asterisk Open Source   13.27.1  
  Asterisk Open Source15.7.3  
  Asterisk Open Source16.4.1  
   Certified Asterisk  13.21-cert4

 Patches
   SVN URL                                                             Revision
   http://downloads.asterisk.org/pub/security/AST-2019-003-13.diff     Asterisk 13
   http://downloads.asterisk.org/pub/security/AST-2019-003-15.diff     Asterisk 15
   http://downloads.asterisk.org/pub/security/AST-2019-003-16.diff     Asterisk 16
   http://downloads.asterisk.org/pub/security/AST-2019-003-13.21.diff  Certified Asterisk 13.21

   Links https://issues.asterisk.org/jira/browse/ASTERISK-28465   

Asterisk Project Security Advisories are posted at
 

[asterisk-users] AST-2019-002: Remote crash vulnerability with MESSAGE messages

2019-07-11 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2019-002

  Product Asterisk
  Summary Remote crash vulnerability with MESSAGE messages
 Nature of Advisory   Denial Of Service   
   Susceptibility Remote Authenticated Sessions   
  SeverityLow 
   Exploits Known No  
Reported On   June 13, 2019   
Reported By   Gil Richard 
 Posted On            June 14, 2019
  Last Updated On George Joseph   
  Advisory Contactgjoseph AT digium DOT com   
  CVE NameCVE-2019-12827  

Description  A specially crafted SIP in-dialog MESSAGE message can cause  
 Asterisk to crash.   

Resolution   Upgrade Asterisk to a fixed version. 

   Affected Versions
Product  Release Series  
  Certified Asterisk   13.21-certAll releases 
 Asterisk Open Source 13.x   All releases 
 Asterisk Open Source 15.x   All releases 
 Asterisk Open Source 16.x   All releases 

  Corrected In
Product  Release  
   Certified Asterisk  13.21-cert4
  Asterisk Open Source   13.27.1  
  Asterisk Open Source15.7.3  
  Asterisk Open Source16.4.1  

 Patches
   SVN URL                                                             Revision
   http://downloads.asterisk.org/pub/security/AST-2019-002-13.21.diff  Certified Asterisk 13.21-cert4
   http://downloads.asterisk.org/pub/security/AST-2019-002-13.diff     Asterisk 13
   http://downloads.asterisk.org/pub/security/AST-2019-002-15.diff     Asterisk 15
   http://downloads.asterisk.org/pub/security/AST-2019-002-16.diff     Asterisk 16

   Links https://issues.asterisk.org/jira/browse/ASTERISK-28447   

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2019-002.pdf and 
http://downloads.digium.com/pub/security/AST-2019-002.html

Revision History
  Date  Editor Revisions Made 
June 14, 2019  George Joseph Initial revision 

   Asterisk Project Security Advisory - AST-2019-002
   Copyright © 2018 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.


[asterisk-users] AST-2019-001: Remote crash vulnerability with SDP protocol violation

2019-02-28 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2019-001

 ProductAsterisk  
 SummaryRemote crash vulnerability with SDP protocol  
violation 
Nature of Advisory  Denial Of Service 
  SusceptibilityRemote Authenticated Sessions 
 Severity   Low   
  Exploits KnownNo
   Reported On  January 24, 2019  
   Reported By  Sotiris Ganouris  
Posted On           November 14, 2018
 Last Updated On
 Advisory Contact   gjoseph AT digium DOT com 
 CVE Name   CVE-2019-7251 

Description  When Asterisk makes an outgoing call, a very specific SDP
 protocol violation by the remote party can cause Asterisk
 to crash.

Resolution  Upgrade Asterisk to a fixed version.  

   Affected Versions
     Product               Release Series
     Asterisk Open Source  15.x            All releases
     Asterisk Open Source  16.x            All releases

  Corrected In 
 Product  Release 
  Asterisk Open Source15.7.2  
  Asterisk Open Source16.2.1  

Patches
   SVN URL                                                          Revision
   http://downloads.asterisk.org/pub/security/AST-2019-001-15.diff  Asterisk 15
   http://downloads.asterisk.org/pub/security/AST-2019-001-16.diff  Asterisk 16

Links  https://issues.asterisk.org/jira/browse/ASTERISK-28260 

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2019-001.pdf and 
http://downloads.digium.com/pub/security/AST-2019-001.html

Revision History
 Date   Editor   Revisions Made   
January 31, 2019 George Joseph  Initial revision  

   Asterisk Project Security Advisory - AST-2019-001
  Copyright (c) 2018 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.


[asterisk-users] AST-2018-010: Remote crash vulnerability DNS SRV and NAPTR lookups

2018-11-14 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2018-010

 ProductAsterisk  
 SummaryRemote crash vulnerability DNS SRV and NAPTR lookups  
Nature of Advisory  Denial Of Service 
  SusceptibilityRemote Unauthenticated Sessions   
 Severity   Moderate  
  Exploits KnownNo
   Reported On  October 23, 2018  
   Reported By  Jan Hoffmann  
Posted On   
 Last Updated OnNovember 14, 2018 
 Advisory Contact   gjoseph AT digium DOT com 
 CVE Name   

Description  There is a buffer overflow vulnerability in the dns_srv and
             dns_naptr functions of Asterisk that allows an attacker to
             crash Asterisk via a specially crafted DNS SRV or NAPTR
             response. The crafted response causes Asterisk to segfault
             and crash.

Resolution   Upgrade Asterisk to a fixed version. 
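The advisory does not say which field of the SRV or NAPTR record parsing overran its buffer, so the example below shows the general defence rather than the specific fix: every field of an SRV RDATA, including the compressed target name, is checked against the message length before it is read or copied. This is an added example, not Asterisk's dns_srv/dns_naptr code; the message bytes, the function names and the 16-jump pointer limit are constructed for the example.

```c
/* Added example, not Asterisk's code: parsing the RDATA of a DNS SRV record
 * with explicit bounds checks at every field, including the compressed target. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

struct srv_record {
    uint16_t priority, weight, port;
    char target[256];
};

/* Expands a (possibly compressed) DNS name at *off within msg into out.
 * Returns 0 on success, -1 on truncation, a bad label or a pointer loop. */
static int read_name(const unsigned char *msg, size_t msg_len, size_t *off,
                     char *out, size_t out_cap)
{
    size_t pos = *off, out_len = 0, end = 0;
    int jumps = 0;
    for (;;) {
        if (pos >= msg_len) return -1;             /* label byte outside message */
        unsigned char c = msg[pos];
        if ((c & 0xc0) == 0xc0) {                  /* compression pointer */
            if (pos + 1 >= msg_len || ++jumps > 16) return -1;
            if (!end) end = pos + 2;               /* name ends after first pointer */
            pos = ((c & 0x3f) << 8) | msg[pos + 1];
            continue;
        }
        if (c & 0xc0) return -1;                   /* 0x40/0x80 label types unsupported */
        pos++;
        if (c == 0) break;                         /* root label terminates the name */
        if (pos + c > msg_len) return -1;          /* label runs past the message */
        if (out_len + c + 1 >= out_cap) return -1; /* label would overflow the buffer */
        if (out_len) out[out_len++] = '.';
        memcpy(out + out_len, msg + pos, c);
        out_len += c;
        pos += c;
    }
    out[out_len] = '\0';
    *off = end ? end : pos;
    return 0;
}

/* Parses SRV RDATA located at rdata_off (rdlength bytes) inside a full message.
 * Returns 0 on success, -1 if any field would read outside the RDATA/message. */
int parse_srv_rdata(const unsigned char *msg, size_t msg_len,
                    size_t rdata_off, size_t rdlength, struct srv_record *out)
{
    if (rdata_off > msg_len || rdlength > msg_len - rdata_off) return -1;
    if (rdlength < 7) return -1;                   /* 3 x uint16 + at least a root label */
    const unsigned char *p = msg + rdata_off;
    out->priority = (uint16_t)((p[0] << 8) | p[1]);
    out->weight   = (uint16_t)((p[2] << 8) | p[3]);
    out->port     = (uint16_t)((p[4] << 8) | p[5]);
    size_t off = rdata_off + 6;
    /* The name is resolved against the whole message (pointers may reference
     * the question section) but must itself end exactly at the end of RDATA. */
    if (read_name(msg, msg_len, &off, out->target, sizeof out->target)) return -1;
    if (off != rdata_off + rdlength) return -1;
    return 0;
}

/* Constructed message fragment: a question-style name at offset 0, followed
 * by SRV RDATA whose target "pbx" points back to "example.invalid" (offset 10). */
static const unsigned char GOOD[] = {
    4,'_','s','i','p', 4,'_','u','d','p', 7,'e','x','a','m','p','l','e',
    7,'i','n','v','a','l','i','d', 0,                 /* 27 bytes: offsets 0-26 */
    0x00,0x0a, 0x00,0x05, 0x13,0xc4,                 /* priority 10, weight 5, port 5060 */
    3,'p','b','x', 0xc0, 10                          /* "pbx." + pointer to offset 10 */
};

/* Constructed hostile RDATA: the target name is a pointer to itself. */
static const unsigned char LOOP[] = { 0,0, 0,0, 0,0, 0xc0, 0x06 };

int main(void)
{
    struct srv_record r;
    if (parse_srv_rdata(GOOD, sizeof GOOD, 27, 12, &r) == 0)
        printf("target %s port %u\n", r.target, r.port);
    printf("self-referencing name rejected: %d\n",
           parse_srv_rdata(LOOP, sizeof LOOP, 0, 8, &r) == -1);
    return 0;
}
```

The same shape applies to NAPTR RDATA (two uint16 values, three length-prefixed character strings and a replacement name): each length byte is compared with the remaining RDATA before the copy, and the name is resolved against the whole message but must finish inside the record.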

   Affected Versions
Product  Release Series  
 Asterisk Open Source 15.x   All releases 
 Asterisk Open Source 16.x   All releases 

  Corrected In  
 Product  Release 
   Asterisk Open Source15.6.2 
   Asterisk Open Source16.0.1 

Patches
   SVN URL                                                          Revision
   http://downloads.asterisk.org/pub/security/AST-2018-010-15.diff  Asterisk 15
   http://downloads.asterisk.org/pub/security/AST-2018-010-16.diff  Asterisk 16

   Links https://issues.asterisk.org/jira/browse/ASTERISK-28127   

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2018-010.pdf and 
http://downloads.digium.com/pub/security/AST-2018-010.html

Revision History
  Date  Editor Revisions Made 
October 25, 2018   George Joseph Initial revision 

   Asterisk Project Security Advisory - AST-2018-010
   Copyright © 2018 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.


[asterisk-users] AST-2018-009: Remote crash vulnerability in HTTP websocket upgrade

2018-09-20 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2018-009

 ProductAsterisk  
 SummaryRemote crash vulnerability in HTTP websocket upgrade  
Nature of Advisory  Denial Of Service 
  SusceptibilityRemote Unauthenticated Sessions   
 Severity   Moderate  
  Exploits KnownNo
   Reported On  August 16, 2018   
   Reported By  Sean Bright   
Posted On   
 Last Updated OnSeptember 20, 2018
 Advisory Contact   Rmudgett AT digium DOT com
 CVE Name   CVE-2018-17281

Description  There is a stack overflow vulnerability in the   
 res_http_websocket.so module of Asterisk that allows an  
 attacker to crash Asterisk via a specially crafted HTTP  
 request to upgrade the connection to a websocket. The
 attacker’s request causes Asterisk to run out of stack   
 space and crash. 

Resolution  Disable HTTP websocket access by not loading the  
res_http_websocket.so module or upgrade Asterisk to a fixed   
version.  

   Affected Versions
     Product               Release Series
     Asterisk Open Source  13.x            All releases
     Asterisk Open Source  14.x            All releases
     Asterisk Open Source  15.x            All releases
     Certified Asterisk    13.21           All releases

  Corrected In
  Product  Release
Asterisk Open Source   13.23.1, 14.7.8, 15.6.1
 Certified Asterisk  13.21-cert3  

 Patches
   SVN URL                                                             Revision
   http://downloads.asterisk.org/pub/security/AST-2018-009-13.diff     Asterisk 13
   http://downloads.asterisk.org/pub/security/AST-2018-009-14.diff     Asterisk 14
   http://downloads.asterisk.org/pub/security/AST-2018-009-15.diff     Asterisk 15
   http://downloads.asterisk.org/pub/security/AST-2018-009-13.21.diff  Certified Asterisk 13.21

Links  https://issues.asterisk.org/jira/browse/ASTERISK-28013 

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2018-009.pdf and 
http://downloads.digium.com/pub/security/AST-2018-009.html

Revision History
Date   EditorRevisions Made   
August 31, 2018Richard Mudgett  Initial revision  
September 20, 2018 Richard Mudgett  Added CVE name.   

   Asterisk Project Security Advisory - AST-2018-009
   Copyright © 2018 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.


[asterisk-users] AST-2018-008: PJSIP endpoint presence disclosure when using ACL

2018-06-11 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2018-008

 ProductAsterisk  
 SummaryPJSIP endpoint presence disclosure when using ACL 
Nature of Advisory  Unauthorized data disclosure  
  SusceptibilityRemote Unauthenticated Sessions   
 Severity   Minor 
  Exploits KnownNo
   Reported On  April 19, 2018
   Reported By  John  
Posted On   June 11, 2018 
 Last Updated OnJune 11, 2018 
 Advisory Contact   Rmudgett AT digium DOT com
 CVE Name   

Description  When endpoint specific ACL rules block a SIP request they
 respond with a 403 forbidden. However, if an endpoint is 
 not identified then a 401 unauthorized response is sent. 
 This vulnerability just discloses which requests hit a   
 defined endpoint. The ACL rules cannot be bypassed to gain   
 access to the disclosed endpoints.   

Resolution  Endpoint specific ACL rules now respond with a 401 challenge  
which is the same as if an endpoint were not identified. An   
alternate is to use global ACL rules to avoid the 
information disclosure.   

   Affected Versions
     Product               Release Series
     Asterisk Open Source  13.x            13.10.0 and later
     Asterisk Open Source  14.x            All releases
     Asterisk Open Source  15.x            All releases
     Certified Asterisk    13.18           All releases
     Certified Asterisk    13.21           All releases

  Corrected In
  Product  Release
Asterisk Open Source   13.21.1, 14.7.7, 15.4.1
 Certified Asterisk13.18-cert4, 13.21-cert2   

 Patches
   SVN URL                                                             Revision
   http://downloads.asterisk.org/pub/security/AST-2018-008-13.diff     Asterisk 13
   http://downloads.asterisk.org/pub/security/AST-2018-008-14.diff     Asterisk 14
   http://downloads.asterisk.org/pub/security/AST-2018-008-15.diff     Asterisk 15
   http://downloads.asterisk.org/pub/security/AST-2018-008-13.18.diff  Certified Asterisk 13.18
   http://downloads.asterisk.org/pub/security/AST-2018-008-13.21.diff  Certified Asterisk 13.21

   Links 

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2018-008.pdf and 
http://downloads.digium.com/pub/security/AST-2018-008.html

Revision History
Date   EditorRevisions Made   
May 1, 2018Richard Mudgett  Initial revision  
June 11, 2018  Richard Mudgett  Added Certified Asterisk 13.21

   Asterisk Project Security Advisory - AST-2018-008
  Copyright (c) 2018 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.


[asterisk-users] AST-2018-007: Infinite loop when reading iostreams

2018-06-11 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2018-007

 ProductAsterisk  
 SummaryInfinite loop when reading iostreams  
Nature of Advisory  Denial of Service 
  SusceptibilityRemote Authenticated Sessions 
 Severity   Critical  
  Exploits KnownNo
   Reported On  April 16, 2018
   Reported By  Sean Bright   
Posted On   June 11, 2018 
 Last Updated OnJune 11, 2018 
 Advisory Contact   Kevin Harwell 
 CVE Name   

Description  When a client connected to Asterisk via TCP/TLS abruptly
             disconnects, or sends a specially crafted message, Asterisk
             gets caught in an infinite loop while trying to read the
             data stream, rendering the system unusable.

Resolution  Stricter error checking is now done when iostreams
encounters a problem. When an error occurs during reading it  
is now properly handled, and continued reading is 
appropriately stopped.

   Affected Versions
     Product               Release Series
     Asterisk Open Source  15.x            All Releases

  Corrected In 
 Product  Release 
  Asterisk Open Source15.4.1  

Patches
   SVN URL                                                          Revision
   http://downloads.asterisk.org/pub/security/AST-2018-007-15.diff  Asterisk 15

Links  https://issues.asterisk.org/jira/browse/ASTERISK-27807 

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2018-007.pdf and 
http://downloads.digium.com/pub/security/AST-2018-007.html

Revision History
 Date  Editor   Revisions Made
April 25, 2018  Kevin Harwell  Initial Revision   

   Asterisk Project Security Advisory - AST-2018-007
  Copyright (c) 2018 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.


[asterisk-users] AST-2018-006: WebSocket frames with 0 sized payload causes DoS

2018-02-21 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2018-006

 ProductAsterisk  
 SummaryWebSocket frames with 0 sized payload causes DoS  
Nature of Advisory  Denial of Service 
  SusceptibilityRemote Unauthenticated Sessions   
 Severity   Moderate  
  Exploits KnownNo
   Reported On  February 05, 2018 
   Reported By  Sean Bright   
Posted On   February 21, 2018 
 Last Updated OnFebruary 21, 2018 
 Advisory Contact   bford AT digium DOT com   
 CVE Name   CVE-2018-7287 

Description  When reading a websocket, the length was not being checked.  
 If a payload of length 0 was read, it would result in a  
 busy loop that waited for the underlying connection to   
 close.   

Resolution  A patch to asterisk is available that checks for payloads of  
size 0 before attempting to read them. By default, Asterisk   
does not enable the HTTP server, which means it is not
vulnerable to this problem. If the HTTP server is enabled,
you can disable it if you do not need it. Otherwise, the  
patch provided with this security vulnerability can be
applied. Either of these approaches will resolve the  
problem.  
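AST-2018-007 (iostreams spinning after an abrupt disconnect or read error) and AST-2018-006 (a zero-length WebSocket payload spinning until the connection closed) are the same failure class seen from two sides: a read loop that keeps going when the stream returns nothing. The example below, added here and not Asterisk's res_http_websocket or iostream code, reads RFC 6455 client frames from an in-memory stream and terminates on all three conditions: a frame whose payload length is 0 is complete without any further read, a read that returns 0 ends the loop as EOF, and a read error ends it as an error. The stream structure, the sample frame bytes and the function names are constructed for the example.

```c
/* Added example, not Asterisk's code: reading WebSocket frames from a byte
 * stream without spinning on zero-length payloads, EOF or read errors. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

enum ws_result { WS_FRAME = 0, WS_EOF = 1, WS_ERROR = 2, WS_TOO_LARGE = 3 };

/* Constructed in-memory stream standing in for a TCP/TLS socket. */
struct stream {
    const unsigned char *data;
    size_t len, pos;
    size_t fail_at;   /* a read reaching this offset reports an error; (size_t)-1 = never */
};

/* Mimics read(2): >0 bytes read, 0 at EOF, -1 on error. */
static long stream_read(struct stream *s, unsigned char *buf, size_t want)
{
    if (s->pos >= s->fail_at) return -1;
    if (s->pos >= s->len) return 0;
    size_t avail = s->len - s->pos;
    if (want > avail) want = avail;
    if (s->pos + want > s->fail_at) want = s->fail_at - s->pos;
    memcpy(buf, s->data + s->pos, want);
    s->pos += want;
    return (long)want;
}

/* Reads exactly n bytes. A 0 or negative read ends the loop instead of retrying. */
static enum ws_result read_exact(struct stream *s, unsigned char *buf, size_t n)
{
    size_t got = 0;
    while (got < n) {                     /* with n == 0 the body never runs */
        long r = stream_read(s, buf + got, n - got);
        if (r == 0) return WS_EOF;        /* peer closed: stop, do not spin */
        if (r < 0) return WS_ERROR;       /* read failure: stop, do not spin */
        got += (size_t)r;
    }
    return WS_FRAME;
}

/* Parses one client frame (RFC 6455 base framing, payloads below 65536 bytes). */
enum ws_result ws_read_frame(struct stream *s, unsigned char *payload, size_t cap,
                             size_t *payload_len, int *opcode)
{
    unsigned char hdr[2], ext[2], mask[4];
    enum ws_result r = read_exact(s, hdr, 2);
    if (r != WS_FRAME) return r;
    *opcode = hdr[0] & 0x0f;
    int masked = hdr[1] & 0x80;
    size_t len = hdr[1] & 0x7f;
    if (len == 127) return WS_TOO_LARGE;  /* 64-bit lengths not handled here */
    if (len == 126) {
        if ((r = read_exact(s, ext, 2)) != WS_FRAME) return r;
        len = ((size_t)ext[0] << 8) | ext[1];
    }
    if (len > cap) return WS_TOO_LARGE;
    if (masked && (r = read_exact(s, mask, 4)) != WS_FRAME) return r;
    /* Zero-length payload: the frame is already complete. A reader that
     * loops "until some payload bytes arrive" never returns from here. */
    if (len > 0 && (r = read_exact(s, payload, len)) != WS_FRAME) return r;
    if (masked) for (size_t i = 0; i < len; i++) payload[i] ^= mask[i % 4];
    *payload_len = len;
    return WS_FRAME;
}

/* Drains a stream, counting complete frames; returns the terminating result. */
enum ws_result ws_drain(struct stream *s, int *frames)
{
    unsigned char buf[256]; size_t n; int op;
    *frames = 0;
    for (;;) {
        enum ws_result r = ws_read_frame(s, buf, sizeof buf, &n, &op);
        if (r != WS_FRAME) return r;
        (*frames)++;
    }
}

/* Constructed input: a masked zero-length text frame, then a masked 5-byte frame. */
static const unsigned char SAMPLE[] = {
    0x81, 0x80, 0x11, 0x22, 0x33, 0x44,                 /* FIN|text, MASK, len 0 */
    0x81, 0x85, 0x01, 0x02, 0x03, 0x04,                 /* FIN|text, MASK, len 5 */
    'h' ^ 0x01, 'e' ^ 0x02, 'l' ^ 0x03, 'l' ^ 0x04, 'o' ^ 0x01
};

int main(void)
{
    struct stream s = { SAMPLE, sizeof SAMPLE, 0, (size_t)-1 };
    int frames;
    enum ws_result end = ws_drain(&s, &frames);
    printf("frames read: %d, stream ended with %d (1 = EOF)\n", frames, end);
    return 0;
}
```

The hardened part is small: read_exact refuses to treat 0 or -1 as "try again", and ws_read_frame skips the payload read entirely when the declared length is 0. Both cases are reachable from an unauthenticated client once the HTTP server is enabled, which is why the advisory suggests disabling it where it is not needed.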

   Affected Versions
     Product               Release Series
     Asterisk Open Source  15.x            All versions

  Corrected In 
 Product  Release 
  Asterisk Open Source15.2.2  

Patches
   SVN URL                                                          Revision
   http://downloads.asterisk.org/pub/security/AST-2018-006-15.diff  Asterisk 15

Links  https://issues.asterisk.org/jira/browse/ASTERISK-27658 
  
   http://downloads.asterisk.org/pub/security/AST-2018-006.html   

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2018-006.pdf and 
http://downloads.digium.com/pub/security/AST-2018-006.html

Revision History  
Date   EditorRevisions Made   
February 15, 2018 Ben Ford  Initial Revision  
February 21, 2018 Ben Ford  Added CVE Name

   Asterisk Project Security Advisory - AST-2018-006
   Copyright © 2018 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.


[asterisk-users] AST-2018-005: Crash when large numbers of TCP connections are closed suddenly

2018-02-21 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2018-005

 ProductAsterisk  
 SummaryCrash when large numbers of TCP connections are   
closed suddenly   
Nature of Advisory  Remote Crash  
  SusceptibilityRemote Authenticated Sessions 
 Severity   Moderate  
  Exploits KnownNo
   Reported On  January 24, 2018  
   Reported By  Sandro Gauci  
Posted On   February 21, 2018 
 Last Updated OnFebruary 21, 2018 
 Advisory Contact   gjoseph AT digium DOT com 
 CVE Name   CVE-2018-7286 

Description  A crash occurs when a number of authenticated INVITE 
 messages are sent over TCP or TLS and then the connection
 is suddenly closed. This issue leads to a segmentation   
 fault.   

Resolution  A patch to asterisk is available that prevents the crash by   
locking the underlying transport until a response is sent.

   Affected Versions
Product  Release Series  
 Asterisk Open Source 13.x   All Versions 
 Asterisk Open Source 14.x   All Versions 
 Asterisk Open Source 15.x   All Versions 
  Certified Asterisk 13.18   All Versions 

  Corrected In
 Product  Release 
   Asterisk Open Source   13.19.2, 14.7.6, 15.2.2 
Certified Asterisk  13.18-cert3   

 Patches
   SVN URL                                                             Revision
   http://downloads.asterisk.org/pub/security/AST-2018-005-13.diff     Asterisk 13
   http://downloads.asterisk.org/pub/security/AST-2018-005-14.diff     Asterisk 14
   http://downloads.asterisk.org/pub/security/AST-2018-005-15.diff     Asterisk 15
   http://downloads.asterisk.org/pub/security/AST-2018-005-13.18.diff  Certified Asterisk 13.18

 Linkshttps://issues.asterisk.org/jira/browse/ASTERISK-27618  
  
  http://downloads.asterisk.org/pub/security/AST-2018-005.html

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2018-005.pdf and 
http://downloads.digium.com/pub/security/AST-2018-005.html

Revision History
  Date  Editor Revisions Made 
February 6, 2018   George Joseph Initial Revision 

   Asterisk Project Security Advisory - AST-2018-005
   Copyright © 2018 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.


[asterisk-users] AST-2018-004: Crash when receiving SUBSCRIBE request

2018-02-21 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2018-004

  Product Asterisk
  Summary Crash when receiving SUBSCRIBE request  
 Nature of Advisory   Remote Crash
   Susceptibility Remote Unauthenticated Sessions 
  SeverityMajor   
   Exploits Known No  
Reported On   January 30, 2018
Reported By   Sandro Gauci
 Posted OnFebruary 21, 2018   
  Last Updated On February 21, 2018   
  Advisory ContactJoshua Colp
  CVE Name   CVE-2018-7284

Description  When processing a SUBSCRIBE request the res_pjsip_pubsub 
 module stores the accepted formats present in the Accept 
 headers of the request. This code did not limit the number   
 of headers it processed despite having a fixed limit of 32.  
 If more than 32 Accept headers were present the code would   
 write outside of its memory and cause a crash.   

Resolution  The res_pjsip_pubsub module has been changed to enforce a 
limit on the maximum number of Accept headers it will 
process. To receive this change upgrade to the version of 
Asterisk where this is resolved or apply the appropriate  
provided patch.   
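The bug class here is a fixed-size array filled from an attacker-controlled count of headers with no check against the array's capacity. The example below, added here and not Asterisk's res_pjsip_pubsub code, collects Accept header values from a SUBSCRIBE into an array of 32 entries and stops storing at the limit instead of writing past it; the message builder, the per-value length of 64 and the function names are constructed for the example.

```c
/* Added example, not Asterisk's code: gathering the Accept header values of a
 * SIP SUBSCRIBE into a fixed array of MAX_ACCEPT entries without overrunning it. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_ACCEPT 32   /* the fixed limit the advisory describes */
#define ACCEPT_LEN 64   /* assumed per-value capacity for this example */

struct accept_list {
    char values[MAX_ACCEPT][ACCEPT_LEN];
    int count;
};

/* Case-insensitive check that a header line starts with name (SIP names are case-insensitive). */
static int header_is(const char *line, size_t len, const char *name)
{
    size_t n = strlen(name);
    if (len < n) return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)line[i]) != tolower((unsigned char)name[i])) return 0;
    return 1;
}

/* Collects "Accept:" values from the header section of msg. Returns the
 * number stored; *truncated is set when the message carried more than fit.
 * Never writes past values[MAX_ACCEPT - 1]. */
int collect_accept_headers(const char *msg, struct accept_list *out, int *truncated)
{
    const char *line = msg;
    out->count = 0;
    *truncated = 0;
    while (line && *line) {
        const char *eol = strstr(line, "\r\n");
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (len == 0)
            break;                               /* empty line ends the headers */
        if (header_is(line, len, "Accept:")) {
            const char *v = line + 7;
            size_t vlen = len - 7;
            while (vlen && *v == ' ') { v++; vlen--; }
            /* The vulnerable pattern stored values[count++] unconditionally,
             * so the 33rd Accept header wrote outside the array. */
            if (out->count >= MAX_ACCEPT) {
                *truncated = 1;
            } else {
                if (vlen >= ACCEPT_LEN)
                    vlen = ACCEPT_LEN - 1;       /* bound the value length as well */
                memcpy(out->values[out->count], v, vlen);
                out->values[out->count][vlen] = '\0';
                out->count++;
            }
        }
        line = eol ? eol + 2 : NULL;
    }
    return out->count;
}

/* Constructed input: a SUBSCRIBE carrying n Accept headers. */
int build_subscribe(char *buf, size_t size, int n)
{
    int off = snprintf(buf, size,
                       "SUBSCRIBE sip:alice@example.invalid SIP/2.0\r\n"
                       "Event: presence\r\n");
    for (int i = 0; i < n && off < (int)size; i++)
        off += snprintf(buf + off, size - off, "Accept: application/x-%d\r\n", i);
    if (off < (int)size)
        off += snprintf(buf + off, size - off, "\r\n");
    return off;
}

/* Number of headers actually stored for a message carrying n of them. */
int accepted_for(int n, int *truncated)
{
    static char buf[8192];
    struct accept_list list;
    build_subscribe(buf, sizeof buf, n);
    return collect_accept_headers(buf, &list, truncated);
}

int main(void)
{
    int trunc;
    int stored = accepted_for(40, &trunc);
    printf("40 Accept headers: stored %d, truncated=%d\n", stored, trunc);
    return 0;
}
```

Whether the extra headers are dropped or the request is rejected is a policy choice; the point is that the count is compared with the capacity before each store, and that the check is made wherever the array is filled, not only in the happy path.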

   Affected Versions
Product  Release Series  
 Asterisk Open Source 13.x   All versions 
 Asterisk Open Source 14.x   All versions 
 Asterisk Open Source 15.x   All versions 
  Certified Asterisk 13.18   All versions 

  Corrected In
 Product  Release 
   Asterisk Open Source   13.19.2, 14.7.6, 15.2.2 
Certified Asterisk  13.18-cert3   

 Patches
   SVN URL                                                             Revision
   http://downloads.asterisk.org/pub/security/AST-2018-004-13.diff     Asterisk 13
   http://downloads.asterisk.org/pub/security/AST-2018-004-14.diff     Asterisk 14
   http://downloads.asterisk.org/pub/security/AST-2018-004-15.diff     Asterisk 15
   http://downloads.asterisk.org/pub/security/AST-2018-004-13.18.diff  Certified Asterisk 13.18

   Links https://issues.asterisk.org/jira/browse/ASTERISK-27640   

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2018-004.pdf and 
http://downloads.digium.com/pub/security/AST-2018-004.html

Revision History
  Date Editor  Revisions Made 
February 5, 2018   Joshua Colp  Initial Revision  
February 21, 2018  Joshua Colp  Added CVE 

   Asterisk Project Security Advisory - AST-2018-004
   Copyright © 2018 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.


[asterisk-users] AST-2018-003: Crash with an invalid SDP fmtp attribute

2018-02-21 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2018-003

 ProductAsterisk  
 SummaryCrash with an invalid SDP fmtp attribute  
Nature of Advisory  Remote crash  
  SusceptibilityRemote Authenticated Sessions 
 Severity   Minor 
  Exploits KnownNo
   Reported On  January 15, 2018  
   Reported By  Sandro Gauci  
Posted On   February 21, 2018 
 Last Updated OnFebruary 19, 2018 
 Advisory Contact   Kevin Harwell 
 CVE Name   

Description  By crafting an SDP message body with an invalid fmtp attribute,
             Asterisk crashes when using the pjsip channel driver, because
             pjproject's fmtp retrieval function fails to check whether the
             fmtp value is empty (it is set empty if previously parsed as
             invalid).

             The severity of this vulnerability is lessened since an endpoint
             must be authenticated prior to reaching the crash point, or be
             configured with no authentication.

Resolution   A stricter check is now done when pjproject retrieves the fmtp
             attribute. Empty values are now properly handled.

   Affected Versions
   Product               Release Series
   Asterisk Open Source  13.x     All Releases
   Asterisk Open Source  14.x     All Releases
   Asterisk Open Source  15.x     All Releases
   Certified Asterisk    13.18    All Releases

   Corrected In
   Product               Release
   Asterisk Open Source  13.19.2, 14.7.6, 15.2.2
   Certified Asterisk    13.18-cert3

   Patches
   SVN URL                                                               Revision
   http://downloads.asterisk.org/pub/security/AST-2018-003-13.diff       Asterisk 13
   http://downloads.asterisk.org/pub/security/AST-2018-003-14.diff       Asterisk 14
   http://downloads.asterisk.org/pub/security/AST-2018-003-15.diff       Asterisk 15
   http://downloads.asterisk.org/pub/security/AST-2018-003-13.18.diff    Certified Asterisk 13.18

Links  https://issues.asterisk.org/jira/browse/ASTERISK-27583 

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2018-003.pdf and 
http://downloads.digium.com/pub/security/AST-2018-003.html

Revision History
 Date   Editor   Revisions Made   
January 30, 2018 Kevin Harwell  Initial Revision  

   Asterisk Project Security Advisory - AST-2018-003
  Copyright (c) 2018 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.


[asterisk-users] AST-2018-002: Crash when given an invalid SDP media format description

2018-02-21 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2018-002

           Product  Asterisk
           Summary  Crash when given an invalid SDP media format description
Nature of Advisory  Remote crash
    Susceptibility  Remote Authenticated Sessions
          Severity  Minor
    Exploits Known  No
       Reported On  January 15, 2018
       Reported By  Sandro Gauci
         Posted On  February 21, 2018
   Last Updated On  February 19, 2018
  Advisory Contact  Kevin Harwell
          CVE Name

Description  By crafting an SDP message with an invalid media format
             description, Asterisk crashes when using the pjsip channel driver,
             because pjproject's SDP parsing algorithm fails to catch the
             invalid media format description.

             The severity of this vulnerability is lessened since an endpoint
             must be authenticated prior to reaching the crash point, or be
             configured with no authentication.

Resolution   Stricter validation is now done when pjproject parses an SDP's
             media format description. Invalid values are now properly handled.

   Affected Versions
   Product               Release Series
   Asterisk Open Source  13.x     All Releases
   Asterisk Open Source  14.x     All Releases
   Asterisk Open Source  15.x     All Releases
   Certified Asterisk    13.18    All Releases

   Corrected In
   Product               Release
   Asterisk Open Source  13.19.2, 14.7.6, 15.2.2
   Certified Asterisk    13.18-cert3

   Patches
   SVN URL                                                               Revision
   http://downloads.asterisk.org/pub/security/AST-2018-002-13.diff       Asterisk 13
   http://downloads.asterisk.org/pub/security/AST-2018-002-14.diff       Asterisk 14
   http://downloads.asterisk.org/pub/security/AST-2018-002-15.diff       Asterisk 15
   http://downloads.asterisk.org/pub/security/AST-2018-002-13.18.diff    Certified Asterisk 13.18

Links  https://issues.asterisk.org/jira/browse/ASTERISK-27582 

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2018-002.pdf and 
http://downloads.digium.com/pub/security/AST-2018-002.html

Revision History
 Date   Editor   Revisions Made   
January 30, 2018 Kevin Harwell  Initial Revision  

   Asterisk Project Security Advisory - AST-2018-002
  Copyright (c) 2018 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.


[asterisk-users] AST-2018-001: Crash when receiving unnegotiated dynamic payload

2018-02-21 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2018-001

           Product  Asterisk
           Summary  Crash when receiving unnegotiated dynamic payload
Nature of Advisory  Remote Crash
    Susceptibility  Remote Unauthenticated Sessions
          Severity  Major
    Exploits Known  No
       Reported On  December 18, 2017
       Reported By  Sébastien Duthil
         Posted On  February 21, 2018
   Last Updated On  February 21, 2018
  Advisory Contact  Joshua Colp
          CVE Name  CVE-2018-7285

Description  The RTP support in Asterisk maintains its own registry of dynamic
             codecs and desired payload numbers. While an SDP negotiation may
             result in a codec using a different payload number, these desired
             ones are still stored internally. When an RTP packet was received,
             this registry would be consulted if the payload number was not
             found in the negotiated SDP. This registry was incorrectly
             consulted for all packets, even those which are dynamic. If the
             payload number resulted in a codec of a different type than the
             RTP stream (for example the payload number resulted in a video
             codec but the stream carried audio), a crash could occur if no
             stream of that type had been negotiated. This was due to the code
             incorrectly assuming that a stream of the type would always exist.

Resolution   The RTP support will now only consult the registry for payloads
             which are statically defined. The core has also been changed to
             protect against situations where a frame of media is received for
             a media type that has not been negotiated.

             To receive these fixes update to the given version of Asterisk or
             apply the provided patch. There is no configuration which can
             protect against this vulnerability.
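The lookup the advisory describes, as an added example for this page and not Asterisk's own rtp_engine code: the pre-fix path consults the "desired" registry for every unnegotiated payload number and then assumes a matching stream exists, while the fixed path consults it only for static payloads and rejects a codec whose media type has no negotiated stream. The codec set, payload numbers, the two-stream model and all function names are constructed assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Media types an RTP stream can carry; also used to index have_stream[]. */
enum media_type { MEDIA_AUDIO = 0, MEDIA_VIDEO = 1 };

struct codec {
    const char *name;
    enum media_type type;
};

/* Constructed codec set; not Asterisk's real codec registry. */
static const struct codec ULAW = { "ulaw", MEDIA_AUDIO };
static const struct codec OPUS = { "opus", MEDIA_AUDIO };
static const struct codec H263 = { "h263", MEDIA_VIDEO };
static const struct codec H264 = { "h264", MEDIA_VIDEO };

/* Payload numbers 0-95 are statically assigned (RFC 3551); 96-127 are dynamic
 * and only mean something once SDP offer/answer has bound them. */
#define RTP_MAX_PT           128
#define RTP_FIRST_DYNAMIC_PT 96

/* Per-session RTP state: what the stream carries and what SDP negotiated. */
struct rtp_instance {
    enum media_type stream_type;
    const struct codec *negotiated[RTP_MAX_PT];
    bool have_stream[2];
};

/* "Desired" payload numbers registered by codec modules before any call:
 * 34 is H.263's static number, 96 a dynamic number the H.264 module asked for. */
static const struct codec *desired_registry[RTP_MAX_PT] = {
    [0] = &ULAW, [34] = &H263, [96] = &H264,
};

enum lookup_result {
    LOOKUP_WOULD_CRASH = -1, LOOKUP_OK = 0, LOOKUP_UNKNOWN = 1, LOOKUP_TYPE_MISMATCH = 2,
};

/* Pre-fix behaviour from the advisory: the desired registry is consulted for
 * every unnegotiated payload number, dynamic ones included, and the caller then
 * assumes a stream of the resulting codec's type always exists. */
static enum lookup_result lookup_vulnerable(const struct rtp_instance *rtp, int pt)
{
    const struct codec *c;
    if (pt < 0 || pt >= RTP_MAX_PT) return LOOKUP_UNKNOWN;
    c = rtp->negotiated[pt] ? rtp->negotiated[pt] : desired_registry[pt];
    if (!c) return LOOKUP_UNKNOWN;
    /* The real code dereferenced the stream for c->type here; on an audio-only
     * call a video codec meant a stream that was never set up, and a crash. */
    return rtp->have_stream[c->type] ? LOOKUP_OK : LOOKUP_WOULD_CRASH;
}

/* Post-fix behaviour: the registry is consulted only for static payloads, and
 * a codec whose media type has no negotiated stream is rejected instead of
 * being handed to code that assumes the stream exists. */
static enum lookup_result lookup_fixed(const struct rtp_instance *rtp, int pt)
{
    const struct codec *c;
    if (pt < 0 || pt >= RTP_MAX_PT) return LOOKUP_UNKNOWN;
    c = rtp->negotiated[pt];
    if (!c && pt < RTP_FIRST_DYNAMIC_PT) c = desired_registry[pt];   /* static only */
    if (!c) return LOOKUP_UNKNOWN;                   /* unnegotiated dynamic payload: drop */
    if (c->type != rtp->stream_type || !rtp->have_stream[c->type]) {
        return LOOKUP_TYPE_MISMATCH;                /* core guard: no such stream, drop */
    }
    return LOOKUP_OK;
}

/* Constructed scenario: an audio-only call that negotiated ulaw on payload 0 and
 * opus on payload 111; no video stream exists and payload 96 was never offered. */
static enum lookup_result classify(int pt, bool use_fix)
{
    struct rtp_instance rtp = { 0 };
    rtp.stream_type = MEDIA_AUDIO;
    rtp.negotiated[0] = &ULAW;
    rtp.negotiated[111] = &OPUS;
    rtp.have_stream[MEDIA_AUDIO] = true;
    return use_fix ? lookup_fixed(&rtp, pt) : lookup_vulnerable(&rtp, pt);
}

int main(void)
{
    /* Payload 96 on the audio-only call: the crash case before the fix. */
    printf("pt 96 pre-fix:  %d (-1 = would crash)\n", classify(96, false));
    printf("pt 96 post-fix: %d (1 = unknown, frame dropped)\n", classify(96, true));
    printf("pt 34 post-fix: %d (2 = type mismatch, frame dropped)\n", classify(34, true));
    return 0;
}
```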

   Affected Versions
   Product               Release Series
   Asterisk Open Source  13.x     Unaffected
   Asterisk Open Source  14.x     Unaffected
   Asterisk Open Source  15.x     All versions
   Certified Asterisk    13.18    Unaffected

   Corrected In
   Product               Release
   Asterisk Open Source  15.2.2

   Patches
   SVN URL                                                               Revision
   http://downloads.asterisk.org/pub/security/AST-2018-001-15.diff       Asterisk 15

   Links https://issues.asterisk.org/jira/browse/ASTERISK-27488   

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2018-001.pdf and 
http://downloads.digium.com/pub/security/AST-2018-001.html

Revision History
  Date Editor  Revisions Made 
January 15, 2018   Joshua Colp  Initial Revision  
February 21, 2018  Joshua Colp  Added CVE 

   Asterisk Project Security Advisory - AST-2018-001
   Copyright © 2018 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.


[asterisk-users] AST-2017-014: Crash in PJSIP resource when missing a contact header

2017-12-22 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2017-014

           Product  Asterisk
           Summary  Crash in PJSIP resource when missing a contact header
Nature of Advisory  Remote Crash
    Susceptibility  Remote Unauthenticated Sessions
          Severity  Moderate
    Exploits Known  No
       Reported On  December 12, 2017
       Reported By  Ross Beer
         Posted On
   Last Updated On  December 22, 2017
  Advisory Contact  Kevin Harwell
          CVE Name

Description  A select set of SIP messages create a dialog in Asterisk. Those
             SIP messages must contain a Contact header. For those messages, if
             the header was not present and the PJSIP channel driver was in
             use, Asterisk would crash. The severity of this vulnerability is
             somewhat mitigated if authentication is enabled: a user would then
             have to be authorized before reaching the crash point.

Resolution   When using the Asterisk PJSIP resource, and one of the SIP
             messages that create a dialog is received, Asterisk now checks to
             see if the message contains a Contact header. If it does not,
             Asterisk now responds with a "400 Missing Contact header".

   Affected Versions
   Product               Release Series
   Asterisk Open Source  13.x     All versions
   Asterisk Open Source  14.x     All versions
   Asterisk Open Source  15.x     All versions
   Certified Asterisk    13.18    All versions

   Corrected In
   Product               Release
   Asterisk Open Source  13.18.5, 14.7.5, 15.1.5
   Certified Asterisk    13.18-cert2

   Patches
   SVN URL                                                               Revision
   http://downloads.asterisk.org/pub/security/AST-2017-014-13.diff       Asterisk 13
   http://downloads.asterisk.org/pub/security/AST-2017-014-14.diff       Asterisk 14
   http://downloads.asterisk.org/pub/security/AST-2017-014-15.diff       Asterisk 15
   http://downloads.asterisk.org/pub/security/AST-2017-014-13.18.diff    Certified Asterisk 13.18

Links  https://issues.asterisk.org/jira/browse/ASTERISK-27480 

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2017-014.pdf and 
http://downloads.digium.com/pub/security/AST-2017-014.html

Revision History
 Date   Editor   Revisions Made   
December 20, 2017Kevin Harwell  Initial Revision  

   Asterisk Project Security Advisory - AST-2017-014
  Copyright (c) 2017 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.


[asterisk-users] AST-2017-012: Remote Crash Vulnerability in RTCP Stack

2017-12-13 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2017-012

           Product  Asterisk
           Summary  Remote Crash Vulnerability in RTCP Stack
Nature of Advisory  Denial of Service
    Susceptibility  Remote Unauthenticated Sessions
          Severity  Moderate
    Exploits Known  No
       Reported On  October 30, 2017
       Reported By  Tzafrir Cohen and Vitezslav Novy
         Posted On  December 13, 2017
   Last Updated On  December 12, 2017
  Advisory Contact  Jcolp AT digium DOT com
          CVE Name

Description  If a compound RTCP packet is received containing more than one
             report (for example a Receiver Report and a Sender Report), the
             RTCP stack will incorrectly store report information outside of
             allocated memory, potentially causing a crash.

             For all versions of Asterisk this vulnerability requires an active
             call to be established.

             For versions of Asterisk 13.17.2, 14.6.2, 15.0.0, 13.13-cert6 and
             greater, an additional level of security is placed upon RTCP
             packets. If the probation period for incoming RTP traffic has
             passed, any received RTCP packets must contain the same SSRC as
             the RTP traffic. If the RTCP packets do not, they are dropped.
             This ensures other parties cannot inject RTCP packets without
             themselves establishing an active call.

Resolution   The RTCP stack has been changed so the report information is
             always stored in allocated memory. The provided patches can be
             applied to the appropriate version, or the latest version of
             Asterisk can be installed to receive the fix.
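A bounds-checked walk over a compound RTCP packet, added here as an example for this page (not Asterisk's res_rtp_asterisk code): each sub-packet is checked against the bytes actually received, reports are stored only while the caller's array has room, and the SSRC rule from the description is applied once probation has passed. The packet layout follows RFC 3550; the sample packet, the capacity of eight reports and the function names are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RTCP_SR 200              /* Sender Report, RFC 3550 6.4.1 */
#define RTCP_RR 201              /* Receiver Report, RFC 3550 6.4.2 */
#define RTCP_MAX_REPORTS 8       /* constructed storage capacity for this example */

struct rtcp_report {
    uint8_t type;                /* RTCP_SR or RTCP_RR */
    uint8_t block_count;         /* RC field: report blocks that follow */
    uint32_t ssrc;               /* SSRC of the sender / reporter */
};

enum rtcp_status { RTCP_OK, RTCP_TRUNCATED, RTCP_BAD_VERSION, RTCP_TOO_MANY, RTCP_SSRC_MISMATCH };

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Any failure discards the whole compound packet: no partial state survives. */
static enum rtcp_status fail(size_t *count, enum rtcp_status why)
{
    *count = 0;
    return why;
}

/* Walk a compound RTCP packet. A sub-packet is read only if its declared length
 * fits in the bytes received, and a report is stored only while *count < cap,
 * so nothing is ever written past reports[cap - 1]. With expected_ssrc non-zero
 * (RTP probation is over) a report from any other SSRC drops the packet. */
static enum rtcp_status rtcp_parse_compound(const uint8_t *buf, size_t len,
        uint32_t expected_ssrc, struct rtcp_report *reports, size_t cap, size_t *count)
{
    size_t off = 0;
    *count = 0;
    while (off < len) {
        if (len - off < 4) return fail(count, RTCP_TRUNCATED);
        uint8_t rc = buf[off] & 0x1f, pt = buf[off + 1];
        size_t plen = ((((size_t)buf[off + 2] << 8) | buf[off + 3]) + 1) * 4;  /* words -> bytes */
        if ((buf[off] >> 6) != 2) return fail(count, RTCP_BAD_VERSION);
        if (plen > len - off) return fail(count, RTCP_TRUNCATED);   /* claims more than received */
        if (pt == RTCP_SR || pt == RTCP_RR) {
            /* header + SSRC, 20 bytes of sender info for an SR, 24 bytes per report block */
            size_t need = 8 + (pt == RTCP_SR ? 20 : 0) + 24 * (size_t)rc;
            if (plen < need) return fail(count, RTCP_TRUNCATED);
            uint32_t ssrc = be32(buf + off + 4);
            if (expected_ssrc != 0 && ssrc != expected_ssrc) return fail(count, RTCP_SSRC_MISMATCH);
            if (*count >= cap) return fail(count, RTCP_TOO_MANY);   /* pre-fix code wrote here anyway */
            reports[*count].type = pt;
            reports[*count].block_count = rc;
            reports[*count].ssrc = ssrc;
            (*count)++;
        }
        off += plen;   /* SDES, BYE, APP and unknown types are skipped by their length */
    }
    return RTCP_OK;
}

/* Constructed sample builder: an RTCP header (V=2, P=0) and a big-endian SSRC. */
static void put_packet(uint8_t *p, uint8_t rc, uint8_t pt, size_t bytes, uint32_t ssrc)
{
    size_t words = bytes / 4 - 1;
    p[0] = (uint8_t)((2 << 6) | rc);
    p[1] = pt;
    p[2] = (uint8_t)(words >> 8);
    p[3] = (uint8_t)words;
    p[4] = (uint8_t)(ssrc >> 24); p[5] = (uint8_t)(ssrc >> 16);
    p[6] = (uint8_t)(ssrc >> 8);  p[7] = (uint8_t)ssrc;
}

struct demo_result { enum rtcp_status status; size_t count; };

/* 60-byte compound packet: an SR with no report blocks (28 bytes) followed by an
 * RR with one report block (32 bytes), both from SSRC 0x11223344. `trim` bytes
 * are cut from the end to simulate a short read; expected 0 = still in probation. */
static struct demo_result demo(size_t cap, uint32_t expected, size_t trim)
{
    uint8_t buf[60];
    struct rtcp_report reports[RTCP_MAX_REPORTS];
    struct demo_result r;
    memset(buf, 0, sizeof buf);
    put_packet(buf, 0, RTCP_SR, 28, 0x11223344u);
    put_packet(buf + 28, 1, RTCP_RR, 32, 0x11223344u);
    r.status = rtcp_parse_compound(buf, sizeof buf - trim, expected, reports, cap, &r.count);
    return r;
}

int main(void)
{
    struct demo_result ok = demo(RTCP_MAX_REPORTS, 0, 0);
    struct demo_result small = demo(1, 0, 0);
    printf("full capacity: status %d, %zu reports stored\n", ok.status, ok.count);
    printf("capacity 1:    status %d (%d = too many, packet dropped)\n", small.status, RTCP_TOO_MANY);
    return 0;
}
```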

   Affected Versions
   Product               Release Series
   Asterisk Open Source  13.x     All Versions
   Asterisk Open Source  14.x     All Versions
   Asterisk Open Source  15.x     All Versions
   Certified Asterisk    13.13    All Versions

   Corrected In
   Product               Release
   Asterisk Open Source  13.18.4, 14.7.4, 15.1.4
   Certified Asterisk    13.13-cert9

   Patches
   SVN URL                                                               Revision
   http://downloads.asterisk.org/pub/security/AST-2017-012-13.diff       Asterisk 13
   http://downloads.asterisk.org/pub/security/AST-2017-012-14.diff       Asterisk 14
   http://downloads.asterisk.org/pub/security/AST-2017-012-15.diff       Asterisk 15
   http://downloads.asterisk.org/pub/security/AST-2017-012-13.13.diff    Certified Asterisk 13.13

   Links  https://issues.asterisk.org/jira/browse/ASTERISK-27382
          https://issues.asterisk.org/jira/browse/ASTERISK-27429

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2017-012.pdf and 
http://downloads.digium.com/pub/security/AST-2017-012.html  

[asterisk-users] AST-2017-013: DOS Vulnerability in Asterisk chan_skinny

2017-12-01 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2017-013

           Product  Asterisk
           Summary  DOS Vulnerability in Asterisk chan_skinny
Nature of Advisory  Denial of Service
    Susceptibility  Remote Unauthenticated Sessions
          Severity  Moderate
    Exploits Known  Yes
       Reported On  November 30, 2017
       Reported By  Juan Sacco
         Posted On  December 1, 2017
   Last Updated On  December 1, 2017
  Advisory Contact  gjoseph AT digium DOT com
          CVE Name

Description  If the chan_skinny (AKA SCCP protocol) channel driver is flooded
             with certain requests it can cause the Asterisk process to use
             excessive amounts of virtual memory, eventually causing Asterisk
             to stop processing requests of any kind.

Resolution   The chan_skinny driver has been updated to release memory
             allocations in a correct manner, thereby preventing any
             possibility of exhaustion.

   Affected Versions
   Product               Release Series
   Asterisk Open Source  13.x     All Versions
   Asterisk Open Source  14.x     All Versions
   Asterisk Open Source  15.x     All Versions
   Certified Asterisk    13.13    All Versions

   Corrected In
   Product               Release
   Asterisk Open Source  13.18.3, 14.7.3, 15.1.3
   Certified Asterisk    13.13-cert8

   Patches
   SVN URL                                                               Revision
   http://downloads.asterisk.org/pub/security/AST-2017-013-13.diff       Asterisk 13
   http://downloads.asterisk.org/pub/security/AST-2017-013-14.diff       Asterisk 14
   http://downloads.asterisk.org/pub/security/AST-2017-013-15.diff       Asterisk 15
   http://downloads.asterisk.org/pub/security/AST-2017-013-13.13.diff    Certified Asterisk 13.13

   Links https://issues.asterisk.org/jira/browse/ASTERISK-27452   

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2017-013.pdf and 
http://downloads.digium.com/pub/security/AST-2017-013.html

Revision History
  Date  Editor Revisions Made 
November 30, 2017  George Joseph Initial Revision 

   Asterisk Project Security Advisory - AST-2017-013
   Copyright © 2017 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.



[asterisk-users] :

2017-12-01 Thread Asterisk Security Team
The Asterisk Development Team has announced security releases for
Certified Asterisk 13.13 and Asterisk 13, 14 and 15.  The available
security releases are released as versions 13.13-cert8, 13.18.3,
14.7.3 and 15.1.3.

These releases are available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases

The release of these versions resolves the following security
vulnerabilities:

* AST-2017-013: DOS Vulnerability in Asterisk chan_skinny
  If the chan_skinny (AKA SCCP protocol) channel driver is  
  flooded with certain requests it can cause the asterisk   
  process to use excessive amounts of virtual memory
  eventually causing asterisk to stop processing requests of
  any kind. 

For a full list of changes in the current releases, please see the
ChangeLogs:
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.18.3
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog=14.7.3
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-15.1.3
http://downloads.asterisk.org/pub/telephony/certified-asterisk/ChangeLog-certified-13.13-cert8

The security advisories are available at:
http://downloads.asterisk.org/pub/security/AST-2017-013.pdf

Thank you for your continued support of Asterisk!




[asterisk-users] AST-2017-011: Memory leak in pjsip session resource

2017-11-08 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2017-011

           Product  Asterisk
           Summary  Memory leak in pjsip session resource
Nature of Advisory  Memory leak
    Susceptibility  Remote Sessions
          Severity  Minor
    Exploits Known  No
       Reported On  October 15, 2017
       Reported By  Corey Farrell
         Posted On
   Last Updated On  October 19, 2017
  Advisory Contact  kharwell AT digium DOT com
          CVE Name

Description  A memory leak occurs when an Asterisk pjsip session object   
 is created and that call gets rejected before the session
 itself is fully established. When this happens the session   
 object never gets destroyed. 

Resolution  Asterisk now releases the session object and all associated   
memory when a call gets rejected. 

   Affected Versions
   Product               Release Series
   Asterisk Open Source  13.x     13.5.0+
   Asterisk Open Source  14.x     All Releases
   Asterisk Open Source  15.x     All Releases
   Certified Asterisk    13.13    All Releases

   Corrected In
   Product               Release
   Asterisk Open Source  13.18.1, 14.7.1, 15.1.1
   Certified Asterisk    13.13-cert7

   Patches
   SVN URL                                                               Revision
   http://downloads.asterisk.org/pub/security/AST-2017-011-13.diff       Asterisk 13
   http://downloads.asterisk.org/pub/security/AST-2017-011-14.diff       Asterisk 14
   http://downloads.asterisk.org/pub/security/AST-2017-011-15.diff       Asterisk 15
   http://downloads.asterisk.org/pub/security/AST-2017-011-13.13.diff    Certified Asterisk 13.13

Links  https://issues.asterisk.org/jira/browse/ASTERISK-27345 

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2017-011.pdf and 
http://downloads.digium.com/pub/security/AST-2017-011.html

Revision History
 Date   Editor   Revisions Made   
October 19, 2017 Kevin Harwell  Initial Revision  

   Asterisk Project Security Advisory - AST-2017-011
  Copyright (c) 2017 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.




[asterisk-users] AST-2017-010: Buffer overflow in CDR's set user

2017-11-08 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2017-010

           Product  Asterisk
           Summary  Buffer overflow in CDR's set user
Nature of Advisory  Buffer Overflow
    Susceptibility  Remote Authenticated Sessions
          Severity  Moderate
    Exploits Known  No
       Reported On  October 9, 2017
       Reported By  Richard Mudgett
         Posted On
   Last Updated On  October 25, 2017
  Advisory Contact  Rmudgett AT digium DOT com
          CVE Name

Description  No size checking is done when setting the user field for Party B
             on a CDR. Thus, it is possible for someone to use an arbitrarily
             large string and write past the end of the user field storage
             buffer. The earlier AST-2017-001 advisory for the CDR user field
             overflow was for the Party A buffer.

             This currently affects any system using CDRs that also makes use
             of the following:

             * The 'X-ClientCode' header within a SIP INFO message when using
               chan_sip and the 'useclientcode' option is enabled (note, it's
               disabled by default).

             * The CDR dialplan function executed from AMI when setting the
               user field.

             * The AMI Monitor action when using a long file name/path.

Resolution   The CDR engine now only copies up to the maximum allowed
             characters into the user field. Any characters outside the
             maximum are truncated.

   Affected Versions
   Product               Release Series
   Asterisk Open Source  13.x     All Releases
   Asterisk Open Source  14.x     All Releases
   Asterisk Open Source  15.x     All Releases
   Certified Asterisk    13.13    All Releases

   Corrected In
   Product               Release
   Asterisk Open Source  13.18.1, 14.7.1, 15.1.1
   Certified Asterisk    13.13-cert7

   Patches
   SVN URL                                                               Revision
   http://downloads.asterisk.org/pub/security/AST-2017-010-13.diff       Asterisk 13
   http://downloads.asterisk.org/pub/security/AST-2017-010-14.diff       Asterisk 14
   http://downloads.asterisk.org/pub/security/AST-2017-010-15.diff       Asterisk 15
   http://downloads.asterisk.org/pub/security/AST-2017-010-13.13.diff    Certified Asterisk 13.13

Links  https://issues.asterisk.org/jira/browse/ASTERISK-27337 

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2017-010.pdf and 

[asterisk-users] AST-2017-009: Buffer overflow in pjproject header parsing can cause crash in Asterisk

2017-11-08 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2017-009

           Product  Asterisk
           Summary  Buffer overflow in pjproject header parsing can cause crash in Asterisk
Nature of Advisory  Denial of Service
    Susceptibility  Remote Unauthenticated Sessions
          Severity  Critical
    Exploits Known  No
       Reported On  October 5, 2017
       Reported By  Youngsung Kim at LINE Corporation
         Posted On
   Last Updated On  October 25, 2017
  Advisory Contact  gjoseph AT digium DOT com
          CVE Name

Description  By carefully crafting invalid values in the CSeq and the Via
             header port, pjproject's packet parsing code can create strings
             larger than the buffer allocated to hold them. This will usually
             cause Asterisk to crash immediately. The packets do not have to
             be authenticated.

Resolution   Stricter validation is now done on strings that represent numeric
             values before they are converted to intrinsic types. Invalid
             values now cause packet processing to stop and error messages to
             be emitted.

   Affected Versions
   Product               Release Series
   Asterisk Open Source  13.x     All Releases
   Asterisk Open Source  14.x     All Releases
   Asterisk Open Source  15.x     All Releases
   Certified Asterisk    13.13    All Releases

   Corrected In
   Product               Release
   Asterisk Open Source  13.18.1, 14.7.1, 15.1.1
   Certified Asterisk    13.13-cert7

   Patches
   SVN URL                                                               Revision
   http://downloads.asterisk.org/pub/security/AST-2017-009-13.diff       Asterisk 13
   http://downloads.asterisk.org/pub/security/AST-2017-009-14.diff       Asterisk 14
   http://downloads.asterisk.org/pub/security/AST-2017-009-15.diff       Asterisk 15
   http://downloads.asterisk.org/pub/security/AST-2017-009-13.13.diff    Certified Asterisk 13.13

   Links https://issues.asterisk.org/jira/browse/ASTERISK-27319   

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2017-009.pdf and 
http://downloads.digium.com/pub/security/AST-2017-009.html

Revision History
  Date  Editor Revisions Made 
October 25, 2017   George Joseph Initial Revision 

   Asterisk Project Security Advisory - AST-2017-009
   Copyright © 2017 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.



[asterisk-users] AST-2017-008: RTP/RTCP information leak

2017-09-19 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2017-008

           Product  Asterisk
           Summary  RTP/RTCP information leak
Nature of Advisory  Unauthorized data disclosure
    Susceptibility  Remote Unauthenticated Sessions
          Severity  Critical
    Exploits Known  Yes
       Reported On  September 1, 2017
       Reported By  Klaus-Peter Junghanns
         Posted On  September 19, 2017
   Last Updated On  September 19, 2017
  Advisory Contact  Richard Mudgett
          CVE Name  CVE-2017-14099

Description  This is a follow up advisory to AST-2017-005.

             Insufficient RTCP packet validation could allow reading stale
             buffer contents and, when combined with the "nat" and
             "symmetric_rtp" options, allow redirecting where Asterisk sends
             the next RTCP report.

             The RTP stream qualification to learn the source address of media
             always accepted the first RTP packet as the new source and
             allowed what AST-2017-005 was mitigating. The intent was to
             qualify a series of packets before accepting the new source
             address.

Resolution   The RTP/RTCP stack will now validate RTCP packets before
             processing them. Packets failing validation are discarded. RTP
             stream qualification now requires the intended series of packets
             from the same address, without seeing packets from a different
             source address, to accept a new source address.

   Affected Versions
   Product               Release Series
   Asterisk Open Source  11.x     All Releases
   Asterisk Open Source  13.x     All Releases
   Asterisk Open Source  14.x     All Releases
   Certified Asterisk    11.6     All Releases
   Certified Asterisk    13.13    All Releases

   Corrected In
   Product               Release
   Asterisk Open Source  11.25.3, 13.17.2, 14.6.2
   Certified Asterisk    11.6-cert18, 13.13-cert6

   Patches
   SVN URL                                                               Revision
   http://downloads.asterisk.org/pub/security/AST-2017-008-11.diff       Asterisk 11
   http://downloads.asterisk.org/pub/security/AST-2017-008-13.diff       Asterisk 13
   http://downloads.asterisk.org/pub/security/AST-2017-008-14.diff       Asterisk 14
   http://downloads.asterisk.org/pub/security/AST-2017-008-11.6.diff     Certified Asterisk 11.6
   http://downloads.asterisk.org/pub/security/AST-2017-008-13.13.diff    Certified Asterisk 13.13

   Links  https://issues.asterisk.org/jira/browse/ASTERISK-27274
          https://issues.asterisk.org/jira/browse/ASTERISK-27252

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 

[asterisk-users] AST-2017-007: Remote Crash Vulnerability in res_pjsip

2017-08-31 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2017-007

           Product  Asterisk
           Summary  Remote Crash Vulnerability in res_pjsip
Nature of Advisory  Denial of Service
    Susceptibility  Remote Unauthenticated Sessions
          Severity  Moderate
    Exploits Known  No
       Reported On  August 30, 2017
       Reported By  Ross Beer
         Posted On
   Last Updated On  August 30, 2017
  Advisory Contact  George Joseph
          CVE Name

Description  A carefully crafted URI in a From, To or Contact header  
 could cause Asterisk to crash.   

Resolution  Patched pjsip_message_ip_updater to properly ignore the   
trigger URI.  

   Affected Versions
   Product               Release Series
   Asterisk Open Source  13.15.0
   Asterisk Open Source  14.4.0

   Corrected In
   Product               Release
   Asterisk Open Source  13.17.1, 14.6.1

   Patches
   SVN URL                                                               Revision
   http://downloads.asterisk.org/pub/security/AST-2017-007-13.diff       Asterisk 13
   http://downloads.asterisk.org/pub/security/AST-2017-007-14.diff       Asterisk 14

Links  https://issues.asterisk.org/jira/browse/ASTERISK-27152 

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at http://downloads.digium.com/pub/security/.pdf   
and http://downloads.digium.com/pub/security/.html

Revision History
 Date   Editor   Revisions Made   
August 30, 2017  George Joseph  Initial document created  

  Asterisk Project Security Advisory -
  Copyright (c) 2017 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.




[asterisk-users] AST-2017-005: Media takeover in RTP stack

2017-08-31 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2017-005

           Product  Asterisk
           Summary  Media takeover in RTP stack
Nature of Advisory  Unauthorized data disclosure
    Susceptibility  Remote Unauthenticated Sessions
          Severity  Critical
    Exploits Known  No
       Reported On  May 17, 2017
       Reported By  Klaus-Peter Junghanns
         Posted On
   Last Updated On  August 30, 2017
  Advisory Contact  Joshua Colp
          CVE Name

Description  The "strictrtp" option in rtp.conf enables a feature of the  
 RTP stack that learns the source address of media for a  
 session and drops any packets that do not originate from 
 the expected address. This option is enabled by default in   
 Asterisk 11 and above.   
  
 The "nat" and "rtp_symmetric" options for chan_sip and   
 chan_pjsip respectively enable symmetric RTP support in the  
 RTP stack. This uses the source address of incoming media
 as the target address of any sent media. This option is not  
 enabled by default but is commonly enabled to handle 
 devices behind NAT.  
  
 A change was made to the strict RTP support in the RTP   
 stack to better tolerate late media when a reinvite occurs.  
 When combined with the symmetric RTP support this
 introduced an avenue where media could be hijacked. Instead  
 of only learning a new address when expected the new code
 allowed a new source address to be learned at all times. 
  
 If a flood of RTP traffic was received the strict RTP
 support would allow the new address to provide media and 
 with symmetric RTP enabled outgoing traffic would be sent
 to this new address, allowing the media to be hijacked.  
 Provided the attacker continued to send traffic they would   
 continue to receive traffic as well. 

Resolution  The RTP stack will now only learn a new source address if it  
has been told to expect the address to change. The RTCP   
support has now also been updated to drop RTCP reports that   
are not regarding the RTP session currently in progress. The  
strict RTP learning progress has also been improved to guard  
against a flood of RTP packets attempting to take over the
media stream. 
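The learning rule the resolution describes, as an added illustration in C; this is not Asterisk's rtp_engine code. The struct and function names and the four-packet threshold are assumptions, and the timing-based flood checks the advisory mentions are not modelled: here an unexpected source is simply never learned.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of strict RTP source learning; not Asterisk's
 * rtp_engine code. Names and the threshold below are assumptions. */
#define STRICT_RTP_LEARN_PACKETS 4  /* consecutive packets before a switch */

struct rtp_addr {
    uint32_t ip;    /* constructed: IPv4 as a plain integer */
    uint16_t port;
};

struct strict_rtp {
    struct rtp_addr locked;     /* address media must come from */
    bool have_locked;
    bool expect_change;         /* set by signalling when a reinvite moves media */
    struct rtp_addr candidate;  /* new source currently being learned */
    int candidate_count;
};

static bool addr_eq(const struct rtp_addr *a, const struct rtp_addr *b)
{
    return a->ip == b->ip && a->port == b->port;
}

void strict_rtp_init(struct strict_rtp *s)
{
    memset(s, 0, sizeof(*s));
    s->expect_change = true;  /* nothing learned yet: the first source may be learned */
}

/* Called from the signalling layer when a reinvite changes the remote
 * media address; only then may a new source be learned. */
void strict_rtp_expect_change(struct strict_rtp *s)
{
    s->expect_change = true;
    s->candidate_count = 0;
}

/* The behaviour the advisory describes as vulnerable: any source is
 * learned at any time, so whoever sent most recently owns the stream. */
bool strict_rtp_accept_vulnerable(struct strict_rtp *s, const struct rtp_addr *src)
{
    s->locked = *src;
    s->have_locked = true;
    return true;
}

/* Hardened: the locked address is always accepted; another address is
 * dropped unless a change is expected, and even then it must supply a run
 * of consecutive packets before it replaces the locked address.
 * Returns true if the packet should be passed on, false if dropped. */
bool strict_rtp_accept(struct strict_rtp *s, const struct rtp_addr *src)
{
    if (s->have_locked && addr_eq(&s->locked, src)) {
        return true;
    }
    if (!s->expect_change) {
        return false;  /* unexpected source: drop and do not learn */
    }
    if (s->candidate_count > 0 && addr_eq(&s->candidate, src)) {
        s->candidate_count++;
    } else {
        s->candidate = *src;  /* a different address restarts learning */
        s->candidate_count = 1;
    }
    if (s->candidate_count >= STRICT_RTP_LEARN_PACKETS) {
        s->locked = *src;
        s->have_locked = true;
        s->expect_change = false;
        s->candidate_count = 0;
        return true;
    }
    return false;  /* still learning: not yet trusted */
}

int main(void)
{
    struct strict_rtp s;
    struct rtp_addr peer = { 0x0A000001u, 5000 };   /* constructed 10.0.0.1:5000 */
    struct rtp_addr other = { 0x0A000002u, 6000 };  /* constructed 10.0.0.2:6000 */
    int i, dropped = 0;

    strict_rtp_init(&s);
    for (i = 0; i < STRICT_RTP_LEARN_PACKETS; i++) {
        strict_rtp_accept(&s, &peer);  /* learn the legitimate peer */
    }
    for (i = 0; i < 1000; i++) {        /* a flood from another address */
        if (!strict_rtp_accept(&s, &other)) dropped++;
    }
    printf("flood packets dropped: %d, locked port still %u\n", dropped, s.locked.port);
    return 0;
}
```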

   Affected Versions
  Product               Release Series  Affected
  Asterisk Open Source  11.x            11.4.0
  Asterisk Open Source  13.x            All Releases
  Asterisk Open Source  14.x            All Releases
  Certified Asterisk    11.6            All Releases
  Certified Asterisk    13.13           All Releases

  Corrected In
  Product               Release
  Asterisk Open Source  11.25.2, 13.17.1, 14.6.1
  Certified Asterisk    11.6-cert17, 13.13-cert5

 Patches
  SVN URL                                                          Revision
  http://downloads.asterisk.org/pub/security/AST-2017-005-11.diff  Asterisk 11
  http://downloads.asterisk.org/pub/security/AST-2017-005-13.diff  Asterisk 13
  http://downloads.asterisk.org/pub/security/AST-2017-005-14.diff  Asterisk 14
   

[asterisk-users] AST-2017-006: Shell access command injection in app_minivm

2017-08-31 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2017-006

  Product             Asterisk
  Summary             Shell access command injection in app_minivm
  Nature of Advisory  Unauthorized command execution
  Susceptibility      Remote Authenticated Sessions
  Severity            Moderate
  Exploits Known      No
  Reported On         July 1, 2017
  Reported By         Corey Farrell
  Posted On
  Last Updated On     July 11, 2017
  Advisory Contact    Richard Mudgett
  CVE Name

Description  The app_minivm module has an “externnotify” program
             configuration option that is executed by the MinivmNotify
             dialplan application. The application uses the caller-id
             name and number as part of a built string passed to the OS
             shell for interpretation and execution. Since the caller-id
             name and number can come from an untrusted source, a
             crafted caller-id name or number allows an arbitrary shell
             command injection.

Resolution  Patched Asterisk’s app_minivm module to use a different   
system call that passes argument strings in an array instead  
of having the OS shell determine the application parameter
boundaries.   
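The resolution's approach, as an added C example that is not app_minivm's code: the vulnerable pattern only builds the shell string and never runs it, while run_notify_argv() hands the caller-id fields to exec as separate argv entries so no shell tokenises them. Function names are assumptions and /bin/echo stands in for a configured externnotify handler.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Added example, not app_minivm's code. Function names are assumptions;
 * "/bin/echo" stands in for a configured externnotify handler. */

/* The vulnerable pattern: caller-id fields are spliced into one command
 * string that a shell later tokenises, so ';', '`', '$(' and friends in
 * the name or number become commands. This only builds the string and
 * never runs it. Returns 0, or -1 if the buffer is too small. */
int build_shell_command_unsafe(char *out, size_t outlen, const char *prog,
                               const char *cid_name, const char *cid_num)
{
    int n = snprintf(out, outlen, "%s %s %s", prog, cid_name, cid_num);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* The fix the advisory describes: each value is its own argv entry and
 * exec() runs the program directly, so no shell ever interprets the
 * caller-id data. The child's stdout is captured into out so the caller
 * can see exactly what the program received. Returns the child's exit
 * status, or -1 on error. */
int run_notify_argv(const char *prog, const char *cid_name, const char *cid_num,
                    char *out, size_t outlen)
{
    int fd[2];
    pid_t pid;
    size_t used = 0;
    ssize_t r;
    int status;

    if (pipe(fd) != 0) return -1;
    fflush(stdout);  /* do not let the child inherit unflushed output */
    pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* child: one argv slot per value, no shell involved */
        char *const argv[] = { (char *)prog, (char *)cid_name, (char *)cid_num, NULL };
        close(fd[0]);
        dup2(fd[1], STDOUT_FILENO);
        close(fd[1]);
        execv(prog, argv);
        _exit(127);  /* exec failed */
    }
    close(fd[1]);
    while (used + 1 < outlen && (r = read(fd[0], out + used, outlen - used - 1)) > 0) {
        used += (size_t)r;
    }
    out[used] = '\0';
    close(fd[0]);
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* constructed caller-id name carrying shell metacharacters */
    const char *cid_name = "Mallory; echo injected";
    char cmd[256], out[256];

    build_shell_command_unsafe(cmd, sizeof cmd, "/bin/echo", cid_name, "5551234");
    printf("string a shell would tokenise: %s\n", cmd);
    run_notify_argv("/bin/echo", cid_name, "5551234", out, sizeof out);
    printf("what the program actually received: %s", out);
    return 0;
}
```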

   Affected Versions
  Product               Release Series  Affected
  Asterisk Open Source  11.x            All releases
  Asterisk Open Source  13.x            All releases
  Asterisk Open Source  14.x            All releases
  Certified Asterisk    11.6            All releases
  Certified Asterisk    13.13           All releases

  Corrected In
  Product               Release
  Asterisk Open Source  11.25.2, 13.17.1, 14.6.1
  Certified Asterisk    11.6-cert17, 13.13-cert5

 Patches
  SVN URL                                                             Revision
  http://downloads.asterisk.org/pub/security/AST-2017-006-11.diff     Asterisk 11
  http://downloads.asterisk.org/pub/security/AST-2017-006-13.diff     Asterisk 13
  http://downloads.asterisk.org/pub/security/AST-2017-006-14.diff     Asterisk 14
  http://downloads.asterisk.org/pub/security/AST-2017-006-11.6.diff   Certified Asterisk 11.6
  http://downloads.asterisk.org/pub/security/AST-2017-006-13.13.diff  Certified Asterisk 13.13

Links  https://issues.asterisk.org/jira/browse/ASTERISK-27103 

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2017-006.pdf and 
http://downloads.digium.com/pub/security/AST-2017-006.html

Revision History
Date   EditorRevisions Made   
July 11, 2017  Richard Mudgett  Initial document created  

   Asterisk Project Security Advisory - AST-2017-006
   Copyright © 2017 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.



[asterisk-users] AST-2017-004: Memory exhaustion on short SCCP packets

2017-05-19 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2017-004

  Product Asterisk
  Summary Memory exhaustion on short SCCP packets 
 Nature of Advisory   Denial of Service   
   Susceptibility Remote Unauthenticated Sessions 
  SeverityCritical
   Exploits Known No  
Reported On   April 13, 2017  
Reported By   Sandro Gauci
 Posted On
  Last Updated On April 13, 2017  
  Advisory ContactGeorge Joseph
  CVE Name

Description  A remote memory exhaustion can be triggered by sending an
             SCCP packet to an Asterisk system with “chan_skinny” enabled
             that is larger than the length of the SCCP header but
             smaller than the packet length specified in the header. The
             loop that reads the rest of the packet doesn’t detect that
             the call to read() returned end-of-file before the expected
             number of bytes and continues infinitely. The “partial
             data” message logging in that tight loop causes Asterisk to
             exhaust all available memory.

Resolution  If support for the SCCP protocol is not required, remove or   
disable the module.   
  
If support for SCCP is required, an upgrade to Asterisk will  
be necessary. 
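A read loop that treats end-of-file as a hard error, as an added C example (not chan_skinny's code); read_packet_body() and simulate_short_packet() are assumed names, and a pipe stands in for the SCCP socket so the short-packet case can be reproduced offline.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Added example, not chan_skinny's code. read_packet_body() is an assumed
 * name for the loop that reads the remainder of an SCCP packet after the
 * header has announced how many bytes follow. */

/* Reads exactly len bytes into buf. Unlike the loop the advisory
 * describes, a read() that returns 0 (peer closed, or the message was
 * shorter than its header claimed) ends the loop with an error instead of
 * logging "partial data" forever.
 * Returns 0 on success, -1 on EOF before len bytes, -2 on a read error. */
int read_packet_body(int fd, unsigned char *buf, size_t len)
{
    size_t got = 0;
    while (got < len) {
        ssize_t r = read(fd, buf + got, len - got);
        if (r == 0) {
            fprintf(stderr, "short packet: header announced %zu bytes, got %zu\n",
                    len, got);
            return -1;
        }
        if (r < 0) {
            if (errno == EINTR) continue;  /* interrupted: retry */
            return -2;
        }
        got += (size_t)r;
    }
    return 0;
}

/* Simulates a peer that announces announced_len body bytes but sends only
 * actual_len before disconnecting; the pipe stands in for the TCP socket.
 * Returns the result of read_packet_body(), or -3 on setup failure. */
int simulate_short_packet(size_t announced_len, size_t actual_len)
{
    int fd[2];
    unsigned char body[256] = {0};  /* constructed body, content irrelevant */
    unsigned char buf[256];
    int rc;

    if (announced_len > sizeof buf || actual_len > sizeof body) return -3;
    if (pipe(fd) != 0) return -3;
    if (write(fd[1], body, actual_len) != (ssize_t)actual_len) return -3;
    close(fd[1]);  /* peer hangs up: subsequent reads return 0 */
    rc = read_packet_body(fd[0], buf, announced_len);
    close(fd[0]);
    return rc;
}

int main(void)
{
    printf("complete packet: %d\n", simulate_short_packet(64, 64));
    printf("truncated packet: %d\n", simulate_short_packet(64, 10));
    return 0;
}
```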

   Affected Versions
Product  Release Series  
 Asterisk Open Source 11.x   Unaffected   
 Asterisk Open Source 13.x   All versions 
 Asterisk Open Source 14.x   All versions 
  Certified Asterisk 13.13   All versions 

  Corrected In
   Product  Release   
 Asterisk Open Source   13.15.1, 14.4.1   
  Certified Asterisk  13.13-cert4 

Patches
  SVN URL Revision

   Links 

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at http://downloads.digium.com/pub/security/.pdf   
and http://downloads.digium.com/pub/security/.html

Revision History
  DateEditor  Revisions Made  
13 April 2017  George Joseph  Initial report created  

  Asterisk Project Security Advisory -
   Copyright © 2017 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.



[asterisk-users] AST-2017-002: Buffer Overrun in PJSIP transaction layer

2017-05-19 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2017-002

  Product             Asterisk
  Summary             Buffer Overrun in PJSIP transaction layer
  Nature of Advisory  Buffer Overrun/Crash
  Susceptibility      Remote Unauthenticated Sessions
  Severity            Critical
  Exploits Known      No
  Reported On         12 April, 2017
  Reported By         Sandro Gauci
  Posted On
  Last Updated On     April 13, 2017
  Advisory Contact    Mark Michelson
  CVE Name

Description  A remote crash can be triggered by sending a SIP packet to   
 Asterisk with a specially crafted CSeq header and a Via  
 header with no branch parameter. The issue is that the   
 PJSIP RFC 2543 transaction key generation algorithm does 
 not allocate a large enough buffer. By overrunning the   
 buffer, the memory allocation table becomes corrupted,   
 leading to an eventual crash.
  
 This issue is in PJSIP, and so the issue can be fixed
 without performing an upgrade of Asterisk at all. However,   
 we are releasing a new version of Asterisk with the bundled  
 PJProject updated to include the fix.
  
 If you are running Asterisk with chan_sip, this issue does   
 not affect you.  

Resolution  A patch created by the Asterisk team has been submitted and   
accepted by the PJProject maintainers.

   Affected Versions
  Product               Release Series  Affected
  Asterisk Open Source  11.x            Unaffected
  Asterisk Open Source  13.x            All versions
  Asterisk Open Source  14.x            All versions
  Certified Asterisk    13.13           All versions

  Corrected In
  Product               Release
  Asterisk Open Source  13.15.1, 14.4.1
  Certified Asterisk    13.13-cert4

Patches
 SVN URL  Revision

Links  https://issues.asterisk.org/jira/browse/ASTERISK-26938 

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2017-002.pdf and 
http://downloads.digium.com/pub/security/AST-2017-002.html

Revision History
 Date   Editor   Revisions Made   
12 April, 2017  Mark Michelson  Initial report created

   Asterisk Project Security Advisory - AST-2017-002
  Copyright (c) 2017 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.




[asterisk-users] AST-2017-003: Crash in PJSIP multi-part body parser

2017-05-19 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2017-003

  Product             Asterisk
  Summary             Crash in PJSIP multi-part body parser
  Nature of Advisory  Remote Crash
  Susceptibility      Remote Unauthenticated Sessions
  Severity            Critical
  Exploits Known      No
  Reported On         13 April, 2017
  Reported By         Sandro Gauci
  Posted On
  Last Updated On     April 13, 2017
  Advisory Contact    Mark Michelson
  CVE Name

Description  The multi-part body parser in PJSIP contains a logical   
 error that can make certain multi-part body parts attempt
 to read memory from outside the allowed boundaries. A
 specially-crafted packet can trigger these invalid reads 
 and potentially induce a crash.  
  
 The issue is within the PJSIP project and not in Asterisk.   
 Therefore, the problem can be fixed without upgrading
 Asterisk. However, we will be releasing a new version of 
 Asterisk where the bundled version of PJSIP has been 
 updated to have the bug patched. 
  
 If you are using Asterisk with chan_sip, this issue does 
 not affect you.  

Resolution  We have submitted the error report to the PJProject   
maintainers and have coordinated a release... 

   Affected Versions
  Product               Release Series  Affected
  Asterisk Open Source  11.x            Unaffected
  Asterisk Open Source  13.x            All versions
  Asterisk Open Source  14.x            All versions
  Certified Asterisk    13.13           All versions

  Corrected In
  Product               Release
  Asterisk Open Source  13.15.1, 14.4.1
  Certified Asterisk    13.13-cert4

Patches
 SVN URL  Revision

Links  https://issues.asterisk.org/jira/browse/ASTERISK-26939 

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2017-003.pdf and 
http://downloads.digium.com/pub/security/AST-2017-003.html

Revision History
 Date   Editor   Revisions Made   
13 April, 2017  Mark Michelson  Initial advisory created  

   Asterisk Project Security Advisory - AST-2017-003
  Copyright (c) 2017 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.




[asterisk-users] AST-2017-001: Buffer overflow in CDR's set user

2017-04-04 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2017-001

  Product             Asterisk
  Summary             Buffer overflow in CDR's set user
  Nature of Advisory  Buffer Overflow
  Susceptibility      Remote Authenticated Sessions
  Severity            Moderate
  Exploits Known      No
  Reported On         March 27, 2017
  Reported By         Alex Villacis Lasso
  Posted On
  Last Updated On     April 4, 2017
  Advisory Contact    kharwell AT digium DOT com
  CVE Name

Description  No size checking is done when setting the user field on a
             CDR. Thus, it is possible for someone to use an arbitrarily
             large string and write past the end of the user field
             storage buffer. This allows the possibility of remote code
             injection.

             This currently affects any system using CDRs that also
             makes use of the following:

             * The 'X-ClientCode' header within a SIP INFO message when
               using chan_sip and the 'useclientcode' option is enabled
               (note, it's disabled by default).

             * The CDR dialplan function executed from AMI when setting
               the user field.

             * The AMI Monitor action when using a long file name/path.

Resolution  The CDR engine now only copies up to the maximum allowed  
characters into the user field. Any characters outside the
maximum are truncated.

   Affected Versions
  Product               Release Series  Affected
  Asterisk Open Source  13.x            All Releases
  Asterisk Open Source  14.x            All Releases
  Certified Asterisk    13.13           All Releases

  Corrected In
  Product               Release
  Asterisk Open Source  13.14.1, 14.3.1
  Certified Asterisk    13.13-cert3

 Patches
  SVN URL                                                             Revision
  http://downloads.asterisk.org/pub/security/AST-2017-001-13.diff     Asterisk 13
  http://downloads.asterisk.org/pub/security/AST-2017-001-14.diff     Asterisk 14
  http://downloads.asterisk.org/pub/security/AST-2017-001-13.13.diff  Certified Asterisk 13.13

Links  https://issues.asterisk.org/jira/browse/ASTERISK-26897 

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2017-001.pdf and 
http://downloads.digium.com/pub/security/AST-2017-001.html

Revision History
 Date   Editor   Revisions Made   
March 27, 2017  Kevin Harwell  Initial Revision

   Asterisk Project Security Advisory - AST-2017-001

[asterisk-users] AST-2016-009:

2016-12-08 Thread Asterisk Security Team
 Asterisk Project Security Advisory - ASTERISK-2016-009

  Product             Asterisk
  Summary
  Nature of Advisory  Authentication Bypass
  Susceptibility      Remote unauthenticated sessions
  Severity            Minor
  Exploits Known      No
  Reported On         October 3, 2016
  Reported By         Walter Doekes
  Posted On
  Last Updated On     December 8, 2016
  Advisory Contact    Mmichelson AT digium DOT com
  CVE Name

Description  The chan_sip channel driver has a liberal definition for 
 whitespace when attempting to strip the content between a
 SIP header name and a colon character. Rather than   
 following RFC 3261 and stripping only spaces and horizontal  
 tabs, Asterisk treats any non-printable ASCII character as   
 if it were whitespace. This means that headers such as   
  
 Contact\x01: 
  
 will be seen as a valid Contact header.  
  
 This mostly does not pose a problem until Asterisk is
 placed in tandem with an authenticating SIP proxy. In such   
 a case, a crafty combination of valid and invalid To 
 headers can cause a proxy to allow an INVITE request into
 Asterisk without authentication since it believes the
 request is an in-dialog request. However, because of the 
 bug described above, the request will look like an   
 out-of-dialog request to Asterisk. Asterisk will then
 process the request as a new call. The result is that
 Asterisk can process calls from unvetted sources without 
 any authentication.  
  
 If you do not use a proxy for authentication, then this  
 issue does not affect you.   
  
 If your proxy is dialog-aware (meaning that the proxy keeps  
 track of what dialogs are currently valid), then this issue  
 does not affect you. 
  
 If you use chan_pjsip instead of chan_sip, then this issue   
 does not affect you. 

Resolution  chan_sip has been patched to only treat spaces and
horizontal tabs as whitespace following a header name. This   
allows for Asterisk and authenticating proxies to view
requests the same way.
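The two definitions of header whitespace side by side, as an added C example that is not chan_sip's parser: header_is_lenient() mirrors the behaviour the advisory describes, header_is_strict() the RFC 3261 rule, and count_headers() shows how the two rules disagree on a constructed message such as the one an RFC-following proxy and an unpatched Asterisk would each see differently. All names are assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Added example, not chan_sip's parser. Both predicates answer the same
 * question: does this raw header line carry the header called name?
 * header_is_lenient() mirrors the behaviour the advisory describes;
 * header_is_strict() follows RFC 3261, where only SP and HTAB may sit
 * between the header name and the colon. */

/* Header names compare case-insensitively; on a match, *consumed is the
 * length of the name. */
static bool name_prefix_matches(const char *line, const char *name, size_t *consumed)
{
    size_t n = strlen(name);
    if (strncasecmp(line, name, n) != 0) return false;
    *consumed = n;
    return true;
}

/* Vulnerable: any non-printable ASCII byte between name and colon is
 * skipped as if it were whitespace, so "Contact\x01:" passes. */
bool header_is_lenient(const char *line, const char *name)
{
    size_t i;
    if (!name_prefix_matches(line, name, &i)) return false;
    while (line[i] && (line[i] == ' ' || line[i] == '\t' ||
                       !isprint((unsigned char)line[i]))) {
        i++;
    }
    return line[i] == ':';
}

/* Fixed: only SP and HTAB are whitespace before the colon. */
bool header_is_strict(const char *line, const char *name)
{
    size_t i;
    if (!name_prefix_matches(line, name, &i)) return false;
    while (line[i] == ' ' || line[i] == '\t') i++;
    return line[i] == ':';
}

/* Counts the headers called name in a CRLF-delimited message under one of
 * the two rules, so the two views of the same message can be compared. */
int count_headers(const char *msg, const char *name, bool strict)
{
    int count = 0;
    const char *p = msg;
    while (*p) {
        const char *eol = strstr(p, "\r\n");
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        char line[512];
        if (len == 0) break;  /* blank line ends the header section */
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (strict ? header_is_strict(line, name) : header_is_lenient(line, name)) count++;
        if (!eol) break;
        p = eol + 2;
    }
    return count;
}

/* Constructed message: one well-formed To header and one whose name is
 * followed by a control byte before the colon. */
const char *const SAMPLE_MSG =
    "INVITE sip:bob@example.invalid SIP/2.0\r\n"
    "To: <sip:bob@example.invalid>\r\n"
    "To\x01: <sip:carol@example.invalid>\r\n"
    "Contact\x01: <sip:alice@example.invalid>\r\n"
    "\r\n";

int main(void)
{
    printf("To headers, RFC 3261 rule: %d\n", count_headers(SAMPLE_MSG, "To", true));
    printf("To headers, lenient rule:  %d\n", count_headers(SAMPLE_MSG, "To", false));
    return 0;
}
```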

   Affected Versions
  Product               Release Series  Affected
  Asterisk Open Source  11.x            All Releases
  Asterisk Open Source  13.x            All Releases
  Asterisk Open Source  14.x            All Releases
  Certified Asterisk    13.8            All Releases

  Corrected In
  Product               Release
  Asterisk Open Source  11.25.1, 13.13.1, 14.2.1
  Certified Asterisk    11.6-cert16, 13.8-cert4

Patches
 SVN URL  Revision

   Links 

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 

[asterisk-users] AST-2016-008: Crash on SDP offer or answer from endpoint using Opus

2016-12-08 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2016-008

  Product             Asterisk
  Summary             Crash on SDP offer or answer from endpoint using Opus
  Nature of Advisory  Remote Crash
  Susceptibility      Remote unauthenticated sessions
  Severity            Critical
  Exploits Known      No
  Reported On         November 11, 2016
  Reported By         jorgen
  Posted On
  Last Updated On     November 15, 2016
  Advisory Contact    jcolp AT digium DOT com
  CVE Name

Description  If an SDP offer or answer is received with the Opus codec
 and with the format parameters separated using a space the   
 code responsible for parsing will recursively call itself
 until it crashes. This occurs as the code does not properly  
 handle spaces separating the parameters. This does NOT   
 require the endpoint to have Opus configured in Asterisk.
 This also does not require the endpoint to be
 authenticated. If guest is enabled for chan_sip or   
 anonymous in chan_pjsip an SDP offer or answer is still  
 processed and the crash occurs.  

Resolution  The code has been updated to properly handle spaces   
separating parameters in the fmtp line. Upgrade to a  
released version with the fix incorporated or apply patch.
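An iterative fmtp parameter parser that accepts both ";" and "; " as separators, as an added C example (not Asterisk's Opus format-attribute code); parse_fmtp() is an assumed name and the fmtp strings are constructed. Because every loop iteration consumes at least one byte, unexpected whitespace can only be skipped, never make the parser re-enter itself on the same input.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Asterisk's Opus format-attribute code. parse_fmtp()
 * is an assumed name; the fmtp strings used below are constructed. */

struct fmtp_param {
    char key[32];
    char value[32];
};

/* Splits an fmtp attribute string into key=value pairs. Separators are ';'
 * with any amount of surrounding SP/HTAB, so both "a=1;b=2" and "a=1; b=2"
 * parse. The loop always consumes at least one byte per iteration; the
 * advisory describes a parser that, on a space it did not handle, called
 * itself again until it crashed.
 * Returns the number of pairs found (storing at most max of them), or -1
 * if a pair is malformed (missing '=', empty key, or a field too long). */
int parse_fmtp(const char *attrs, struct fmtp_param *out, int max)
{
    int n = 0;
    const char *p = attrs;

    while (*p) {
        const char *end, *eq;
        size_t len, klen, vlen;

        while (*p == ' ' || *p == '\t' || *p == ';') p++;  /* skip separators */
        if (!*p) break;
        end = strchr(p, ';');
        len = end ? (size_t)(end - p) : strlen(p);
        while (len && isspace((unsigned char)p[len - 1])) len--;  /* trim */
        eq = memchr(p, '=', len);
        if (!eq || eq == p) return -1;
        klen = (size_t)(eq - p);
        vlen = len - klen - 1;
        if (klen >= sizeof out[0].key || vlen >= sizeof out[0].value) return -1;
        if (n < max) {
            memcpy(out[n].key, p, klen);
            out[n].key[klen] = '\0';
            memcpy(out[n].value, eq + 1, vlen);
            out[n].value[vlen] = '\0';
        }
        n++;
        p += len;  /* past the token; the separator loop eats what follows */
    }
    return n;
}

int main(void)
{
    /* constructed: the space-separated form the advisory says crashed */
    const char *attrs = "maxplaybackrate=48000; stereo=1; useinbandfec=1";
    struct fmtp_param params[8];
    int i, n = parse_fmtp(attrs, params, 8);

    for (i = 0; i < n && i < 8; i++) {
        printf("%s -> %s\n", params[i].key, params[i].value);
    }
    printf("pathological input yields %d pairs\n", parse_fmtp(" ;; ;  ", params, 8));
    return 0;
}
```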

   Affected Versions
  Product               Release Series  Affected
  Asterisk Open Source  13.x            13.12.0 and higher
  Asterisk Open Source  14.x            All Versions

  Corrected In
  Product               Release
  Asterisk Open Source  13.13.1, 14.2.1

 Patches
  SVN URL                                                          Revision
  http://downloads.asterisk.org/pub/security/AST-2016-008-13.diff  Asterisk 13
  http://downloads.asterisk.org/pub/security/AST-2016-008-14.diff  Asterisk 14

Links  https://issues.asterisk.org/jira/browse/ASTERISK-26579 

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2016-008.pdf and 
http://downloads.digium.com/pub/security/AST-2016-008.html

Revision History
  Date   Editor  Revisions Made   
November 15, 2016  Joshua Colp  Initial draft of Advisory 

   Asterisk Project Security Advisory - AST-2016-008
   Copyright © 2016 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.



[asterisk-users] AST-2016-007: UPDATE

2016-10-25 Thread Asterisk Security Team
On September 8, the Asterisk development team released the AST-2016-007
security advisory. The security advisory involved an RTP resource
exhaustion that could be targeted due to a flaw in the "allowoverlap"
option of chan_sip. Due to new information presented to us by Walter
Doekes, we have made the following updates to the advisory.

In the "Description" section, the following text has been added:

UPDATE (20 October, 2016):

It has been brought to our attention by Walter Doekes that
this same leak can be exploited without the use of the
overlap dialing feature. Sending SIP requests in a specific
sequence outside the norm could also cause the leak of RTP
resources. By sending an in-dialog INVITE after receiving a
404 response (but before sending an ACK), an attacker could
cause the same leak to occur.

In the "Resolution" section, the following text has been added:

UPDATE (20 October, 2016):

Because of the updated information from Walter Doekes,
disabling the allowoverlap option is not enough to solve
this issue. Users of Asterisk MUST upgrade to one of the
fixed versions listed below.

The updated advisory can be found at
http://downloads.asterisk.org/pub/security/AST-2016-007.html
and
http://downloads.asterisk.org/pub/security/AST-2016-007.pdf


-- 
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

Join the Asterisk Community at the 13th AstriCon, September 27-29, 2016
  http://www.asterisk.org/community/astricon-user-conference

New to Asterisk? Start here:
  https://wiki.asterisk.org/wiki/display/AST/Getting+Started

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users


[asterisk-users] AST-2016-007: RTP Resource Exhaustion

2016-09-08 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2016-007

  Product             Asterisk
  Summary             RTP Resource Exhaustion
  Nature of Advisory  Denial of Service
  Susceptibility      Remote Authenticated Sessions
  Severity            Moderate
  Exploits Known      No
  Reported On         August 5, 2016
  Reported By         Etienne Lessard
  Posted On
  Last Updated On     September 8, 2016
  Advisory Contact    Joshua Colp
  CVE Name

Description  The overlap dialing feature in chan_sip allows chan_sip to   
 report to a device that the number that has been dialed is   
 incomplete and more digits are required. If this 
 functionality is used with a device that has performed   
 username/password authentication RTP resources are leaked.   
 This occurs because the code fails to release the old RTP
 resources before allocating new ones in this scenario. If
 all resources are used then RTP port exhaustion will occur   
 and no RTP sessions are able to be set up.   

Resolution  If overlap dialing support is not needed the “allowoverlap”
            option can be set to no. This will stop any usage of the
            scenario which causes the resource exhaustion.

            If overlap dialing support is needed a change has been made
            so that existing RTP resources are destroyed in this
            scenario before allocating new resources.

   Affected Versions
  Product               Release Series  Affected
  Asterisk Open Source  11.x            All Versions
  Asterisk Open Source  13.x            All Versions
  Certified Asterisk    11.6            All Versions
  Certified Asterisk    13.8            All Versions

  Corrected In
  Product               Release
  Asterisk Open Source  11.23.1, 13.11.1
  Certified Asterisk    11.6-cert15, 13.8-cert3

Patches
 SVN URL  Revision

Links  https://issues.asterisk.org/jira/browse/ASTERISK-26272 

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2016-007.pdf and 
http://downloads.digium.com/pub/security/AST-2016-007.html

Revision History
 Date  Editor   Revisions Made
August 23, 2016  Joshua Colp  Initial creation

   Asterisk Project Security Advisory - AST-2016-007
   Copyright © 2016 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.



[asterisk-users] AST-2016-006: Crash on ACK from unknown endpoint

2016-09-08 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2016-006

  Product             Asterisk
  Summary             Crash on ACK from unknown endpoint
  Nature of Advisory  Remote Crash
  Susceptibility      Remote unauthenticated sessions
  Severity            Critical
  Exploits Known      No
  Reported On         August 3, 2016
  Reported By         Nappsoft
  Posted On
  Last Updated On     August 31, 2016
  Advisory Contact    mark DOT michelson AT digium DOT com
  CVE Name

Description  Asterisk can be crashed remotely by sending an ACK to it 
 from an endpoint username that Asterisk does not recognize.  
 Most SIP request types result in an "artificial" endpoint
 being looked up, but ACKs bypass this lookup. The resulting  
 NULL pointer results in a crash when attempting to   
 determine if ACLs should be applied. 
  
 This issue was introduced in the Asterisk 13.10 release and  
 only affects that release.   
  
 This issue only affects users using the PJSIP stack with 
 Asterisk. Those users that use chan_sip are unaffected.  

Resolution  ACKs now result in an artificial endpoint being looked up 
just like other SIP request types.

   Affected Versions
  Product               Release Series  Affected
  Asterisk Open Source  11.x            Unaffected
  Asterisk Open Source  13.x            13.10.0
  Certified Asterisk    11.6            Unaffected
  Certified Asterisk    13.8            Unaffected

  Corrected In
  Product               Release
  Asterisk Open Source  13.11.1

Patches
 SVN URL  Revision

   Links 

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2016-006.pdf and 
http://downloads.digium.com/pub/security/AST-2016-006.html

Revision History
 DateEditor  Revisions Made   
August 16, 2016  Mark Michelson  Initial draft of Advisory

   Asterisk Project Security Advisory - AST-2016-006
  Copyright (c) 2016 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.




[asterisk-users] AST-2016-005: TCP denial of service in PJProject

2016-04-14 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2016-005

  Product             Asterisk
  Summary             TCP denial of service in PJProject
  Nature of Advisory  Crash/Denial of Service
  Susceptibility      Remote Unauthenticated Sessions
  Severity            Critical
  Exploits Known      No
  Reported On         February 15, 2016
  Reported By         George Joseph
  Posted On
  Last Updated On     March 3, 2016
  Advisory Contact    Mark Michelson
  CVE Name

Description  PJProject has a limit on the number of TCP connections that  
 it can accept. Furthermore, PJProject does not close TCP 
 connections it accepts. By default, this value is
 approximately 60.
  
 An attacker can deplete the number of allowed TCP
 connections by opening TCP connections and sending no data   
 to Asterisk. 
  
 If PJProject has been compiled in debug mode, then once the  
 number of allowed TCP connections has been depleted, the 
 next attempted TCP connection to Asterisk will crash due to  
 an assertion in PJProject.   
  
 If PJProject has not been compiled in debug mode, then any   
 further TCP connection attempts will be rejected. This   
 makes Asterisk unable to process TCP SIP traffic.
  
 Note that this only affects TCP/TLS, since UDP is
 connectionless. Also note that this does not affect  
 chan_sip.

Resolution  PJProject has a compile-time constant that controls the   
maximum number of TCP connections that can be handled. Those  
who compile PJProject on their own are encouraged to set  
this to a value that is more amenable to the number of TCP
connections that Asterisk should be able to handle. In
PJProject's pjlib/include/pj/config_site.h, add the   
following prior to compiling PJProject:   
  
# define PJ_IOQUEUE_MAX_HANDLES (FD_SETSIZE)  
  
This is part of a larger set of recommended definitions to
place in config_site.h of PJProject. See the Asterisk 
"Building and Installing PJProject" wiki page for other   
recommended settings. 
  
Packagers of PJProject have updated their packages to have
these constants defined, so if your package is kept up to 
date, you should already be fine. 
  
In addition, the Asterisk project has recently been modified  
to be able to perform a static build of PJProject. By 
running the Asterisk configure script with the
--with-pjproject-bundled option, the latest PJProject will
be downloaded and installed, and the compile-time constants   
will be set to appropriate values.
  
Asterisk has also been updated to monitor incoming TCP
connections. If a TCP connection is opened and no SIP 
request is received on that connection within a certain   
amount of time, then Asterisk will shut down the connection.  

   Affected Versions  

[asterisk-users] AST-2016-004: Long Contact URIs in REGISTER requests can crash Asterisk

2016-04-14 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2016-004

  Product             Asterisk
  Summary             Long Contact URIs in REGISTER requests can crash Asterisk
  Nature of Advisory  Remote Crash
  Susceptibility      Remote Authenticated Sessions
  Severity            Major
  Exploits Known      No
  Reported On         January 19, 2016
  Reported By         George Joseph
  Posted On
  Last Updated On     February 10, 2016
  Advisory Contact    Mark Michelson
  CVE Name

Description  Asterisk may crash when processing an incoming REGISTER  
 request if that REGISTER contains a Contact header with a
 lengthy URI. 
  
 This crash will only happen for requests that pass   
 authentication. Unauthenticated REGISTER requests will not   
 result in a crash occurring. 
  
 This vulnerability only affects Asterisk when using PJSIP
 as its SIP stack. The chan_sip module does not have this 
 problem. 

Resolution  Measures have been put in place to ensure that REGISTER   
requests with long Contact URIs are rejected instead of   
causing a crash.  

   Affected Versions
  Product               Release Series  Affected
  Asterisk Open Source  11.x            Unaffected
  Asterisk Open Source  13.x            All versions
  Certified Asterisk    11.6            Unaffected
  Certified Asterisk    13.1            All versions

   Corrected In
        Product               Release
        Asterisk Open Source  13.8.1
        Certified Asterisk    13.1-cert5

Patches
 SVN URL  Revision

   Links 

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2016-004.pdf and 
http://downloads.digium.com/pub/security/AST-2016-004.html

Revision History
 Date   Editor   Revisions Made   
February 10, 2016   Mark Michelson  Initial creation  

   Asterisk Project Security Advisory - AST-2016-004
  Copyright (c) 2016 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.


-- 
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
   http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users


[asterisk-users] AST-2016-003: Remote crash vulnerability when receiving UDPTL FAX data.

2016-02-03 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2016-003

               Product  Asterisk
               Summary  Remote crash vulnerability when receiving UDPTL FAX
                        data.
    Nature of Advisory  Denial of Service
        Susceptibility  Remote Authenticated Sessions
              Severity  Minor
        Exploits Known  Yes
           Reported On  December 2, 2015
           Reported By  Walter Dokes, Torrey Searle
             Posted On  February 3, 2016
       Last Updated On  February 3, 2016
      Advisory Contact  Richard Mudgett
              CVE Name  Pending

Description  If no UDPTL packets are lost there is no problem. However,   
 a lost packet causes Asterisk to use the available error 
 correcting redundancy packets. If those redundancy packets   
 have zero length then Asterisk uses an uninitialized buffer  
 pointer and length value which can cause invalid memory  
 accesses later when the packet is copied.

Resolution  Upgrade to a released version with the fix incorporated or
apply patch.  

   Affected Versions
        Product               Release Series
        Asterisk Open Source  1.8.x            All versions
        Asterisk Open Source  11.x             All versions
        Asterisk Open Source  12.x             All versions
        Asterisk Open Source  13.x             All versions
        Certified Asterisk    1.8.28           All versions
        Certified Asterisk    11.6             All versions
        Certified Asterisk    13.1             All versions

   Corrected In
        Product               Release
        Asterisk Open Source  11.21.1, 13.7.1
        Certified Asterisk    11.6-cert12, 13.1-cert3

   Patches
        SVN URL                                                               Revision
        http://downloads.asterisk.org/pub/security/AST-2016-003-1.8.28.diff   Certified Asterisk 1.8.28
        http://downloads.asterisk.org/pub/security/AST-2016-003-11.6.diff     Certified Asterisk 11.6
        http://downloads.asterisk.org/pub/security/AST-2016-003-13.1.diff     Certified Asterisk 13.1
        http://downloads.asterisk.org/pub/security/AST-2016-003-1.8.diff      Asterisk 1.8
        http://downloads.asterisk.org/pub/security/AST-2016-003-11.diff       Asterisk 11
        http://downloads.asterisk.org/pub/security/AST-2016-003-12.diff       Asterisk 12
        http://downloads.asterisk.org/pub/security/AST-2016-003-13.diff       Asterisk 13

Links  https://issues.asterisk.org/jira/browse/ASTERISK-25603 

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2016-003.pdf and 
http://downloads.digium.com/pub/security/AST-2016-003.html

Revision History
  Date  

[asterisk-users] AST-2016-001: BEAST vulnerability in HTTP server

2016-02-03 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2016-001

               Product  Asterisk
               Summary  BEAST vulnerability in HTTP server
    Nature of Advisory  Unauthorized data disclosure due to
                        man-in-the-middle attack
        Susceptibility  Remote unauthenticated sessions
              Severity  Minor
        Exploits Known  Yes
           Reported On  04/15/15
           Reported By  Alex A. Welzl
             Posted On  02/03/16
       Last Updated On  February 3, 2016
      Advisory Contact  Joshua Colp
              CVE Name  Pending

Description  The Asterisk HTTP server currently has a default 
 configuration which allows the BEAST vulnerability to be 
 exploited if the TLS functionality is enabled. This can  
 allow a man-in-the-middle attack to decrypt data passing 
 through it.  

Resolution  Additional configuration options have been added to Asterisk  
which allow configuration of the HTTP server to not be
susceptible to the BEAST vulnerability. These include 
options to confirm the permitted ciphers, to control what 
TLS protocols are allowed, and to use server cipher   
preference order instead of client preference order. The  
default configuration has also been changed for the HTTP  
server to use a configuration which is not susceptible to 
the BEAST vulnerability.  

   Affected Versions
        Product               Release Series
        Asterisk Open Source  1.8.x            All Versions
        Asterisk Open Source  11.x             All Versions
        Asterisk Open Source  12.x             All Versions
        Asterisk Open Source  13.x             All Versions
        Certified Asterisk    1.8.28           All Versions
        Certified Asterisk    11.6             All Versions
        Certified Asterisk    13.1             All Versions

   Corrected In
        Product               Release
        Asterisk Open Source  11.21.1, 13.7.1
        Certified Asterisk    11.6-cert12, 13.1-cert3

   Patches
        SVN URL                                                               Revision
        http://downloads.asterisk.org/pub/security/AST-2016-001-1.8.28.diff   Certified Asterisk 1.8.28
        http://downloads.asterisk.org/pub/security/AST-2016-001-11.6.diff     Certified Asterisk 11.6
        http://downloads.asterisk.org/pub/security/AST-2016-001-13.1.diff     Certified Asterisk 13.1
        http://downloads.asterisk.org/pub/security/AST-2016-001-11.diff       Asterisk 11
        http://downloads.asterisk.org/pub/security/AST-2016-001-12.diff       Asterisk 12
        http://downloads.asterisk.org/pub/security/AST-2016-001-13.diff       Asterisk 13

Links  https://issues.asterisk.org/jira/browse/ASTERISK-24972 

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  

[asterisk-users] AST-2016-002: File descriptor exhaustion in chan_sip

2016-02-03 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2016-002

               Product  Asterisk
               Summary  File descriptor exhaustion in chan_sip
    Nature of Advisory  Denial of Service
        Susceptibility  Remote Unauthenticated Sessions
              Severity  Minor
        Exploits Known  Yes
           Reported On  September 17, 2015
           Reported By  Alexander Traud
             Posted On  February 3, 2016
       Last Updated On  February 3, 2016
      Advisory Contact  Richard Mudgett
              CVE Name  Pending

Description  Setting the sip.conf timert1 value to a value higher than
 1245 can cause an integer overflow and result in large   
 retransmit timeout times. These large timeout values hold
 system file descriptors hostage and can cause the system to  
 run out of file descriptors. 

Resolution  Setting the sip.conf timert1 value to 1245 or lower will not  
exhibit the vulnerability. The default timert1 value is 500.  
Asterisk has been patched to detect the integer overflow and  
calculate the previous retransmission timer value.
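The overflow class this advisory describes can be guarded against in code of the following shape. This is an added illustration and not chan_sip's retransmission code: it assumes a simple schedule in which timer T1 is doubled once per retransmit attempt and held in a 32-bit int, and it stops doubling when the next value would no longer fit, which is the behaviour the resolution describes (keep the previous timer value). The 1245 limit in the configuration check is the value given in the advisory.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed illustration of the AST-2016-002 bug class; this is not
 * chan_sip's retransmission code.  SIP retransmits start at timer T1 and
 * double on each attempt, so attempt n waits T1 * 2^n.  Doubling a large T1
 * in a 32-bit int eventually wraps, which is what produced the oversized
 * retransmit timeouts the advisory describes. */

/* Returns the retransmit timeout (ms) for `attempt`, doubling T1 each time.
 * If another doubling would exceed INT_MAX, the doubling stops and the last
 * value that fit is returned, mirroring the advisory's fix of detecting the
 * overflow and keeping the previous timer value.  `overflowed`, if non-NULL,
 * records whether that guard fired.  Returns -1 for invalid input. */
int retrans_timeout_ms(int timer_t1, int attempt, bool *overflowed)
{
    if (overflowed) {
        *overflowed = false;
    }
    if (timer_t1 <= 0 || attempt < 0) {
        return -1;
    }
    int timeout = timer_t1;
    for (int i = 0; i < attempt; i++) {
        if (timeout > INT_MAX / 2) {       /* timeout * 2 would not fit */
            if (overflowed) {
                *overflowed = true;
            }
            break;                         /* keep the previous value */
        }
        timeout *= 2;
    }
    return timeout;
}

/* Convenience wrapper: 1 if the overflow guard fired for these inputs. */
int retrans_timeout_overflowed(int timer_t1, int attempt)
{
    bool overflowed = false;
    retrans_timeout_ms(timer_t1, attempt, &overflowed);
    return overflowed ? 1 : 0;
}

/* Configuration check a deployer can apply before upgrading: the advisory
 * states that timert1 values of 1245 or lower do not exhibit the problem
 * (the default is 500). */
int sip_timert1_within_advisory_limit(int timert1)
{
    return timert1 > 0 && timert1 <= 1245;
}
```

The guard `timeout > INT_MAX / 2` is checked before the multiplication rather than after it, because signed overflow in C is undefined behaviour and cannot be reliably detected once it has happened.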

   Affected Versions
        Product               Release Series
        Asterisk Open Source  1.8.x            All versions
        Asterisk Open Source  11.x             All versions
        Asterisk Open Source  12.x             All versions
        Asterisk Open Source  13.x             All versions
        Certified Asterisk    1.8.28           All versions
        Certified Asterisk    11.6             All versions
        Certified Asterisk    13.1             All versions

   Corrected In
        Product               Release
        Asterisk Open Source  11.21.1, 13.7.1
        Certified Asterisk    11.6-cert12, 13.1-cert3

   Patches
        SVN URL                                                               Revision
        http://downloads.asterisk.org/pub/security/AST-2016-002-1.8.28.diff   Certified Asterisk 1.8.28
        http://downloads.asterisk.org/pub/security/AST-2016-002-11.6.diff     Certified Asterisk 11.6
        http://downloads.asterisk.org/pub/security/AST-2016-002-13.1.diff     Certified Asterisk 13.1
        http://downloads.asterisk.org/pub/security/AST-2016-002-1.8.diff      Asterisk 1.8
        http://downloads.asterisk.org/pub/security/AST-2016-002-11.diff       Asterisk 11
        http://downloads.asterisk.org/pub/security/AST-2016-002-12.diff       Asterisk 12
        http://downloads.asterisk.org/pub/security/AST-2016-002-13.diff       Asterisk 13

Links  https://issues.asterisk.org/jira/browse/ASTERISK-25397 

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2016-002.pdf and 
http://downloads.digium.com/pub/security/AST-2016-002.html

Revision History
   Date 

[asterisk-users] AST-2015-003: TLS Certificate Common name NULL byte exploit

2015-04-08 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2015-003

               Product  Asterisk
               Summary  TLS Certificate Common name NULL byte exploit
    Nature of Advisory  Man in the Middle Attack
        Susceptibility  Remote Authenticated Sessions
              Severity  Major
        Exploits Known  None
           Reported On  12 January, 2015
           Reported By  Maciej Szmigiero
             Posted On  March 04, 2015
       Last Updated On  April 8, 2015
      Advisory Contact  Jonathan Rose jrose AT digium DOT com
              CVE Name  CVE-2015-3008

Description  When Asterisk registers to a SIP TLS device and verifies the
             server, Asterisk will accept signed certificates that match a
             common name other than the one Asterisk is expecting if the
             signed certificate has a common name containing a null byte
             after the portion of the common name that Asterisk expected. For
             example, if Asterisk is trying to register to www.domain.com,
             Asterisk will accept certificates of the form
             www.domain.com\x00www.someotherdomain.com - for more information
             on this exploit, see
             https://fotisl.com/blog/2009/10/the-null-certificate-prefix-bug/

Resolution  Asterisk has been patched to verify that the common name  
length of the certificate matches the common name that
Asterisk actually reads. Asterisk will not accept 
certificates with common names that contain null bytes.   
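The check the resolution describes, comparing the certificate's declared common-name length with what the C string functions actually see, looks like the following. This is an added illustration and not Asterisk's TLS verification code; it assumes the certificate parser hands over the CN bytes together with the ASN.1 length, and the sample CN with the embedded NUL is constructed from the advisory's own example.

```c
#include <stddef.h>
#include <string.h>

/* Constructed illustration of the check AST-2015-003 describes; this is not
 * Asterisk's TLS code.  An X.509 common name is an ASN.1 string with an
 * explicit length, while C string functions stop at the first NUL byte.  A
 * certificate whose CN is "www.domain.com\0www.someotherdomain.com" therefore
 * looks like "www.domain.com" to strcmp() even though the CA signed the
 * longer name. */

/* Constructed sample CN containing an embedded NUL, as in the advisory. */
static const unsigned char SAMPLE_NUL_CN[] =
    "www.domain.com\0www.someotherdomain.com";
#define SAMPLE_NUL_CN_LEN (sizeof(SAMPLE_NUL_CN) - 1)

/* Flawed comparison: trusts the C string and never sees the bytes after the
 * NUL.  Kept for contrast; do not use. */
int cn_matches_naive(const unsigned char *cn, const char *expected)
{
    return strcmp((const char *)cn, expected) == 0;
}

/* Hardened comparison.  `cn_len` is the length the certificate parser
 * reports for the CN.  The CN is rejected outright if it contains a NUL
 * within that length, and otherwise must match `expected` byte for byte
 * over its full declared length.  Returns 1 on match, 0 otherwise. */
int cn_matches(const unsigned char *cn, size_t cn_len, const char *expected)
{
    if (cn == NULL || expected == NULL) {
        return 0;
    }
    if (memchr(cn, '\0', cn_len) != NULL) {
        return 0;           /* declared length is longer than the C string */
    }
    if (strlen(expected) != cn_len) {
        return 0;           /* prefix or suffix mismatch */
    }
    return memcmp(cn, expected, cn_len) == 0;
}
```

The length comparison alone is what defeats the prefix trick: once the declared length must equal the expected name's length and the bytes must match over that whole length, no bytes can hide after a NUL.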

   Affected Versions
        Product               Release Series
        Asterisk Open Source  1.8.x            All versions
        Asterisk Open Source  11.x             All versions
        Asterisk Open Source  12.x             All versions
        Asterisk Open Source  13.x             All versions
        Certified Asterisk    1.8.28           All versions
        Certified Asterisk    11.6             All versions
        Certified Asterisk    13.1             All versions

   Corrected In
        Product               Release
        Asterisk Open Source  1.8.32.3, 11.17.1, 12.8.2, 13.3.2
        Certified Asterisk    1.8.28-cert5, 11.6-cert11, 13.1-cert2

   Patches
        SVN URL                                                               Revision
        http://downloads.asterisk.org/pub/security/AST-2015-003-1.8.28.diff   Certified Asterisk 1.8.28
        http://downloads.asterisk.org/pub/security/AST-2015-003-11.6.diff     Certified Asterisk 11.6
        http://downloads.asterisk.org/pub/security/AST-2015-003-13.1.diff     Certified Asterisk 13.1
        http://downloads.asterisk.org/pub/security/AST-2015-003-1.8.diff      Asterisk 1.8
        http://downloads.asterisk.org/pub/security/AST-2015-003-11.diff       Asterisk 11
        http://downloads.asterisk.org/pub/security/AST-2015-003-12.diff       Asterisk 12
        http://downloads.asterisk.org/pub/security/AST-2015-003-13.diff       Asterisk 13

Links  https://issues.asterisk.org/jira/browse/ASTERISK-24847 

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  

[asterisk-users] AST-2015-001: File descriptor leak when incompatible codecs are offered

2015-01-28 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2015-001

               Product  Asterisk
               Summary  File descriptor leak when incompatible codecs are
                        offered
    Nature of Advisory  Resource exhaustion
        Susceptibility  Remote Authenticated Sessions
              Severity  Major
        Exploits Known  No
           Reported On  6 January, 2015
           Reported By  Y Ateya
             Posted On  9 January, 2015
       Last Updated On  January 28, 2015
      Advisory Contact  Mark Michelson mmichelson AT digium DOT com
              CVE Name  Pending

Description  Asterisk may be configured to only allow specific audio or   
 video codecs to be used when communicating with a
 particular endpoint. When an endpoint sends an SDP offer 
 that only lists codecs not allowed by Asterisk, the offer
 is rejected. However, in this case, RTP ports that are   
 allocated in the process are not reclaimed.  
  
 This issue only affects the PJSIP channel driver in  
 Asterisk. Users of the chan_sip channel driver are not   
 affected.
  
 As the resources are allocated after authentication, this
 issue only affects communications with authenticated 
 endpoints.   

Resolution  The reported leak has been patched.   

   Affected Versions
        Product               Release Series
        Asterisk Open Source  1.8.x            Unaffected
        Asterisk Open Source  11.x             Unaffected
        Asterisk Open Source  12.x             All versions
        Asterisk Open Source  13.x             All versions
        Certified Asterisk    1.8.28           Unaffected
        Certified Asterisk    11.6             Unaffected

   Corrected In
        Product               Release
        Asterisk Open Source  12.8.1, 13.1.1

   Patches
        SVN URL                                                               Revision
        http://downloads.asterisk.org/pub/security/AST-2015-001-12.diff       Asterisk 12
        http://downloads.asterisk.org/pub/security/AST-2015-001-13.diff       Asterisk 13

Links  https://issues.asterisk.org/jira/browse/ASTERISK-24666 

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2015-001.pdf and 
http://downloads.digium.com/pub/security/AST-2015-001.html

Revision History
 DateEditor  Revisions Made   
9 January, 2015  Mark Michelson  Initial creation 

   Asterisk Project Security Advisory - AST-2015-001
  Copyright (c) 2015 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.




[asterisk-users] AST-2015-002: Mitigation for libcURL HTTP request injection vulnerability

2015-01-28 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2015-002

               Product  Asterisk
               Summary  Mitigation for libcURL HTTP request injection
                        vulnerability
    Nature of Advisory  HTTP request injection
        Susceptibility  Remote Authenticated Sessions
              Severity  Major
        Exploits Known  No
           Reported On  12 January, 2015
           Reported By  Olle Johansson
             Posted On  January 12, 2015
       Last Updated On  January 28, 2015
      Advisory Contact  Mark Michelson mmichelson AT digium DOT com
              CVE Name  N/A.

Description  CVE-2014-8150 reported an HTTP request injection 
 vulnerability in libcURL. Asterisk uses libcURL in its   
 func_curl.so module (the CURL() dialplan function), as well  
 as its res_config_curl.so (cURL realtime backend) modules.   
  
 Since Asterisk may be configured to allow for user-supplied  
 URLs to be passed to libcURL, it is possible that an 
 attacker could use Asterisk as an attack vector to inject
 unauthorized HTTP requests if the version of libcURL 
 installed on the Asterisk server is affected by  
 CVE-2014-8150.   

Resolution  Asterisk has been patched with a similar patch as libcURL 
was for CVE-2014-8150. This means that carriage return and
linefeed characters are forbidden from being in HTTP URLs 
that will be passed to libcURL.   

   Affected Versions
        Product               Release Series
        Asterisk Open Source  1.8.x            All versions
        Asterisk Open Source  11.x             All versions
        Asterisk Open Source  12.x             All versions
        Asterisk Open Source  13.x             All versions
        Certified Asterisk    1.8.28           All versions
        Certified Asterisk    11.6             All versions

   Corrected In
        Product               Release
        Asterisk Open Source  1.8.32.2, 11.15.1, 12.8.1, 13.1.1
        Certified Asterisk    1.8.28-cert4, 11.6-cert10

   Patches
        SVN URL                                                               Revision
        http://downloads.asterisk.org/pub/security/AST-2015-002-1.8.28.diff   Certified Asterisk 1.8.28
        http://downloads.asterisk.org/pub/security/AST-2015-002-11.6.diff     Certified Asterisk 11.6
        http://downloads.asterisk.org/pub/security/AST-2015-002-1.8.diff      Asterisk 1.8
        http://downloads.asterisk.org/pub/security/AST-2015-002-11.diff       Asterisk 11
        http://downloads.asterisk.org/pub/security/AST-2015-002-12.diff       Asterisk 12
        http://downloads.asterisk.org/pub/security/AST-2015-002-13.diff       Asterisk 13

Links  https://issues.asterisk.org/jira/browse/ASTERISK-24676 

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at   

[asterisk-users] AST-2014-019: Remote Crash Vulnerability in WebSocket Server

2014-12-10 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2014-019

               Product  Asterisk
               Summary  Remote Crash Vulnerability in WebSocket Server
    Nature of Advisory  Denial of Service
        Susceptibility  Remote Unauthenticated Sessions
              Severity  Moderate
        Exploits Known  No
           Reported On  30 October 2014
           Reported By  Badalian Vyacheslav
             Posted On  10 December 2014
       Last Updated On  December 10, 2014
      Advisory Contact  Joshua Colp jcolp AT digium DOT com
              CVE Name

Description  When handling a WebSocket frame the res_http_websocket   
 module dynamically changes the size of the memory used to
 allow the provided payload to fit. If a payload length of
 zero was received the code would incorrectly attempt to  
 resize to zero. This operation would succeed and end up  
 freeing the memory but be treated as a failure. When the 
 session was subsequently torn down this memory would get 
 freed yet again causing a crash. 
  
 Users of the WebSocket functionality also did not take into  
 account that provided text frames are not guaranteed to be   
 NULL terminated. This has been fixed in chan_sip and 
 chan_pjsip in the applicable versions.   

Resolution  Ensure the built-in HTTP server is disabled, upgrade to a 
version listed below, or apply the applicable patch.  
  
The change ensures that res_http_websocket does not treat 
the freeing of memory when a payload length of zero is
received as fatal.
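The two points in this advisory, a zero-length resize that frees the buffer but is treated as a failure, and text frames that arrive without a terminating NUL, can be handled as in the following added illustration. It is not res_http_websocket's code: it assumes a session structure that owns one growable payload buffer, and the five-byte frame in the demo is a constructed sample.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed illustration of the AST-2014-019 bug class; this is not
 * res_http_websocket's code.  A session keeps one growable payload buffer
 * that is resized to fit each incoming frame.  realloc(p, 0) is allowed to
 * free p and return NULL; code that treats that NULL as an allocation
 * failure, leaves the old pointer in place and later frees it again on
 * teardown performs a double free. */

struct ws_session {
    unsigned char *payload;
    size_t payload_len;
};

/* Resize the payload buffer.  Zero is handled explicitly so the pointer can
 * never dangle, and on a real allocation failure the old buffer stays valid
 * and owned by the session.  Returns 0 on success, -1 on failure. */
int ws_payload_resize(struct ws_session *s, size_t new_len)
{
    if (new_len == 0) {
        free(s->payload);              /* releasing is success, not an error */
        s->payload = NULL;
        s->payload_len = 0;
        return 0;
    }
    unsigned char *p = realloc(s->payload, new_len);
    if (p == NULL) {
        return -1;                     /* s->payload is still valid */
    }
    s->payload = p;
    s->payload_len = new_len;
    return 0;
}

/* Teardown frees whatever the session still owns; free(NULL) is a no-op, so
 * a zero-length frame followed by teardown frees the buffer exactly once. */
void ws_session_destroy(struct ws_session *s)
{
    free(s->payload);
    s->payload = NULL;
    s->payload_len = 0;
}

/* Text frames are not guaranteed to be NUL terminated (the advisory's second
 * point): copy by explicit length and terminate in the caller's buffer.
 * Returns the number of payload bytes copied. */
size_t ws_text_copy(const unsigned char *frame, size_t frame_len,
                    char *out, size_t out_size)
{
    if (out_size == 0) {
        return 0;
    }
    size_t n = frame_len < out_size - 1 ? frame_len : out_size - 1;
    memcpy(out, frame, n);
    out[n] = '\0';
    return n;
}

/* Drives one session through a grow, a zero-length frame, a text copy and
 * teardown; returns 1 if every step behaved as intended. */
int ws_demo(void)
{
    struct ws_session s = { NULL, 0 };
    const unsigned char frame[5] = { 'h', 'e', 'l', 'l', 'o' }; /* constructed, no NUL */
    char text[8];

    if (ws_payload_resize(&s, 16) != 0 || s.payload == NULL || s.payload_len != 16) {
        return 0;
    }
    if (ws_payload_resize(&s, 0) != 0 || s.payload != NULL || s.payload_len != 0) {
        return 0;
    }
    if (ws_text_copy(frame, sizeof frame, text, sizeof text) != 5 || strcmp(text, "hello") != 0) {
        return 0;
    }
    ws_session_destroy(&s);            /* no double free: payload is already NULL */
    return 1;
}
```

Keeping ownership state consistent after every path through the resize function (pointer NULL whenever the buffer is gone) is what makes the later unconditional free in teardown safe.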

   Affected Versions
        Product               Release Series
        Certified Asterisk    11.6             All versions
        Asterisk Open Source  11.x             All versions
        Asterisk Open Source  12.x             All versions
        Asterisk Open Source  13.x             All versions

   Corrected In
        Product               Release
        Certified Asterisk    11.6-cert9
        Asterisk Open Source  11.14.2, 12.7.2, 13.0.2

   Patches
        SVN URL                                                               Revision
        http://downloads.asterisk.org/pub/security/AST-2014-019-11.6.diff     Certified Asterisk 11.6
        http://downloads.asterisk.org/pub/security/AST-2014-019-11.diff       Asterisk 11
        http://downloads.asterisk.org/pub/security/AST-2014-019-12.diff       Asterisk 12
        http://downloads.asterisk.org/pub/security/AST-2014-019-13.diff       Asterisk 13

Links  https://issues.asterisk.org/jira/browse/ASTERISK-24472 

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2014-019.pdf and 
http://downloads.digium.com/pub/security/AST-2014-019.html

Revision History
  Date   Editor  Revisions Made   
December 10 2014   Joshua Colp  Initial Revision  

   Asterisk Project 

[asterisk-users] AST-2014-012: Mixed IP address families in access control lists may permit unwanted traffic.

2014-11-20 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2014-012

               Product  Asterisk
               Summary  Mixed IP address families in access control lists
                        may permit unwanted traffic.
    Nature of Advisory  Unauthorized Access
        Susceptibility  Remote unauthenticated sessions
              Severity  Moderate
        Exploits Known  No
           Reported On  25 October, 2014
           Reported By  Andreas Steinmetz
             Posted On  20 November, 2014
       Last Updated On  November 20, 2014
      Advisory Contact  Mark Michelson mmichelson AT digium DOT com
              CVE Name  Pending

Description  Many modules in Asterisk that service incoming IP traffic
 have ACL options (permit and deny) that can be used to   
 whitelist or blacklist address ranges. A bug has been
 discovered where the address family of incoming packets is   
 only compared to the IP address family of the first entry
 in the list of access control rules. If the source IP
 address for an incoming packet is not of the same address
 family as the first ACL entry, that packet bypasses all ACL  
 rules. For ACLs whose rules are all of the same address  
 family, there is no issue.   
  
 Note that while the incoming packet may bypass ACL rules,
 the packet is still subject to any authentication
 requirements that the specific protocol employs. 
  
             This issue affects the following parts of Asterisk:

               * All VoIP channel drivers
               * DUNDi
               * Asterisk Manager Interface (AMI)

Resolution  The ACL code has been amended to compare the incoming 
packet's source address family against the address families   
for all rules.
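The per-rule family comparison the resolution describes, set beside the first-rule-only comparison that caused the bypass, in an added illustration that is not Asterisk's acl.c. It assumes permit/deny semantics in which rules apply in order, the last matching rule wins and an address matching no rule is permitted, so a list that should block a whole address family needs a deny rule of that family; the four-rule list in `acl_demo` is constructed for the demo.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L          /* for inet_pton */
#endif
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

/* Constructed ACL evaluator illustrating AST-2014-012; it is not Asterisk's
 * acl.c.  Rules apply in order and the last matching rule wins; an address
 * that matches no rule is permitted, so blocking a family requires a deny
 * rule of that family.  The advisory's bug compared the source family with
 * the first rule only; here it is compared with every rule. */

enum acl_action { ACL_DENY = 0, ACL_PERMIT = 1 };

struct acl_addr {
    int family;                  /* AF_INET or AF_INET6 */
    unsigned char bytes[16];     /* IPv4 uses the first 4 bytes */
};

struct acl_rule {
    struct acl_addr net;         /* network address, already masked */
    unsigned char mask[16];
    enum acl_action action;
};

/* Parse a literal IPv4 or IPv6 address.  Returns 1 on success. */
int acl_addr_parse(const char *text, struct acl_addr *out)
{
    memset(out, 0, sizeof *out);
    if (inet_pton(AF_INET, text, out->bytes) == 1) { out->family = AF_INET; return 1; }
    if (inet_pton(AF_INET6, text, out->bytes) == 1) { out->family = AF_INET6; return 1; }
    return 0;
}

/* Parse "address/prefixlen" into a rule.  Returns 1 on success. */
int acl_rule_parse(const char *cidr, enum acl_action action, struct acl_rule *r)
{
    char host[64];
    const char *slash = strchr(cidr, '/');
    if (slash == NULL || (size_t)(slash - cidr) >= sizeof host) return 0;
    memcpy(host, cidr, (size_t)(slash - cidr));
    host[slash - cidr] = '\0';
    memset(r, 0, sizeof *r);
    if (!acl_addr_parse(host, &r->net)) return 0;
    int prefix = atoi(slash + 1);
    int maxbits = r->net.family == AF_INET ? 32 : 128;
    if (prefix < 0 || prefix > maxbits) return 0;
    for (int i = 0; i < prefix; i++) r->mask[i / 8] |= (unsigned char)(0x80 >> (i % 8));
    for (int i = 0; i < 16; i++) r->net.bytes[i] &= r->mask[i];
    r->action = action;
    return 1;
}

static int acl_rule_matches(const struct acl_rule *r, const struct acl_addr *a)
{
    for (int i = 0; i < 16; i++)
        if ((a->bytes[i] & r->mask[i]) != r->net.bytes[i]) return 0;
    return 1;
}

/* Hardened evaluation: the family check is made per rule, inside the loop. */
enum acl_action acl_apply(const struct acl_rule *rules, int n, const struct acl_addr *a)
{
    enum acl_action result = ACL_PERMIT;
    for (int i = 0; i < n; i++) {
        if (rules[i].net.family != a->family) continue;   /* other family: skip */
        if (acl_rule_matches(&rules[i], a)) result = rules[i].action;
    }
    return result;
}

/* Flawed evaluation of the kind the advisory describes: the family is compared
 * with the first rule only, so a source of the other family skips the whole
 * list.  Kept for contrast; do not use. */
enum acl_action acl_apply_first_rule_family(const struct acl_rule *rules, int n,
                                            const struct acl_addr *a)
{
    if (n == 0 || rules[0].net.family != a->family) return ACL_PERMIT;
    return acl_apply(rules, n, a);
}

/* Constructed demo list: deny both families by default, then permit one IPv4
 * and one IPv6 range.  Returns 1 (permit), 0 (deny) or -1 (parse error) for
 * `src`; `use_flawed` selects the flawed evaluator. */
int acl_demo(const char *src, int use_flawed)
{
    static const struct { const char *cidr; enum acl_action action; } spec[] = {
        { "0.0.0.0/0", ACL_DENY }, { "192.168.1.0/24", ACL_PERMIT },
        { "::/0", ACL_DENY },      { "2001:db8::/32", ACL_PERMIT },
    };
    struct acl_rule rules[4];
    struct acl_addr a;
    for (int i = 0; i < 4; i++)
        if (!acl_rule_parse(spec[i].cidr, spec[i].action, &rules[i])) return -1;
    if (!acl_addr_parse(src, &a)) return -1;
    return use_flawed ? acl_apply_first_rule_family(rules, 4, &a) : acl_apply(rules, 4, &a);
}
```

With the demo list, an IPv6 source outside 2001:db8::/32 is denied by the hardened evaluator but permitted by the first-rule-only one, because the first rule happens to be IPv4. The same list also shows the operational lesson: had the two IPv6 rules been absent, even the hardened evaluator would permit every IPv6 source, since no rule of that family matches.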

   Affected Versions
        Product               Release Series
        Asterisk Open Source  1.8.x            All versions
        Asterisk Open Source  11.x             All versions
        Asterisk Open Source  12.x             All versions
        Asterisk Open Source  13.x             All versions
        Certified Asterisk    1.8.28           All versions
        Certified Asterisk    11.6             All versions

   Corrected In
        Product               Release
        Asterisk Open Source  1.8.32.1, 11.14.1, 12.7.1, 13.0.1
        Certified Asterisk    1.8.28-cert3, 11.6-cert8

   Patches
        SVN URL                                                               Revision
        http://downloads.asterisk.org/pub/security/AST-2014-012-1.8.diff      Asterisk 1.8
        http://downloads.asterisk.org/pub/security/AST-2014-012-1.8.28.diff   Certified Asterisk 1.8.28
        http://downloads.asterisk.org/pub/security/AST-2014-012-11.diff       Asterisk 11
        http://downloads.asterisk.org/pub/security/AST-2014-012-11.6.diff     Certified Asterisk 11.6
 
   

[asterisk-users] AST-2014-014: High call load may result in hung channels in ConfBridge.

2014-11-20 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2014-014

               Product  Asterisk
               Summary  High call load may result in hung channels in
                        ConfBridge.
    Nature of Advisory  Denial of Service
        Susceptibility  Remote Unauthenticated Sessions
              Severity  Moderate
        Exploits Known  No
           Reported On  19 October, 2014
           Reported By  Ben Klang
             Posted On  20 November 2014
       Last Updated On  November 20, 2014
      Advisory Contact  Joshua Colp jcolp AT digium DOT com
              CVE Name  Pending

Description  The ConfBridge application uses an internal bridging API to  
 implement conference bridges. This internal API uses a   
 state model for channels within the conference bridge and
 transitions between states as different things occur. Under  
 load it is possible for some state transitions to be 
 delayed causing the channel to transition from being hung
 up to waiting for media. As the channel has been hung up 
 remotely no further media will arrive and the channel will   
 stay within ConfBridge indefinitely. 

Resolution  The underlying bridging code that ConfBridge uses has been
fixed so state changes can not occur that will take a 
channel out of the hung up state. 

   Affected Versions
        Product               Release Series
        Asterisk Open Source  11.x             All versions
        Certified Asterisk    11.6             All versions

   Corrected In
        Product               Release
        Asterisk Open Source  11.14.1
        Certified Asterisk    11.6-cert8

   Patches
        SVN URL                                                               Revision
        http://downloads.asterisk.org/pub/security/AST-2014-014-11.diff       Asterisk 11
        http://downloads.asterisk.org/pub/security/AST-2014-014-11.6.diff     Certified Asterisk 11.6

Links  https://issues.asterisk.org/jira/browse/ASTERISK-24440 

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2014-014.pdf and 
http://downloads.digium.com/pub/security/AST-2014-014.html

Revision History
  Date   Editor  Revisions Made   
20 November, 2014  Joshua Colp  Initial Advisory created  

   Asterisk Project Security Advisory - AST-2014-014
  Copyright (c) 2014 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.




[asterisk-users] AST-2014-013: PJSIP ACLs are not loaded on startup

2014-11-20 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2014-013

               Product  Asterisk
               Summary  PJSIP ACLs are not loaded on startup
    Nature of Advisory  Unauthorized Access
        Susceptibility  Remote unauthenticated sessions
              Severity  Moderate
        Exploits Known  No
           Reported On  28 October, 2014
           Reported By  Jonathan Rose
             Posted On  20 November, 2014
       Last Updated On  November 20, 2014
      Advisory Contact  Jonathan Rose jrose AT digium DOT com
              CVE Name  Pending

Description  The Asterisk module res_pjsip_acl provides the ability to
 configure ACLs that may be used to reject SIP requests from  
 various hosts. In affected versions of Asterisk, this
 module fails to create and apply ACLs defined in 
 pjsip.conf. This may be worked around by reloading   
 res_pjsip manually after res_pjsip_acl is loaded.

Resolution  The PJSIP ACL code has been changed to create and apply the   
ACLs properly at startup. 

   Affected Versions
        Product               Release Series
        Asterisk Open Source  12.x             All versions
        Asterisk Open Source  13.x             All versions

   Corrected In
        Product               Release
        Asterisk Open Source  12.7.1, 13.0.1

   Patches
        SVN URL                                                               Revision
        http://downloads.asterisk.org/pub/security/AST-2014-013-12.diff       Asterisk 12
        http://downloads.asterisk.org/pub/security/AST-2014-013-13.diff       Asterisk 13

Links  https://issues.asterisk.org/jira/browse/ASTERISK-24531 

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2014-013.pdf and 
http://downloads.digium.com/pub/security/AST-2014-013.html

Revision History
  DateEditor  Revisions Made  
17 November, 2014  Jonathan Rose  Initial Advisory created

   Asterisk Project Security Advisory - AST-2014-013
  Copyright (c) 2014 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.




[asterisk-users] AST-2014-015: Remote Crash Vulnerability in PJSIP channel driver

2014-11-20 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2014-015

               Product  Asterisk
               Summary  Remote Crash Vulnerability in PJSIP channel driver
    Nature of Advisory  Denial of Service
        Susceptibility  Remote Unauthenticated Sessions
              Severity  Moderate
        Exploits Known  No
           Reported On  30 October 2014
           Reported By  Yaron Nahum
             Posted On  20 November 2014
       Last Updated On  November 20, 2014
      Advisory Contact  Joshua Colp jcolp AT digium DOT com
              CVE Name  Pending

Description  The chan_pjsip channel driver uses a queue approach for  
 actions relating to SIP sessions. There exists a race
 condition where actions may be queued to answer a session
 or send ringing AFTER a SIP session has been terminated  
 using a CANCEL request. The code will incorrectly assume 
 that the SIP session is still active and attempt to send 
 the SIP response. The PJSIP library does not expect the SIP  
 session to be in the disconnected state when sending the 
 response and asserts.

Resolution  Asterisk has been patched so any queued actions that occur
after a SIP session has been disconnected will not execute.   

   Affected Versions
        Product               Release Series
        Asterisk Open Source  12.x             All versions
        Asterisk Open Source  13.x             All versions

   Corrected In
        Product               Release
        Asterisk Open Source  12.7.1, 13.0.1

   Patches
        SVN URL                                                               Revision
        http://downloads.asterisk.org/pub/security/AST-2014-015-12.diff       Asterisk 12
        http://downloads.asterisk.org/pub/security/AST-2014-015-13.diff       Asterisk 13

Links  https://issues.asterisk.org/jira/browse/ASTERISK-24471 

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2014-015.pdf and 
http://downloads.digium.com/pub/security/AST-2014-015.html

Revision History
  Date   Editor  Revisions Made   
November 20 2014   Joshua Colp  Initial Revision  

   Asterisk Project Security Advisory - AST-2014-015
  Copyright (c) 2014 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.




[asterisk-users] AST-2014-016: Remote Crash Vulnerability in PJSIP channel driver

2014-11-20 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2014-016

               Product  Asterisk
               Summary  Remote Crash Vulnerability in PJSIP channel driver
    Nature of Advisory  Denial of Service
        Susceptibility  Remote Unauthenticated Sessions
              Severity  Critical
        Exploits Known  No
           Reported On  17 November 2014
           Reported By  Joshua Colp
             Posted On  20 November 2014
       Last Updated On  November 20, 2014
      Advisory Contact  Joshua Colp jcolp AT digium DOT com
              CVE Name  Pending

Description  When handling an INVITE with Replaces message the
 res_pjsip_refer module incorrectly assumes that it will be   
 operating on a channel that has just been created. If the
 INVITE with Replaces message is sent in-dialog after a   
 session has been established this assumption will be 
 incorrect. The res_pjsip_refer module will then hang up a
 channel that is actually owned by another thread. When this  
 other thread attempts to use the just hung up channel it 
 will end up using freed channel which will likely cause a
 crash.   

Resolution  If REFER support is not required, the res_pjsip_refer module
            can be unloaded to limit exposure; otherwise, the
            res_pjsip_refer module has been patched so it will not allow
            an in-dialog INVITE with Replaces message to be processed.

   Affected Versions
        Product               Release Series
   Asterisk Open Source  12.x  All versions
   Asterisk Open Source  13.x  All versions

   Corrected In
        Product               Release
   Asterisk Open Source  12.7.1, 13.0.1

   Patches
        SVN URL                                                           Revision
   http://downloads.asterisk.org/pub/security/AST-2014-016-12.diff  Asterisk 12
   http://downloads.asterisk.org/pub/security/AST-2014-016-13.diff  Asterisk 13

   Links  https://issues.asterisk.org/jira/browse/ASTERISK-24471

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2014-016.pdf and 
http://downloads.digium.com/pub/security/AST-2014-016.html

Revision History
  Date   Editor  Revisions Made   
November 20 2014   Joshua Colp  Initial Revision  

   Asterisk Project Security Advisory - AST-2014-016
  Copyright (c) 2014 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.




[asterisk-users] AST-2014-017: Permission escalation through ConfBridge actions/dialplan functions

2014-11-20 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2014-017

           Product  Asterisk
           Summary  Permission escalation through ConfBridge actions/dialplan functions
Nature of Advisory  Permission Escalation
    Susceptibility  Remote Authenticated Sessions
          Severity  Minor
    Exploits Known  No
       Reported On  November 4, 2014
       Reported By  Gareth Palmer
         Posted On  20 November, 2014
   Last Updated On  November 20, 2014
  Advisory Contact  Kevin Harwell kharwell AT digium DOT com
          CVE Name  Pending

Description  The CONFBRIDGE dialplan function, when executed from an
             external protocol (for instance AMI), could result in a
             privilege escalation. Also, the AMI action
             ConfbridgeStartRecord could be used to execute arbitrary
             system commands without first checking for system access.

Resolution  Asterisk now inhibits the CONFBRIDGE function from being  
executed from an external interface if the live_dangerously   
option is set to no. Also, the ConfbridgeStartRecord AMI
action is now only allowed to execute under a user with   
system level access.  

   Affected Versions
        Product               Release Series
   Asterisk Open Source  11.x  All versions
   Asterisk Open Source  12.x  All versions
   Asterisk Open Source  13.x  All versions
   Certified Asterisk    11.6  All versions

   Corrected In
        Product               Release
   Asterisk Open Source  11.14.1, 12.7.1, 13.0.1
   Certified Asterisk    11.6-cert8

   Patches
        SVN URL                                                             Revision
   http://downloads.asterisk.org/pub/security/AST-2014-017-11.diff    Asterisk 11
   http://downloads.asterisk.org/pub/security/AST-2014-017-12.diff    Asterisk 12
   http://downloads.asterisk.org/pub/security/AST-2014-017-13.diff    Asterisk 13
   http://downloads.asterisk.org/pub/security/AST-2014-017-11.6.diff  Certified Asterisk 11.6

   Links  https://issues.asterisk.org/jira/browse/ASTERISK-24490

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2014-017.pdf and 
http://downloads.digium.com/pub/security/AST-2014-017.html

Revision History
  DateEditor  Revisions Made  
November 18, 2014  Kevin Harwell  Initial advisory created

   Asterisk Project Security Advisory - AST-2014-017
  Copyright (c) 2014 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.




[asterisk-users] AST-2014-018: AMI permission escalation through DB dialplan function

2014-11-20 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2014-018

           Product  Asterisk
           Summary  AMI permission escalation through DB dialplan function
Nature of Advisory  Permission Escalation
    Susceptibility  Remote Authenticated Sessions
          Severity  Minor
    Exploits Known  No
       Reported On  November 17, 2014
       Reported By  Gareth Palmer
         Posted On  20 November, 2014
   Last Updated On  November 20, 2014
  Advisory Contact  Kevin Harwell kharwell AT digium DOT com
          CVE Name  Pending

Description  The DB dialplan function when executed from an external  
 protocol (for instance AMI), could result in a privilege 
 escalation.  

Resolution  Asterisk now inhibits the DB function from being executed
            from an external interface if the live_dangerously option is
            set to no.

   Affected Versions
        Product               Release Series
   Certified Asterisk    1.8    All versions
   Certified Asterisk    11.6   All versions
   Asterisk Open Source  1.8.x  All versions
   Asterisk Open Source  11.x   All versions
   Asterisk Open Source  12.x   All versions
   Asterisk Open Source  13.x   All versions

   Corrected In
        Product               Release
   Asterisk Open Source  1.8.32.1, 11.14.1, 12.7.1, 13.0.1
   Certified Asterisk    1.8.28-cert3, 11.6-cert8

   Patches
        SVN URL                                                               Revision
   http://downloads.asterisk.org/pub/security/AST-2014-018-1.8.28.diff  Certified Asterisk 1.8
   http://downloads.asterisk.org/pub/security/AST-2014-018-11.6.diff    Certified Asterisk 11.6
   http://downloads.asterisk.org/pub/security/AST-2014-018-1.8.diff     Asterisk 1.8
   http://downloads.asterisk.org/pub/security/AST-2014-018-11.diff      Asterisk 11
   http://downloads.asterisk.org/pub/security/AST-2014-018-12.diff      Asterisk 12
   http://downloads.asterisk.org/pub/security/AST-2014-018-13.diff      Asterisk 13

   Links  https://issues.asterisk.org/jira/browse/ASTERISK-24534

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2014-018.pdf and 
http://downloads.digium.com/pub/security/AST-2014-018.html

Revision History
  DateEditor  Revisions Made  
November 18, 2014  Kevin Harwell  Initial advisory created

   Asterisk Project Security Advisory - AST-2014-018
  Copyright (c) 2014 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.



[asterisk-users] AST-2014-011: Asterisk Susceptibility to POODLE Vulnerability

2014-10-20 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2014-011

           Product  Asterisk
           Summary  Asterisk Susceptibility to POODLE Vulnerability
Nature of Advisory  Unauthorized Data Disclosure
    Susceptibility  Remote Unauthenticated Sessions
          Severity  Medium
    Exploits Known  No
       Reported On  16 October 2014
       Reported By  abelbeck
         Posted On  20 October 2014
   Last Updated On  October 20, 2014
  Advisory Contact  Matt Jordan mjordan AT digium DOT com
          CVE Name  CVE-2014-3566

   Description The POODLE vulnerability - described under CVE-2014-3566 - is
               described at
               https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566.
               This advisory describes the Asterisk project's susceptibility
               to this vulnerability.
  
   The POODLE vulnerability consists of two issues:   
  
   1) A vulnerability in the SSL protocol version 3.0. This   
   vulnerability has no known solution.   
  
   2) The ability to force a fallback to SSLv3 when a TLS 
   connection is negotiated.  
  
   Asterisk is susceptible to both portions of the vulnerability  
   in different places.   
  
   1) The res_jabber and res_xmpp module both use SSLv3   
   exclusively, and are hence susceptible to POODLE.  
  
   2) The core TLS handling, used by the chan_sip channel driver, 
   Asterisk Manager Interface (AMI), and the Asterisk HTTP
   server, defaults to allowing SSLv3/SSLv2 fallback. This allows 
   a MITM to potentially force a connection to fallback to SSLv3, 
   exposing it to the POODLE vulnerability.   

Resolution  Asterisk has been patched such that it no longer uses SSLv3   
for the res_jabber/res_xmpp modules. Additionally, when the   
encryption method is not specified, the default handling in   
the TLS core no longer allows for a fallback to SSLv3 or  
SSLv2.
  
1) Users of Asterisk's res_jabber or res_xmpp modules should  
upgrade to the versions of Asterisk specified in this 
advisory. 
  
2) Users of Asterisk's chan_sip channel driver, AMI, and  
HTTP server may set the tlsclientmethod or  
sslclientmethod to tlsv1 to force TLSv1 as the only   
allowed encryption method. Alternatively, they may also   
upgrade to the versions of Asterisk specified in this 
advisory. Users of Asterisk are encouraged to NOT specify 
sslv2 or sslv3. Doing so will now emit a WARNING. 

   Affected Versions
        Product               Release Series
   Asterisk Open Source  1.8.x   All versions
   Asterisk Open Source  11.x    All versions
   Asterisk Open Source  12.x    All versions
   Certified Asterisk    1.8.28  All versions
   Certified Asterisk    11.6    All versions

   Corrected In
        Product

[asterisk-users] AST-2014-009: Remote crash based on malformed SIP subscription requests

2014-09-18 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2014-009

           Product  Asterisk
           Summary  Remote crash based on malformed SIP subscription requests
Nature of Advisory  Remotely triggered crash of Asterisk
    Susceptibility  Remote authenticated sessions
          Severity  Major
    Exploits Known  No
       Reported On  30 July, 2014
       Reported By  Mark Michelson
         Posted On  18 September, 2014
   Last Updated On  September 18, 2014
  Advisory Contact  Mark Michelson mmichelson AT digium DOT com
          CVE Name  Pending

Description  It is possible to trigger a crash in Asterisk by sending a   
 SIP SUBSCRIBE request with unexpected mixes of headers for   
 a given event package. The crash occurs because Asterisk 
 allocates data of one type at one layer and then interprets  
 the data as a separate type at a different layer. The crash  
 requires that the SUBSCRIBE be sent from a configured
 endpoint, and the SUBSCRIBE must pass any authentication 
 that has been configured.
  
             Note that this crash is in Asterisk's PJSIP-based
             res_pjsip_pubsub module and not in the old chan_sip module.

Resolution  Type-safety has been built into the pubsub API where it   
previously was absent. A test has been added to the   
testsuite that previously would have triggered the crash. 

   Affected Versions
        Product               Release Series
   Asterisk Open Source  1.8.x   Unaffected
   Asterisk Open Source  11.x    Unaffected
   Asterisk Open Source  12.x    12.1.0 and up
   Certified Asterisk    1.8.15  Unaffected
   Certified Asterisk    11.6    Unaffected

   Corrected In
        Product               Release
   Asterisk Open Source  12.5.1

   Patches
        SVN URL                                                           Revision
   http://downloads.asterisk.org/pub/security/AST-2014-009-12.diff  Asterisk 12

   Links  https://issues.asterisk.org/jira/browse/ASTERISK-24136

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2014-009.pdf and 
http://downloads.digium.com/pub/security/AST-2014-009.html

Revision History
 DateEditor  Revisions Made   
19 August, 2014  Mark Michelson  Initial version of document  

   Asterisk Project Security Advisory - AST-2014-009
  Copyright (c) 2014 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.




[asterisk-users] AST-2014-010: Remote crash when handling out of call message in certain dialplan configurations

2014-09-18 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2014-010

           Product  Asterisk
           Summary  Remote crash when handling out of call message in certain dialplan configurations
Nature of Advisory  Remotely triggered crash of Asterisk
    Susceptibility  Remote authenticated sessions
          Severity  Minor
    Exploits Known  No
       Reported On  05 September 2014
       Reported By  Philippe Lindheimer
         Posted On  18 September 2014
   Last Updated On  September 18, 2014
  Advisory Contact  Matt Jordan mjordan AT digium DOT com
          CVE Name  Pending

Description  When an out of call message - delivered by either the SIP
 or PJSIP channel driver or the XMPP stack - is handled in
 Asterisk, a crash can occur if the channel servicing the 
 message is sent into the ReceiveFax dialplan application 
 while using the res_fax_spandsp module.  
  
 Note that this crash does not occur when using the   
 res_fax_digium module.   
  
 While this crash technically occurs due to a configuration   
 issue, as attempting to receive a fax from a channel driver  
 that only contains textual information will never succeed,   
 the likelihood of having it occur is sufficiently high as
 to warrant this advisory.

Resolution  The fax family of applications have been updated to handle
the Message channel driver correctly. Users using the fax 
family of applications along with the out of call text
messaging features are encouraged to upgrade their versions   
of Asterisk to the versions specified in this security
advisory. 
  
Additionally, users of Asterisk are encouraged to use a   
separate dialplan context to process text messages. This  
avoids issues where the Message channel driver is passed to   
dialplan applications that assume a media stream is   
available. Note that the various channel drivers and stacks   
provide such an option; an example being the SIP channel  
driver's outofcall_message_context option.

   Affected Versions
        Product               Release Series
   Asterisk Open Source  11.x  All versions
   Asterisk Open Source  12.x  All versions
   Certified Asterisk    11.6  All versions

   Corrected In
        Product               Release
   Asterisk Open Source  11.12.1, 12.5.1
   Certified Asterisk    11.6-cert6

   Patches
        SVN URL                                                             Revision
   http://downloads.asterisk.org/pub/security/AST-2014-010-11.diff    Asterisk 11
   http://downloads.asterisk.org/pub/security/AST-2014-010-12.diff    Asterisk 12
   http://downloads.asterisk.org/pub/security/AST-2014-010-11.6.diff  Certified Asterisk 11.6

   Links  https://issues.asterisk.org/jira/browse/ASTERISK-24301

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  

[asterisk-users] AST-2014-005: Remote Crash in PJSIP Channel Driver's Publish/Subscribe Framework

2014-06-12 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2014-005

           Product  Asterisk
           Summary  Remote Crash in PJSIP Channel Driver's Publish/Subscribe Framework
Nature of Advisory  Denial of Service
    Susceptibility  Remote Unauthenticated Sessions
          Severity  Moderate
    Exploits Known  No
       Reported On  March 17, 2014
       Reported By  John Bigelow jbigelow AT digium DOT com
         Posted On  June 12, 2014
   Last Updated On  June 12, 2014
  Advisory Contact  Kevin Harwell kharwell AT digium DOT com
          CVE Name  CVE-2014-4045

Description  A remotely exploitable crash vulnerability exists in the 
 PJSIP channel driver's pub/sub framework. If an attempt is   
 made to unsubscribe when not currently subscribed and the
 endpoint's sub_min_expiry is set to zero, Asterisk tries   
             to create an expiration timer with zero seconds, which is
             not allowed, so an assertion is raised.

Resolution  Upgrade to a version with the patch integrated, apply the 
patch, or make sure the sub_min_expiry endpoint 
configuration option is greater than zero.

   Affected Versions
        Product               Release Series
   Asterisk Open Source  12.x  All

   Corrected In
        Product                     Release
   Asterisk Open Source 12.x   12.3.1

   Patches
        SVN URL                                                           Revision
   http://downloads.asterisk.org/pub/security/AST-2014-005-12.diff  Asterisk 12

   Links  https://issues.asterisk.org/jira/browse/ASTERISK-23489

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2014-005.pdf and 
http://downloads.digium.com/pub/security/AST-2014-005.html

Revision History
  Date  Editor Revisions Made 
April 14, 2014 Kevin Harwell Document Creation
June 12, 2014  Matt Jordan   Added CVE

   Asterisk Project Security Advisory - AST-2014-005
  Copyright (c) 2014 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.




[asterisk-users] AST-2014-006: Asterisk Manager User Unauthorized Shell Access

2014-06-12 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2014-006

           Product  Asterisk
           Summary  Asterisk Manager User Unauthorized Shell Access
Nature of Advisory  Permission Escalation
    Susceptibility  Remote Authenticated Sessions
          Severity  Minor
    Exploits Known  No
       Reported On  April 9, 2014
       Reported By  Corey Farrell
         Posted On  June 12, 2014
   Last Updated On  June 12, 2014
  Advisory Contact  Jonathan Rose jrose AT digium DOT com
          CVE Name  CVE-2014-4046

Description  Manager users can execute arbitrary shell commands with the  
 MixMonitor manager action. Asterisk does not require system  
 class authorization for a manager user to use the
 MixMonitor action, so any manager user who is permitted to   
 use manager commands can potentially execute shell commands  
 as the user executing the Asterisk process.  

Resolution  Upgrade to a version with the patch integrated, apply the 
patch, or do not allow users who should not have permission   
to run shell commands to use AMI. 

   Affected Versions
        Product               Release Series
   Asterisk Open Source  11.x  All
   Asterisk Open Source  12.x  All
   Certified Asterisk    11.6  All

   Corrected In
        Product               Release
   Asterisk Open Source  11.10.1, 12.3.1
   Certified Asterisk    11.6-cert3

   Patches
        SVN URL                                                             Revision
   http://downloads.asterisk.org/pub/security/AST-2014-006-11.diff    Asterisk 11
   http://downloads.asterisk.org/pub/security/AST-2014-006-12.diff    Asterisk 12
   http://downloads.asterisk.org/pub/security/AST-2014-006-11.6.diff  Certified Asterisk 11.6

   Links  https://issues.asterisk.org/jira/browse/ASTERISK-23609

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2014-006.pdf and 
http://downloads.digium.com/pub/security/AST-2014-006.html

Revision History
  Date  Editor Revisions Made 
April 23, 2014 Jonathan Rose Document Creation
June 12, 2014  Matt Jordan   Added CVE

   Asterisk Project Security Advisory - AST-2014-006
  Copyright (c) 2014 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.




[asterisk-users] AST-2014-008: Denial of Service in PJSIP Channel Driver Subscriptions

2014-06-12 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2014-008

           Product  Asterisk
           Summary  Denial of Service in PJSIP Channel Driver Subscriptions
Nature of Advisory  Denial of Service
    Susceptibility  Remote authenticated sessions
          Severity  Moderate
    Exploits Known  No
       Reported On  28 May, 2014
       Reported By  Mark Michelson
         Posted On  June 12, 2014
   Last Updated On  June 12, 2014
  Advisory Contact  Mark Michelson mmichelson AT digium DOT com
          CVE Name  CVE-2014-4048

Description  When a SIP transaction timeout caused a subscription to be   
 terminated, the action taken by Asterisk was guaranteed to   
 deadlock the thread on which SIP requests are serviced.  
  
 Note that this behavior could only happen on established 
 subscriptions, meaning that this could only be exploited if  
 an attacker bypassed authentication and successfully 
 subscribed to a real resource on the Asterisk server.

Resolution  The socket-servicing thread is now no longer capable of   
dispatching synchronous tasks to other threads since that 
may result in deadlocks.  

   Affected Versions
        Product               Release Series
   Asterisk Open Source  12.x  All versions

   Corrected In
        Product               Release
   Asterisk Open Source  12.3.1

   Patches
        SVN URL                                                           Revision
   http://downloads.asterisk.org/pub/security/AST-2014-008-12.diff  Asterisk 12

   Links  https://issues.asterisk.org/jira/browse/ASTERISK-23802

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2014-008.pdf and 
http://downloads.digium.com/pub/security/AST-2014-008.html

Revision History
  Date  Editor Revisions Made 
June 6, 2014   Mark MichelsonDocument Creation
June 12, 2014  Matt Jordan   Added CVE

   Asterisk Project Security Advisory - AST-2014-008
  Copyright (c) 2014 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.




[asterisk-users] AST-2014-007: Exhaustion of Allowed Concurrent HTTP Connections

2014-06-12 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2014-007

           Product  Asterisk
           Summary  Exhaustion of Allowed Concurrent HTTP Connections
Nature of Advisory  Denial Of Service
    Susceptibility  Remote Unauthenticated Sessions
          Severity  Moderate
    Exploits Known  No
       Reported On  May 25, 2014
       Reported By  Richard Mudgett
         Posted On  May 9, 2014
   Last Updated On  June 12, 2014
  Advisory Contact  Richard Mudgett rmudgett AT digium DOT com
          CVE Name  CVE-2014-4047

Description  Establishing a TCP or TLS connection to the configured HTTP  
 or HTTPS port respectively in http.conf and then not 
 sending or completing a HTTP request will tie up a HTTP  
 session. By doing this repeatedly until the maximum number   
 of open HTTP sessions is reached, legitimate requests are
 blocked. 

Resolution  The patched versions now have a session_inactivity timeout
option in http.conf that defaults to 3 ms. Users should   
upgrade to a corrected version, apply the released patches,   
or disable HTTP support.  

   Affected Versions
        Product               Release Series
   Asterisk Open Source  1.8.x   All versions
   Asterisk Open Source  11.x    All versions
   Asterisk Open Source  12.x    All versions
   Certified Asterisk    1.8.15  All versions
   Certified Asterisk    11.6    All versions

   Corrected In
        Product               Release
   Asterisk Open Source  1.8.28.1, 11.10.1, 12.3.1
   Certified Asterisk    1.8.15-cert6, 11.6-cert3

   Patches
        SVN URL                                                               Revision
   http://downloads.asterisk.org/pub/security/AST-2014-007-1.8.diff     Asterisk 1.8
   http://downloads.asterisk.org/pub/security/AST-2014-007-11.diff      Asterisk 11
   http://downloads.asterisk.org/pub/security/AST-2014-007-12.diff      Asterisk 12
   http://downloads.asterisk.org/pub/security/AST-2014-007-1.8.15.diff  Certified Asterisk 1.8.15
   http://downloads.asterisk.org/pub/security/AST-2014-007-11.6.diff    Certified Asterisk 11.6

   Links  https://issues.asterisk.org/jira/browse/ASTERISK-23673

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2014-007.pdf and 
http://downloads.digium.com/pub/security/AST-2014-007.html

Revision History
  Date  Editor Revisions Made 
May 9, 2014Richard Mudgett   Document Creation
June 12, 2014  Matt Jordan   Added CVE

   Asterisk Project Security Advisory - AST-2014-007
  Copyright (c) 2014 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.



[asterisk-users] AST-2014-002: Denial of Service Through File Descriptor Exhaustion with chan_sip Session-Timers

2014-03-10 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2014-002

           Product  Asterisk
           Summary  Denial of Service Through File Descriptor Exhaustion with chan_sip Session-Timers
Nature of Advisory  Denial of Service
    Susceptibility  Remote Authenticated or Anonymous Sessions
          Severity  Moderate
    Exploits Known  No
       Reported On  2014/02/25
       Reported By  Corey Farrell
         Posted On  March 10, 2014
   Last Updated On  March 10, 2014
  Advisory Contact  Kinsey Moore kmoore AT digium DOT com
          CVE Name  CVE-2014-2287

Description  An attacker can use all available file descriptors using 
 SIP INVITE requests. 
  
 Knowledge required to achieve the attack:
  
 * Valid account credentials or anonymous dial in 
  
 * A valid extension that can be dialed from the SIP account  
  
 Trigger conditions:  
  
 * chan_sip configured with session-timers set to   
 originate or accept  
  
 ** The INVITE request must contain either a Session-Expires  
 or a Min-SE header with malformed values or values   
 disallowed by the system's configuration.
  
 * chan_sip configured with session-timers set to refuse  
  
 ** The INVITE request must offer timer in the Supported  
 header   
  
             Asterisk will respond with code 400, 420, or 422 for
             INVITEs meeting these criteria. Each INVITE meeting these
 conditions will leak a channel and several file  
 descriptors. The file descriptors cannot be released 
 without restarting Asterisk which may allow intrusion
 detection systems to be bypassed by sending the requests 
 slowly.  

Resolution  Upgrade to a version with the patch integrated or apply the   
appropriate patch.

   Affected Versions
        Product               Release Series
   Asterisk Open Source  1.8.x   All
   Asterisk Open Source  11.x    All
   Asterisk Open Source  12.x    All
   Certified Asterisk    1.8.15  All
   Certified Asterisk    11.6    All

   Corrected In
        Product                       Release
   Asterisk Open Source 1.8.x    1.8.26.1
   Asterisk Open Source 11.x     11.8.1
   Asterisk Open Source 12.x     12.1.1
   Certified Asterisk 1.8.15     1.8.15-cert5
   Certified Asterisk 11.6       11.6-cert2

   Patches
        SVN URL                                                            Revision
   http://downloads.asterisk.org/pub/security/AST-2014-002-1.8.diff  Asterisk 1.8
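A defender-side classifier for the trigger conditions listed in the AST-2014-002 description above, as an added example that is not part of the advisory or of the Asterisk code base. The sample INVITEs are constructed, the `session_minse` default of 90 seconds stands in for the "values disallowed by the system's configuration", and the `LeakMonitor` threshold is an assumption; the count is deliberately cumulative because the advisory notes the leaked descriptors are only released by a restart.

```python
"""Flag SIP INVITEs that match the AST-2014-002 trigger conditions.

Added example, not code from the advisory or the Asterisk project.
It checks an INVITE against the header combinations the advisory lists
for a given chan_sip session-timers mode and keeps a cumulative count,
since leaked descriptors persist until Asterisk restarts and a slow
trickle of requests therefore still adds up.
"""

# Constructed sample INVITEs (not real captures); the SDP body is omitted.
_BASE = (
    "INVITE sip:1000@pbx.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKabc\r\n"
    "From: <sip:alice@pbx.example>;tag=1\r\n"
    "To: <sip:1000@pbx.example>\r\n"
    "Call-ID: c1@192.0.2.10\r\n"
    "CSeq: 1 INVITE\r\n"
)
INVITE_MALFORMED = _BASE + "Session-Expires: soon\r\nContent-Length: 0\r\n\r\n"
INVITE_TOO_LOW = _BASE + "Supported: timer\r\nMin-SE: 5\r\nContent-Length: 0\r\n\r\n"
INVITE_TIMER_OK = (_BASE + "Supported: replaces, timer\r\n"
                   "Session-Expires: 1800;refresher=uac\r\nContent-Length: 0\r\n\r\n")
INVITE_PLAIN = _BASE + "Content-Length: 0\r\n\r\n"


def parse_sip(message):
    """Return (request_line, headers); headers maps lower-cased names to
    the list of values seen, since a header may repeat."""
    head = message.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # not a header line; ignore rather than fail
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def _values(headers, *names):
    """Collect values under any of the given header names (long and
    compact forms: Session-Expires/x, Supported/k)."""
    found = []
    for name in names:
        found.extend(headers.get(name, []))
    return found


def _bad_delta(values, minimum):
    """True if any value is not a plain integer or is below `minimum`
    (the stand-in here for 'disallowed by the system's configuration')."""
    for value in values:
        delta = value.split(";", 1)[0].strip()  # drop ;refresher=... params
        if not delta.isdigit() or int(delta) < minimum:
            return True
    return False


def matches_trigger(message, session_timers, session_minse=90):
    """Classify one INVITE against the advisory's trigger conditions.

    session_timers is the chan_sip setting: 'originate', 'accept' or
    'refuse'. session_minse (assumed default of 90 seconds) is the local
    minimum below which Session-Expires or Min-SE would be rejected.
    """
    request_line, headers = parse_sip(message)
    if not request_line.startswith("INVITE "):
        return False
    if session_timers in ("originate", "accept"):
        timers = _values(headers, "session-expires", "x") + _values(headers, "min-se")
        return _bad_delta(timers, session_minse)
    if session_timers == "refuse":
        tokens = set()
        for value in _values(headers, "supported", "k"):
            tokens.update(t.strip().lower() for t in value.split(","))
        return "timer" in tokens
    raise ValueError("unknown session-timers mode: %r" % session_timers)


class LeakMonitor:
    """Cumulative, not windowed: each matching INVITE leaks descriptors
    that are only reclaimed by a restart, so call reset() on restart only."""

    def __init__(self, session_timers, alert_after):
        self.session_timers = session_timers
        self.alert_after = alert_after
        self.count = 0

    def observe(self, message):
        """Record one INVITE; return True once the cumulative count of
        matching requests reaches the alert threshold."""
        if matches_trigger(message, self.session_timers):
            self.count += 1
        return self.count >= self.alert_after

    def reset(self):
        self.count = 0
```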
 
   

[asterisk-users] AST-2014-001: Stack Overflow in HTTP Processing of Cookie Headers.

2014-03-10 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2014-001

           Product  Asterisk
           Summary  Stack Overflow in HTTP Processing of Cookie Headers.
Nature of Advisory  Denial Of Service
    Susceptibility  Remote Unauthenticated Sessions
          Severity  Moderate
    Exploits Known  No
       Reported On  February 21, 2014
       Reported By  Lucas Molas, researcher at Programa STIC, Fundacion Dr. Manuel Sadosky, Buenos Aires, Argentina
         Posted On  March 10, 2014
   Last Updated On  March 10, 2014
  Advisory Contact  Richard Mudgett rmudgett AT digium DOT com
          CVE Name  CVE-2014-2286

Description  Sending a HTTP request that is handled by Asterisk with a
 large number of Cookie headers could overflow the stack. 
 You could even exhaust memory if you sent an unlimited   
 number of headers in the request.

Resolution  The patched versions now handle headers in a fashion that 
prevents a stack overflow. Users should upgrade to a  
corrected version, apply the released patches, or disable 
HTTP support. 

   Affected Versions
        Product               Release Series
   Asterisk Open Source  1.8.x  All versions
   Asterisk Open Source  11.x   All versions
   Asterisk Open Source  12.x   All versions
   Certified Asterisk    1.8.x  All versions
   Certified Asterisk    11.x   All versions

   Corrected In
        Product               Release
   Asterisk Open Source  1.8.26.1, 11.8.1, 12.1.1
   Certified Asterisk    1.8.15-cert5, 11.6-cert2

   Patches
        SVN URL                                                               Revision
   http://downloads.asterisk.org/pub/security/AST-2014-001-1.8.diff     Asterisk 1.8
   http://downloads.asterisk.org/pub/security/AST-2014-001-11.diff      Asterisk 11
   http://downloads.asterisk.org/pub/security/AST-2014-001-12.diff      Asterisk 12
   http://downloads.asterisk.org/pub/security/AST-2014-001-1.8.15.diff  Certified Asterisk 1.8.15
   http://downloads.asterisk.org/pub/security/AST-2014-001-11.6.diff    Certified Asterisk 11.6

   Links  https://issues.asterisk.org/jira/browse/ASTERISK-23340

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2014-001.pdf and 
http://downloads.digium.com/pub/security/AST-2014-001.html

Revision History
  Date  Editor Revisions Made 
03/10/14   Richard Mudgett   Initial Revision.

   Asterisk Project Security Advisory - AST-2014-001
  Copyright (c) 2014 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.



[asterisk-users] AST-2014-003: Remote Crash Vulnerability in PJSIP channel driver

2014-03-10 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2014-003

           Product  Asterisk
           Summary  Remote Crash Vulnerability in PJSIP channel driver
Nature of Advisory  Denial of Service
    Susceptibility  Remote Unauthenticated Sessions
          Severity  Moderate
    Exploits Known  No
       Reported On  January 29, 2014
       Reported By  Joshua Colp jcolp AT digium DOT com
         Posted On  March 10, 2014
   Last Updated On  March 10, 2014
  Advisory Contact  Joshua Colp jcolp AT digium DOT com
          CVE Name  CVE-2014-2288

Description  A remotely exploitable crash vulnerability exists in the 
 PJSIP channel driver if the qualify_frequency  
 configuration option is enabled on an AOR and the remote 
 SIP server challenges for authentication of the resulting
 OPTIONS request. The response handling code wrongly assumes  
 that a PJSIP endpoint will always be associated with an  
 outgoing request which is incorrect. 

Resolution  This patch adds a check when handling responses challenging   
for authentication. If no endpoint is associated with the 
request no retry with authentication will occur.  

   Affected Versions
 Product   Release Series  
  Asterisk Open Source  12.x   All

  Corrected In
  Product  Release
 Asterisk Open Source 12.x  12.1.1

Patches
   SVN URL  Revision  
   http://downloads.asterisk.org/pub/security/AST-2014-003-12.diff  Asterisk 12

   Links https://issues.asterisk.org/jira/browse/ASTERISK-23210   

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2014-003.pdf and 
http://downloads.digium.com/pub/security/AST-2014-003.html

Revision History
  Date Editor  Revisions Made 
03/05/14   Joshua Colp  Document Creation 

   Asterisk Project Security Advisory - AST-2014-003
  Copyright (c) 2014 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.




[asterisk-users] AST-2014-004: Remote Crash Vulnerability in PJSIP Channel Driver Subscription Handling

2014-03-10 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2014-004

 ProductAsterisk  
 SummaryRemote Crash Vulnerability in PJSIP Channel Driver
Subscription Handling 
Nature of Advisory  Denial of Service 
  SusceptibilityRemote Authenticated Sessions 
 Severity   Moderate  
  Exploits KnownNo
   Reported On  January 14th, 2014
   Reported By  Mark Michelson
Posted On   March 10, 2014
 Last Updated OnMarch 10, 2014
 Advisory Contact   Matt Jordan mjordan AT digium DOT com   
 CVE Name   CVE-2014-2289 

Description  A remotely exploitable crash vulnerability exists in the 
 PJSIP channel driver's handling of SUBSCRIBE requests. If a  
 SUBSCRIBE request is received for the presence Event, and
 that request has no Accept headers, Asterisk will attempt
 to access an invalid pointer to the header location. 
  
 Note that this issue was fixed during a re-architecture of   
 the res_pjsip_pubsub module in Asterisk 12.1.0. As such, 
 this issue has already been resolved in a released version   
 of Asterisk. This notification is being released for users   
 of Asterisk 12.0.0.  

Resolution  Upgrade to Asterisk 12.1.0, or apply the patch noted below
to Asterisk 12.0.0.   

   Affected Versions
 Product   Release Series  
  Asterisk Open Source  12.x   12.0.0 

  Corrected In  
 Product  Release 
   Asterisk Open Source12.1.0 

Patches
   SVN URL  Revision  
   http://downloads.asterisk.org/pub/security/AST-2014-004-12.diff  Asterisk 12

   Links https://issues.asterisk.org/jira/browse/ASTERISK-23139   

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2014-004.pdf and 
http://downloads.digium.com/pub/security/AST-2014-004.html

Revision History
  Date Editor  Revisions Made 
03/05/14   Matt Jordan  Initial Revision  

   Asterisk Project Security Advisory - AST-2014-004
  Copyright (c) 2014 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.




[asterisk-users] AST-2013-006: Buffer Overflow when receiving odd length 16 bit SMS message

2013-12-16 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2013-006

 ProductAsterisk  
 SummaryBuffer Overflow when receiving odd length 16 bit SMS  
message   
Nature of Advisory  Buffer Overflow and Remote Crash  
  SusceptibilityRemote SMS Messages   
 Severity   Major 
  Exploits KnownNone  
   Reported On  September 26, 2013
   Reported By  Jan Juergens  
Posted On   December 16, 2013 
 Last Updated OnDecember 16, 2013 
 Advisory Contact   Scott Griepentrog sgriepentrog AT digium DOT com
 CVE Name   Pending   

Description  A 16 bit SMS message that contains an odd message length 
 value will cause the message decoding loop to run forever.   
 The message buffer is not on the stack but will be   
 overflowed resulting in corrupted memory and an immediate
 crash.   

Resolution  This patch corrects the evaluation of the message length  
indicator, ensuring that the message decoding loop will stop  
at the end of the received message.   
  
Thanks to Jan Juergens for finding, reporting, testing, and   
providing a fix for this problem. 

   Affected Versions
Product Release Series  
 Asterisk Open Source1.8.x  All Versions  
 Asterisk Open Source10.x   All Versions  
  Asterisk with Digiumphones   10.x-digiumphones  All Versions  
 Asterisk Open Source11.x   All Versions  
  Certified Asterisk 1.8.x  All Versions  
  Certified Asterisk 11.x   All Versions  

  Corrected In
  Product  Release
Asterisk Open Source  1.8.24.1, 10.12.4, 11.6.1   
 Asterisk with Digiumphones  10.12.4-digiumphones 
 Certified Asterisk1.8.15-cert4, 11.2-cert3   

  Patches
   SVN URL                                                                        Revision
   http://downloads.asterisk.org/pub/security/AST-2013-006-1.8.diff               Asterisk 1.8
   http://downloads.asterisk.org/pub/security/AST-2013-006-10.diff                Asterisk 10
   http://downloads.asterisk.org/pub/security/AST-2013-006-10-digiumphones.diff   Asterisk 10-digiumphones
   http://downloads.asterisk.org/pub/security/AST-2013-006-11.diff                Asterisk 11
   http://downloads.asterisk.org/pub/security/AST-2013-006-1.8.15.diff            Certified Asterisk 1.8.15
   http://downloads.asterisk.org/pub/security/AST-2013-006-11.2.diff              Certified Asterisk 11.2

   Links https://issues.asterisk.org/jira/browse/ASTERISK-22590   

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2013-006.pdf and 
http://downloads.digium.com/pub/security/AST-2013-006.html

Revision History
  Date  Editor Revisions Made 
12/16/2013 Scott Griepentrog Initial Revision 

   Asterisk Project Security Advisory - AST-2013-006
  Copyright (c) 2013 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
  

[asterisk-users] AST-2013-007: Asterisk Manager User Dialplan Permission Escalation

2013-12-16 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2013-007

 ProductAsterisk  
 SummaryAsterisk Manager User Dialplan Permission Escalation  
Nature of Advisory  Permission Escalation 
  SusceptibilityRemote Authenticated Sessions 
 Severity   Minor 
  Exploits KnownNone  
   Reported On  November 25, 2013 
   Reported By  Matt Jordan   
Posted On   December 16, 2013 
 Last Updated OnDecember 16, 2013 
 Advisory Contact   David Lee  dlee AT digium DOT com   
 CVE Name   Pending   

Description  External control protocols, such as the Asterisk Manager 
 Interface, often have the ability to get and set channel 
 variables; this allows the execution of dialplan functions.  
  
                 Dialplan functions within Asterisk are incredibly powerful,  
                 which is wonderful for building applications using Asterisk. 
                 But during the read or write execution, certain dialplan 
                 functions do much more. For example, reading the SHELL() 
                 function can execute 
 arbitrary commands on the system Asterisk is running on. 
 Writing to the FILE() function can change any file that  
 Asterisk has write access to.
  
 When these functions are executed from an external   
 protocol, that execution could result in a privilege 
 escalation.  

Resolution  Asterisk can now inhibit the execution of these functions 
from external interfaces such as AMI, if live_dangerously in  
the [options] section of asterisk.conf is set to no.  
  
For backwards compatibility, live_dangerously defaults to 
yes, and must be explicitly set to no to enable this  
privilege escalation protection.  

   Affected Versions
Product Release Series  
 Asterisk Open Source1.8.x  All Versions  
 Asterisk Open Source10.x   All Versions  
  Asterisk with Digiumphones   10.x-digiumphones  All Versions  
 Asterisk Open Source11.x   All Versions  
  Certified Asterisk 1.8.x  All Versions  
  Certified Asterisk 11.x   All Versions  

  Corrected In
  Product  Release
Asterisk Open Source  1.8.24.1, 10.12.4, 11.6.1   
 Asterisk with Digiumphones  10.12.4-digiumphones 
 Certified Asterisk1.8.15-cert4, 11.2-cert3   

  Patches
   SVN URL                                                                        Revision
   http://downloads.asterisk.org/pub/security/AST-2013-007-1.8.diff               Asterisk 1.8
   http://downloads.asterisk.org/pub/security/AST-2013-007-10.diff                Asterisk 10
   http://downloads.asterisk.org/pub/security/AST-2013-007-10-digiumphones.diff   Asterisk 10-digiumphones
   http://downloads.asterisk.org/pub/security/AST-2013-007-11.diff                Asterisk 11
   http://downloads.asterisk.org/pub/security/AST-2013-007-1.8.15.diff            Certified Asterisk 1.8.15
   http://downloads.asterisk.org/pub/security/AST-2013-007-11.2.diff              Certified Asterisk 11.2

   Links https://issues.asterisk.org/jira/browse/ASTERISK-22905   

Asterisk Project Security 
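
The setting the resolution describes, shown as an added asterisk.conf fragment (this is not text from the advisory): the backwards-compatible default beside the hardened value. The section and option name come from the advisory; the comments are this example's.

```ini
[options]
; Weak: the default after the patch, kept for backwards compatibility.
; Any AMI (or other external-interface) user who can read or write
; channel variables can reach SHELL(), FILE() and similar functions.
;live_dangerously = yes

; Hardened: refuse to execute those functions when they are invoked
; from an external interface such as AMI.
live_dangerously = no
```

Because the default stays `yes`, upgrading to a corrected release alone does not close the escalation; the value has to be set explicitly, and Asterisk restarted or the core configuration reloaded, for the protection to take effect.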

[asterisk-users] AST-2013-004: Remote Crash From Late Arriving SIP ACK With SDP

2013-08-27 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2013-004

  Product Asterisk
  Summary Remote Crash From Late Arriving SIP ACK With SDP
 Nature of Advisory   Remote Crash
   Susceptibility Remote Unauthenticated Sessions 
  SeverityMajor   
   Exploits Known None
Reported On   February 11, 2013   
Reported By   Colin Cuthbertson   
 Posted OnAugust 27, 2013 
  Last Updated On August 27, 2013 
  Advisory ContactJoshua Colp jcolp AT digium DOT com   
  CVE NamePending 

Description  A remotely exploitable crash vulnerability exists in the 
 SIP channel driver if an ACK with SDP is received after the  
 channel has been terminated. The handling code incorrectly   
 assumes that the channel will always be present. 

Resolution  A check has now been added which only parses SDP and applies  
it if an Asterisk channel is present. 
  
Note that Walter Doekes, OSSO B.V., is responsible for
diagnosing and providing the fix for this issue.  

   Affected Versions
  Product Release Series  
Asterisk Open Source  1.8.x   1.8.17.0 and above  
Asterisk Open Source   11.x   All versions
 Certified Asterisk   1.8.15  All versions
 Certified Asterisk11.2   All versions

  Corrected In
 Product  Release 
  Asterisk Open Source   1.8.23.1, 11.5.1 
   Certified Asterisk1.8.15-cert3, 11.2-cert2 

  Patches
   SVN URL                                                                  Revision
   http://downloads.asterisk.org/pub/security/AST-2013-004-1.8.diff         Asterisk 1.8
   http://downloads.asterisk.org/pub/security/AST-2013-004-11.diff          Asterisk 11
   http://downloads.asterisk.org/pub/security/AST-2013-004-1.8.15-cert.diff Certified Asterisk 1.8.15
   http://downloads.asterisk.org/pub/security/AST-2013-004-11.2-cert.diff   Certified Asterisk 11.2

   Links https://issues.asterisk.org/jira/browse/ASTERISK-21064   

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2013-004.pdf and 
http://downloads.digium.com/pub/security/AST-2013-004.html

Revision History
  Date Editor  Revisions Made 
2013-08-22 Joshua Colp  Initial revision. 

   Asterisk Project Security Advisory - AST-2013-004
  Copyright (c) 2013 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.




[asterisk-users] AST-2013-005: Remote Crash when Invalid SDP is sent in SIP Request

2013-08-27 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2013-005

 ProductAsterisk  
 SummaryRemote Crash when Invalid SDP is sent in SIP Request  
Nature of Advisory  Remote Crash  
  SusceptibilityRemote Unauthenticated Sessions   
 Severity   Major 
  Exploits KnownNone  
   Reported On  July 03, 2013 
   Reported By  Walter Doekes, OSSO B.V.  
Posted On   August 27, 2013   
 Last Updated OnAugust 27, 2013   
 Advisory Contact   Matthew Jordan mjordan AT digium DOT com
 CVE Name   Pending   

Description  A remotely exploitable crash vulnerability exists in the 
 SIP channel driver if an invalid SDP is sent in a SIP
 request that defines media descriptions before connection
 information. The handling code incorrectly attempts to   
 reference the socket address information even though that
 information has not yet been set.

Resolution  This patch adds checks when handling the various media
descriptions that ensures the media descriptions are handled  
only if we have connection information suitable for that  
media.
  
Thanks to Walter Doekes of OSSO B.V. for finding, reporting,  
testing, and providing the fix for this problem.  

   Affected Versions
 ProductRelease Series
  Asterisk Open Source   1.8.xAll Versions
  Asterisk Open Source   10.x All Versions
  Asterisk Open Source   11.x All Versions
   Certified Asterisk   1.8.15All Versions
   Certified Asterisk11.2 All Versions
   Asterisk with Digiumphones  10.x-digiumphones  All Versions

  Corrected In
  Product  Release
Asterisk Open Source  1.8.23.1, 10.12.3, 11.5.1   
 Certified Asterisk1.8.15-cert3, 11.2-cert2   
 Asterisk with Digiumphones  10.12.3-digiumphones 

  Patches
   SVN URL                                                                        Revision
   http://downloads.asterisk.org/pub/security/AST-2013-005-1.8.diff               Asterisk 1.8
   http://downloads.asterisk.org/pub/security/AST-2013-005-10.diff                Asterisk 10
   http://downloads.asterisk.org/pub/security/AST-2013-005-10-digiumphones.diff   Asterisk 10-digiumphones
   http://downloads.asterisk.org/pub/security/AST-2013-005-11.diff                Asterisk 11
   http://downloads.asterisk.org/pub/security/AST-2013-005-1.8.15.diff            Certified Asterisk 1.8.15
   http://downloads.asterisk.org/pub/security/AST-2013-005-11.2.diff              Certified Asterisk 11.2

   Links https://issues.asterisk.org/jira/browse/ASTERISK-22007   

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2013-005.pdf and 
http://downloads.digium.com/pub/security/AST-2013-005.html

Revision History
  Date Editor  Revisions Made 
2013-08-27 Matt Jordan  Initial Revision  

   Asterisk Project Security Advisory - AST-2013-005
  Copyright (c) 2013 Digium, Inc. All Rights Reserved.
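
The ordering problem the advisory describes, as an added C example (this is not chan_sip's SDP parser): a minimal SDP reader that collects media sections first and resolves each stream's connection address afterwards, failing closed when an offer carries no c= line at all instead of using an address that was never set. The line formats handled, the limits and the sample offers are assumptions of the example.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example, not chan_sip code. An offer may legally put a media-level
 * "c=" after its "m=" line, or omit "c=" entirely. A parser that acts on
 * "m=" the moment it sees it reads connection data that is not set yet.
 * Here "m=" sections are only collected; resolution happens once the whole
 * body is known. Only "c=IN IPx <addr>" and "m=<type> <port> ..." are
 * interpreted. Assumed limits: 4 media sections, 255-byte lines.
 */

#define MAX_MEDIA 4
#define ADDR_LEN  46        /* room for an IPv6 literal */

struct media {
    char type[8];
    int  port;
    char addr[ADDR_LEN];    /* media-level c=, if any */
    int  have_addr;
};

struct sdp {
    char         sess_addr[ADDR_LEN];   /* session-level c=, if any */
    int          have_sess_addr;
    struct media m[MAX_MEDIA];
    int          nmedia;
};

/* Parse one SDP body into `s`. Returns 0, or -1 on a line we cannot hold. */
static int parse_sdp(const char *text, struct sdp *s)
{
    memset(s, 0, sizeof *s);
    for (const char *p = text; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        if (len >= sizeof line)
            return -1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (len && line[len - 1] == '\r')
            line[len - 1] = '\0';

        if (strncmp(line, "m=", 2) == 0) {
            if (s->nmedia == MAX_MEDIA)
                return -1;
            struct media *m = &s->m[s->nmedia];
            if (sscanf(line, "m=%7s %d", m->type, &m->port) == 2)
                s->nmedia++;
        } else if (strncmp(line, "c=", 2) == 0) {
            /* Before any m= this is session-level; after one it belongs
             * to the most recent media section. */
            char addr[ADDR_LEN];
            if (sscanf(line, "c=IN IP%*c %45s", addr) == 1) {
                if (s->nmedia == 0) {
                    strcpy(s->sess_addr, addr);
                    s->have_sess_addr = 1;
                } else {
                    struct media *m = &s->m[s->nmedia - 1];
                    strcpy(m->addr, addr);
                    m->have_addr = 1;
                }
            }
        }
        p = nl ? nl + 1 : p + len;
    }
    return 0;
}

static char RESOLVED[MAX_MEDIA][ADDR_LEN];   /* address chosen per stream */

/* Own c= first, else the session-level one, else there is nothing to apply:
 * fail closed rather than read an unset address. Returns count or -1. */
static int resolve_media(const struct sdp *s)
{
    for (int i = 0; i < s->nmedia; i++) {
        const struct media *m = &s->m[i];
        if (m->have_addr)
            strcpy(RESOLVED[i], m->addr);
        else if (s->have_sess_addr)
            strcpy(RESOLVED[i], s->sess_addr);
        else
            return -1;
    }
    return s->nmedia;
}

/* Parse and resolve in one call; fills RESOLVED. */
static int handle_offer(const char *text)
{
    struct sdp s;
    return parse_sdp(text, &s) < 0 ? -1 : resolve_media(&s);
}

/* Constructed offers (documentation addresses). */
static const char SDP_SESSION_C[] =
    "v=0\r\no=- 1 1 IN IP4 192.0.2.10\r\ns=-\r\n"
    "c=IN IP4 192.0.2.10\r\nm=audio 49170 RTP/AVP 0\r\n";
static const char SDP_MEDIA_C[] =      /* c= only after m=: valid SDP */
    "v=0\r\no=- 1 1 IN IP4 198.51.100.7\r\ns=-\r\n"
    "m=audio 49170 RTP/AVP 0\r\nc=IN IP4 198.51.100.7\r\n";
static const char SDP_NO_C[] =         /* no c= anywhere */
    "v=0\r\no=- 1 1 IN IP4 203.0.113.5\r\ns=-\r\n"
    "m=audio 49170 RTP/AVP 0\r\nm=video 51372 RTP/AVP 99\r\n";

int main(void)
{
    printf("session c=:       %d media, addr %s\n", handle_offer(SDP_SESSION_C), RESOLVED[0]);
    printf("media c= after m=: %d media, addr %s\n", handle_offer(SDP_MEDIA_C), RESOLVED[0]);
    printf("no c= at all:     %d (rejected)\n", handle_offer(SDP_NO_C));
    return 0;
}
```

The same two-phase shape also covers the related AST-2013-004 check: whatever state a media description needs (here an address, there a live channel) is confirmed to exist before the description is applied, rather than assumed from the order lines happened to arrive in.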
  

[asterisk-users] AST-2013-001: Buffer Overflow Exploit Through SIP SDP Header

2013-03-27 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2013-001

  Product Asterisk
  Summary Buffer Overflow Exploit Through SIP SDP Header  
 Nature of Advisory   Exploitable Stack Buffer Overflow   
   Susceptibility Remote Unauthenticated Sessions 
  SeverityMajor   
   Exploits Known No  
Reported On   6 January, 2013 
Reported By   Ulf Ha:rnhammar 
 Posted On27 March, 2013  
  Last Updated On March 27, 2013  
  Advisory ContactJonathan Rose jrose AT digium DOT com 
  CVE NameCVE-2013-2685   

Description  The format attribute resource for h264 video performs an 
 unsafe read against a media attribute when parsing the SDP.  
 The vulnerable parameter can be received as strings of an
 arbitrary length and Asterisk attempts to read them into 
 limited buffer spaces without applying a limit to the
 number of characters read. If a message is formed
 improperly, this could lead to an attacker being able to 
 execute arbitrary code remotely. 

Resolution  Attempts to read string data into the buffers noted are now   
explicitly limited by the size of the buffers.

   Affected Versions
Product  Release Series  
 Asterisk Open Source 11.x   All Versions 

  Corrected In  
 Product  Release 
   Asterisk Open Source11.2.2 

Patches
   SVN URL  Revision  
   http://downloads.asterisk.org/pub/security/AST-2013-001-11.diff  Asterisk 11

   Links https://issues.asterisk.org/jira/browse/ASTERISK-20901   

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2013-001.pdf and 
http://downloads.digium.com/pub/security/AST-2013-001.html

Revision History
Date  Editor   Revisions Made 
February 11, 2013  Jonathan Rose Initial Draft
March 27, 2013 Matt Jordan   CVE Added

   Asterisk Project Security Advisory - AST-2013-001
  Copyright (c) 2013 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.
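
The unsafe read the advisory describes, as an added C example (this is not Asterisk's res_format_attr_h264 code): an H.264 fmtp parser in its vulnerable shape, where an unbounded scan copies an attacker-sized attribute value into a fixed buffer, beside a bounded version that never writes past its buffers and rejects an overlong value. The parameter names are the RFC 6184 ones; the buffer sizes, the rejection policy and the sample attributes are assumptions of the example.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example, not Asterisk code. Bug class of AST-2013-001: an SDP
 * attribute value of arbitrary length read into a fixed buffer. The fmtp
 * parameter names are from RFC 6184; the sizes below are assumptions.
 */

#define PLID_LEN 16   /* profile-level-id is 6 hex digits; 16 is generous */
#define SPS_LEN  64   /* assumed room for sprop-parameter-sets */

struct h264_fmtp {
    char profile_level_id[PLID_LEN];
    char sprop_parameter_sets[SPS_LEN];
    int  packetization_mode;
};

static struct h264_fmtp G;   /* result slot used by main() and the checks */

/*
 * Vulnerable shape: "%[^;]" has no field width, so a value longer than the
 * destination is written past it. With the struct in the caller's stack
 * frame that is a stack overflow driven by the SDP of an unauthenticated
 * INVITE. Never run this on untrusted input.
 */
static void parse_h264_fmtp_unchecked(const char *attrs, struct h264_fmtp *f)
{
    memset(f, 0, sizeof *f);
    for (const char *seg = attrs; seg; seg = seg ? seg + 1 : NULL) {
        while (*seg == ' ') seg++;
        sscanf(seg, "profile-level-id=%[^;]", f->profile_level_id);
        sscanf(seg, "sprop-parameter-sets=%[^;]", f->sprop_parameter_sets);
        sscanf(seg, "packetization-mode=%d", &f->packetization_mode);
        seg = strchr(seg, ';');
    }
}

/*
 * Bounded copy, the shape of the fix. If `seg` starts with "<key>=", copy
 * the value (up to the next ';') into dst, never writing more than cap
 * bytes. Returns 0 (key absent), 1 (copied) or -1 (value too long; it is
 * truncated and the caller decides what to do).
 */
static int take_value(const char *seg, const char *key, char *dst, size_t cap)
{
    size_t klen = strlen(key);
    if (strncmp(seg, key, klen) != 0 || seg[klen] != '=')
        return 0;
    const char *val = seg + klen + 1;
    size_t vlen = strcspn(val, ";");
    if (vlen >= cap) {
        memcpy(dst, val, cap - 1);
        dst[cap - 1] = '\0';
        return -1;
    }
    memcpy(dst, val, vlen);
    dst[vlen] = '\0';
    return 1;
}

/* Hardened parser: 0 on success, -1 if any value exceeded its buffer. This
 * example rejects such an offer rather than negotiate on truncated data. */
static int parse_h264_fmtp_checked(const char *attrs, struct h264_fmtp *f)
{
    int overlong = 0;
    memset(f, 0, sizeof *f);
    for (const char *seg = attrs; seg; seg = seg ? seg + 1 : NULL) {
        while (*seg == ' ') seg++;
        if (take_value(seg, "profile-level-id", f->profile_level_id, PLID_LEN) < 0)
            overlong = 1;
        if (take_value(seg, "sprop-parameter-sets", f->sprop_parameter_sets, SPS_LEN) < 0)
            overlong = 1;
        sscanf(seg, "packetization-mode=%d", &f->packetization_mode);
        seg = strchr(seg, ';');
    }
    return overlong ? -1 : 0;
}

/* Constructed inputs: a normal offer and one with a 500-byte profile-level-id. */
static const char FMTP_OK[] =
    "profile-level-id=42e01f;sprop-parameter-sets=Z0IAH5WoFAFuQA==,aM48gA==;"
    "packetization-mode=1";
static char FMTP_LONG[600];

static const char *build_long_fmtp(void)
{
    memcpy(FMTP_LONG, "profile-level-id=", 17);
    memset(FMTP_LONG + 17, 'A', 500);
    strcpy(FMTP_LONG + 517, ";packetization-mode=1");
    return FMTP_LONG;
}

int main(void)
{
    parse_h264_fmtp_unchecked(FMTP_OK, &G);   /* safe only because FMTP_OK is short */
    printf("unchecked, short input: plid=%s mode=%d\n", G.profile_level_id, G.packetization_mode);
    printf("checked, short input:   rc=%d sps=%s\n",
           parse_h264_fmtp_checked(FMTP_OK, &G), G.sprop_parameter_sets);
    printf("checked, 500-byte value: rc=%d (rejected), kept %zu bytes\n",
           parse_h264_fmtp_checked(build_long_fmtp(), &G), strlen(G.profile_level_id));
    return 0;
}
```

Whether to truncate or reject is a policy choice; the advisory's fix bounds the reads, and this example additionally refuses the offer so that a silently shortened parameter cannot change what gets negotiated.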




[asterisk-users] AST-2013-002: Denial of Service in HTTP server

2013-03-27 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2013-002

  Product Asterisk
  Summary Denial of Service in HTTP server
 Nature of Advisory   Denial of Service   
   Susceptibility Remote Unauthenticated Sessions 
  SeverityMajor   
   Exploits Known None
Reported On   January 21, 2013
Reported By   Christoph Hebeisen, TELUS Security Labs 
 Posted OnMarch 27, 2013  
  Last Updated On March 27, 2013  
  Advisory ContactMark Michelson mmichelson AT digium DOT com   
  CVE NameCVE-2013-2686   

   Description AST-2012-014 [1], fixed in January of this year, contained a   
   fix for Asterisk's HTTP server since it was susceptible to a   
   remotely-triggered crash.  
  
   The fix put in place fixed the possibility for the crash to be 
   triggered, but a possible denial of service still exists if an 
   attacker sends one or more HTTP POST requests with very large  
   Content-Length values. 
  
   [1]
   http://downloads.asterisk.org/pub/security/AST-2012-014.html   

Resolution  Content-Length is now capped at a maximum value of 1024   
bytes. Any attempt to send an HTTP POST with content-length   
greater than this cap will not result in any memory   
allocated. The POST will be responded to with an HTTP 413 
Request Entity Too Large response.  

   Affected Versions
   Product  Release Series
    Asterisk Open Source    1.8.x              1.8.19.1, 1.8.20.0, 1.8.20.1
    Asterisk Open Source    10.x               10.11.1, 10.12.0, 10.12.1
    Asterisk Open Source    11.x               11.1.2, 11.2.0, 11.2.1
    Certified Asterisk      1.8.15             1.8.15-cert1
    Asterisk Digiumphones   10.x-digiumphones  10.11.1-digiumphones, 10.12.0-digiumphones, 10.12.1-digiumphones

  Corrected In
 Product  Release 
  Asterisk Open Source   1.8.20.2, 10.12.2, 11.2.2
   Certified Asterisk  1.8.15-cert2   
  Asterisk Digiumphones10.12.2-digiumphones   

  Patches
   SVN URL                                                                  Revision
   http://downloads.asterisk.org/pub/security/AST-2012-014-1.8.diff         Asterisk 1.8
   http://downloads.asterisk.org/pub/security/AST-2012-014-10.diff          Asterisk 10
   http://downloads.asterisk.org/pub/security/AST-2012-014-11.diff          Asterisk 11
   http://downloads.asterisk.org/pub/security/AST-2012-014-1.8.15-cert.diff Certified Asterisk 1.8.15

   Links https://issues.asterisk.org/jira/browse/ASTERISK-20967
         http://telussecuritylabs.com/threats/show/TSL20130327-01

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2013-002.pdf and  

[asterisk-users] AST-2013-003: Username disclosure in SIP channel driver

2013-03-27 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2013-003

  Product Asterisk
  Summary Username disclosure in SIP channel driver   
 Nature of Advisory   Unauthorized data disclosure
   Susceptibility Remote Unauthenticated Sessions 
  SeverityModerate
   Exploits Known No  
Reported On   January 30, 2013
Reported By   Walter Doekes, OSSO B.V.
 Posted OnFebruary 21, 2013   
  Last Updated On March 27, 2013  
  Advisory ContactKinsey Moore kmo...@digium.com
  CVE NameCVE-2013-2264   

Description  When authenticating via SIP with alwaysauthreject enabled,   
 allowguest disabled, and autocreatepeer disabled, Asterisk   
 discloses whether a user exists for INVITE, SUBSCRIBE, and   
 REGISTER transactions in multiple ways.  
  
 This information was disclosed:  
  
 * when a 407 Proxy Authentication Required response was
 sent instead of 401 Unauthorized response. 
  
 * due to the presence or absence of additional tags at the   
 end of 403 Forbidden such as (Bad auth). 
  
 * when a 401 Unauthorized response was sent instead of 
 403 Forbidden response after a retransmission. 
  
 * when retransmissions were sent when a matching peer did
 not exist, but were not when a matching peer did exist.  

Resolution  This issue can only be mitigated by upgrading to versions of  
Asterisk that contain the patch or applying the patch.

   Affected Versions
ProductRelease Series
  Asterisk Open Source  1.8.xAll Versions 
  Asterisk Open Source  10.x All Versions 
  Asterisk Open Source  11.x All Versions 
   Certified Asterisk  1.8.15All Versions 
   Asterisk Business EditionC.3.xAll Versions 
 Asterisk Digiumphones10.x-digiumphones  All Versions 

  Corrected In
  Product  Release
   Asterisk Open Source   1.8.20.2, 10.12.2, 11.2.2   
   Asterisk Digiumphones10.12.2-digiumphones  
Certified Asterisk  1.8.15-cert2  
 Asterisk Business Edition C.3.8.1

  Patches
   SVN URL                                                                  Revision
   http://downloads.asterisk.org/pub/security/AST-2013-003-1.8.diff         Asterisk 1.8
   http://downloads.asterisk.org/pub/security/AST-2013-003-10.diff          Asterisk 10
   http://downloads.asterisk.org/pub/security/AST-2013-003-11.diff          Asterisk 11
   http://downloads.asterisk.org/pub/security/AST-2013-003-1.8.15-cert.diff Certified Asterisk 1.8.15
   http://downloads.asterisk.org/pub/security/AST-2013-003-C.3.diff         Asterisk BE C.3

   Links https://issues.asterisk.org/jira/browse/ASTERISK-21013   

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  

[asterisk-users] AST-2012-014: Crashes due to large stack allocations when using TCP

2013-01-02 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2012-014

 ProductAsterisk  
 SummaryCrashes due to large stack allocations when using 
TCP   
Nature of Advisory  Stack Overflow
  SusceptibilityRemote Unauthenticated Sessions (SIP) 
  
Remote Authenticated Sessions (XMPP, HTTP)
 Severity   Critical  
  Exploits KnownNo
   Reported On  7 November, 2012  
   Reported By  Walter Doekes 
Posted On   2 January, 2013   
 Last Updated OnJanuary 2, 2013   
 Advisory Contact   Mark Michelson mmichelson AT digium DOT com 
 CVE Name   CVE-2012-5976 

Description  Asterisk has several places where messages received over 
 various network transports may be copied in a single stack   
 allocation. In the case of TCP, since multiple packets in a  
 stream may be concatenated together, this can lead to large  
 allocations that overflow the stack. 
  
 In the case of SIP, it is possible to do this before a   
 session is established. Keep in mind that SIP over UDP is
 not affected by this vulnerability.  
  
 With HTTP and XMPP, a session must first be established  
 before the vulnerability may be exploited. The XMPP  
 vulnerability exists both in the res_jabber.so module in 
 Asterisk 1.8, 10, and 11 as well as the res_xmpp.so module   
 in Asterisk 11.  

Resolution  Stack allocations when using TCP have either been eliminated  
in favor of heap allocations or have had an upper bound   
placed on them to ensure that the stack will not overflow.
  
For SIP, the allocation now has an upper limit.   
  
For HTTP, the allocation is now a heap allocation instead of  
a stack allocation.   
  
For XMPP, the allocation has been eliminated since it was 
unnecessary.  

   Affected Versions
Product   Release Series
 Asterisk Open Source  1.8.xAll versions  
 Asterisk Open Source  10.x All versions  
 Asterisk Open Source  11.x All versions  
  Certified Asterisk  1.8.11SIP: unaffected   
  
HTTP and XMPP: All versions   
 Asterisk Digiumphones   10.x-digiumphones  All versions  

  Corrected In
 Product  Release 
  Asterisk Open Source   1.8.19.1, 10.11.1, 11.1.1
   Certified Asterisk  1.8.11-cert10  
  Asterisk Digiumphones10.11.1-digiumphones   

Patches 
   SVN URL                                                            Revision  
   http://downloads.asterisk.org/pub/security/AST-2012-014-1.8.diff   Asterisk 1.8
   http://downloads.asterisk.org/pub/security/AST-2012-014-10.diff    Asterisk 10
   http://downloads.asterisk.org/pub/security/AST-2012-014-11.diff    Asterisk 11

   Links 
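
The two HTTP fixes above, AST-2012-014 (request body moved off the stack) and AST-2013-002 (Content-Length capped, oversize POSTs answered with 413), as one added C example (this is not Asterisk's http.c): a POST body reader that parses Content-Length, refuses anything over the cap before allocating, and otherwise copies the body to a bounded heap buffer. The 1024-byte cap and the 413 status are taken from the AST-2013-002 advisory; the header scanner, the result struct and the sample requests are assumptions of the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example, not Asterisk code. Both bugs at once looked like this:
 *
 *     long n = parse_content_length(headers);
 *     char body[n];              // client sizes a stack frame (AST-2012-014)
 *     memcpy(body, stream, n);   // and there is no cap at all (AST-2013-002)
 *
 * Over TCP the client can keep the stream coming until n is huge.
 */

#define MAX_POST_BODY 1024          /* cap from AST-2013-002 */

struct post_result {
    int    status;   /* HTTP status to send: 200, 400, 413 or 500 */
    char  *body;     /* heap copy of the body on 200, else NULL */
    size_t len;
};

/* Case-insensitive "does `line` start with `prefix`". */
static int starts_with_ci(const char *line, const char *prefix)
{
    for (; *prefix; line++, prefix++)
        if (tolower((unsigned char)*line) != tolower((unsigned char)*prefix))
            return 0;
    return 1;
}

/* Content-Length from a CRLF-separated header block, or -1 if it is absent,
 * negative, non-numeric or followed by junk. */
static long parse_content_length(const char *headers)
{
    for (const char *p = headers; *p; ) {
        if (starts_with_ci(p, "content-length:")) {
            const char *v = p + strlen("content-length:");
            while (*v == ' ' || *v == '\t') v++;
            char *end;
            long n = strtol(v, &end, 10);
            if (end == v || n < 0 || !(*end == '\r' || *end == '\n' || *end == '\0'))
                return -1;
            return n;
        }
        const char *nl = strchr(p, '\n');
        if (!nl) break;
        p = nl + 1;
    }
    return -1;
}

/* Hardened reader: decide on the declared length before touching memory. */
static struct post_result read_post_body(const char *headers,
                                         const char *stream, size_t stream_len)
{
    struct post_result r = { 400, NULL, 0 };
    long n = parse_content_length(headers);
    if (n < 0)
        return r;                       /* 400: missing or malformed length */
    if (n > MAX_POST_BODY) {
        r.status = 413;                 /* reject before allocating anything */
        return r;
    }
    if ((size_t)n > stream_len)
        return r;                       /* 400: body shorter than declared */
    r.body = malloc((size_t)n + 1);     /* heap, and at most 1025 bytes */
    if (!r.body) { r.status = 500; return r; }
    memcpy(r.body, stream, (size_t)n);
    r.body[n] = '\0';
    r.len = (size_t)n;
    r.status = 200;
    return r;
}

/* Constructed requests. */
static const char HDR_SMALL[] = "POST /manager HTTP/1.1\r\nHost: pbx\r\nContent-Length: 5\r\n\r\n";
static const char HDR_HUGE[]  = "POST /manager HTTP/1.1\r\nHost: pbx\r\ncontent-length: 1073741824\r\n\r\n";
static const char HDR_BAD[]   = "POST /manager HTTP/1.1\r\nHost: pbx\r\nContent-Length: -7\r\n\r\n";

/* Plain-value helpers so a result can be checked without handling the struct. */
static int status_for(const char *headers, const char *stream, size_t n)
{
    struct post_result r = read_post_body(headers, stream, n);
    free(r.body);
    return r.status;
}

static int body_equals(const char *headers, const char *stream, size_t n, const char *want)
{
    struct post_result r = read_post_body(headers, stream, n);
    int ok = r.status == 200 && r.len == strlen(want) && memcmp(r.body, want, r.len) == 0;
    free(r.body);
    return ok;
}

int main(void)
{
    printf("Content-Length: 5, body 'hello' -> %d\n", status_for(HDR_SMALL, "hello", 5));
    printf("Content-Length: 1 GiB           -> %d\n", status_for(HDR_HUGE, "", 0));
    printf("Content-Length: -7              -> %d\n", status_for(HDR_BAD, "hello", 5));
    return 0;
}
```

Two things carry over to any TCP-fed parser: decide from the declared size before any buffer exists, and never let a peer-supplied number pick the size of a stack frame, which is why the heap move alone (AST-2012-014) still left the unbounded-allocation denial of service that AST-2013-002 closed.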

[asterisk-users] AST-2012-015: Denial of Service Through Exploitation of Device State Caching

2013-01-02 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2012-015

 ProductAsterisk  
 SummaryDenial of Service Through Exploitation of Device  
State Caching 
Nature of Advisory  Denial of Service 
  SusceptibilityRemote Unauthenticated Sessions   
 Severity   Critical  
  Exploits KnownNone  
   Reported On  26 July, 2012 
   Reported By  Russell Bryant
Posted On   2 January, 2013   
 Last Updated OnJanuary 2, 2013   
 Advisory Contact   Matt Jordan mjordan AT digium DOT com   
 CVE Name   CVE-2012-5977 

Description  Asterisk maintains an internal cache for devices. The
 device state cache holds the state of each device known to   
 Asterisk, such that consumers of device state information
 can query for the last known state for a particular device,  
 even if it is not part of an active call. The concept of a   
 device in Asterisk can include things that do not have a 
 physical representation. One way that this currently occurs  
 is when anonymous calls are allowed in Asterisk. A device
 is automatically created and stored in the cache for each
 anonymous call that occurs; this is possible in the SIP and  
 IAX2 channel drivers and through channel drivers that
 utilize the res_jabber/res_xmpp resource modules (Gtalk, 
 Jingle, and Motif). Attackers exploiting this vulnerability  
 can attack an Asterisk system configured to allow anonymous  
 calls by varying the source of the anonymous call,   
 continually adding devices to the device state cache and 
 consuming a system's resources.  

Resolution  Channels that are not associated with a physical device are   
no longer stored in the device state cache. This affects  
Local, DAHDI, SIP and IAX2 channels, and any channel drivers  
built on the res_jabber/res_xmpp resource modules (Gtalk, 
Jingle, and Motif).   

   Affected Versions
   Product   Release Series
 Asterisk Open Source 1.8.xAll Versions   
 Asterisk Open Source 10.x All Versions   
 Asterisk Open Source 11.x All Versions   
  Certified Asterisk 1.8.11All Versions   
Asterisk Digiumphones   10.x-digiumphones  All Versions   

  Corrected In
 Product  Release 
  Asterisk Open Source   1.8.19.1, 10.11.1, 11.1.1
   Certified Asterisk  1.8.11-cert10  
  Asterisk Digiumphones10.11.1-digiumphones   

Patches 
   SVN URL                                                            Revision  
   http://downloads.asterisk.org/pub/security/AST-2012-015-1.8.diff   Asterisk 1.8
   http://downloads.asterisk.org/pub/security/AST-2012-015-10.diff    Asterisk 10
   http://downloads.asterisk.org/pub/security/AST-2012-015-11.diff    Asterisk 11

   Links https://issues.asterisk.org/jira/browse/ASTERISK-20175   

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2012-015.pdf and 
http://downloads.digium.com/pub/security/AST-2012-015.html

Revision 

[asterisk-users] AST-2012-012: Asterisk Manager User Unauthorized Shell Access

2012-08-30 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2012-012

  Product Asterisk
  Summary Asterisk Manager User Unauthorized Shell Access 
 Nature of Advisory   Permission Escalation   
   Susceptibility Remote Authenticated Sessions   
  SeverityMinor   
   Exploits Known No  
Reported On   July 13, 2012   
Reported By   Zubair Ashraf of IBM X-Force Research   
 Posted OnAugust 30, 2012 
  Last Updated On August 30, 2012 
  Advisory ContactMatt Jordan  mjordan AT digium DOT com
  CVE NameCVE-2012-2186   

Description  The AMI Originate action can allow a remote user to specify  
 information that can be used to execute shell commands on
 the system hosting Asterisk. This can result in an unwanted  
 escalation of permissions, as the Originate action, which
 requires the originate class authorization, can be used
 to perform actions that would typically require the  
 system class authorization. Previous attempts to prevent   
 this permission escalation (AST-2011-006, AST-2012-004)  
 have sought to do so by inspecting the names of  
 applications and functions passed in with the Originate  
 action and, if those applications/functions matched a
 predefined set of values, rejecting the command if the user  
 lacked the system class authorization. As reported by IBM  
 X-Force Research, the ExternalIVR application is not   
 listed in the predefined set of values. The solution for 
 this particular vulnerability is to include the  
 ExternalIVR application in the set of defined  
 applications/functions that require system class   
 authorization.   
  
 Unfortunately, the approach of inspecting fields in the  
 Originate action against known applications/functions has a  
 significant flaw. The predefined set of values can be
 bypassed by creative use of the Originate action or by   
 certain dialplan configurations, which is beyond the 
 ability of Asterisk to analyze at run-time. Attempting to
 work around these scenarios would result in severely 
 restricting the applications or functions and prevent their  
 usage for legitimate means. As such, any additional  
 security vulnerabilities, where an application/function  
 that would normally require the system class   
 authorization can be executed by users with the originate  
 class authorization, will not be addressed. Instead, the 
 README-SERIOUSLY.bestpractices.txt file has been updated to  
 reflect that the AMI Originate action can result in  
 commands requiring the system class authorization to be
 executed. Proper system configuration can limit the impact   
 of such scenarios.   
  
 The next release of each version of Asterisk will contain,   
 in addition to the fix for the ExternalIVR application,
 an updated README-SERIOUSLY.bestpractices.txt file.  

Resolution  Asterisk now checks for the ExternalIVR application when
processing the Originate action.  
  
Additionally, the README-SERIOUSLY.bestpractices.txt file 
has been updated. It is highly recommended that, if AMI is
utilized with accounts that have the originate class
authorization, Asterisk is run under a defined user that  
does not have root permissions. Accounts with the 
originate class authorization should be 

[asterisk-users] AST-2012-013: ACL rules ignored when placing outbound calls by certain IAX2 users

2012-08-30 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2012-013

 ProductAsterisk  
 SummaryACL rules ignored when placing outbound calls by  
certain IAX2 users
Nature of Advisory  Unauthorized use of system
  SusceptibilityRemote Authenticated Sessions 
 Severity   Moderate  
  Exploits KnownNone  
   Reported On  07/27/2012
   Reported By  Alan Frisch   
Posted On   08/30/2012
 Last Updated OnAugust 30, 2012   
 Advisory Contact   Matt Jordan  mjordan AT digium DOT com  
 CVE Name   CVE-2012-4737 

Description  When an IAX2 call is made using the credentials of a peer
 defined in a dynamic Asterisk Realtime Architecture (ARA)
 backend, the ACL rules for that peer are not applied to the  
 call attempt. This allows for a remote attacker who is   
 aware of a peer's credentials to bypass the ACL rules set
 for that peer.   

Resolution  The ACL rules for peers defined in an ARA backend are now 
honored. Users of chan_iax2 should upgrade to the corrected   
versions; apply a provided patch; or define their IAX2 peers  
outside of an ARA backend in a static configuration file. 
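As an added illustration of the behaviour this advisory corrects (example code, not chan_iax2's own), the ACL below is consulted on every authenticated call attempt and the peer's origin, static file or ARA realtime backend, plays no part in the decision. The permit/deny semantics (ordered rules, last match wins, empty ACL permits), the struct layout and all function names are assumptions for the example.

```c
/* Constructed example for AST-2012-013: a permit/deny ACL that is evaluated on
 * every IAX2 call attempt, whether the peer came from a static config file or
 * an ARA realtime backend. Rule semantics are assumed; this is not chan_iax2 code. */
#include <arpa/inet.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

struct acl_rule { bool permit; uint32_t net, mask; };
struct iax2_peer { bool from_realtime; int nrules; struct acl_rule rules[8]; };

static bool parse_ipv4(const char *s, uint32_t *out)
{
    struct in_addr a;
    if (inet_pton(AF_INET, s, &a) != 1) return false;
    *out = ntohl(a.s_addr); return true;
}

/* Appends a "net/mask" rule, e.g. permit=192.168.1.0/255.255.255.0 in iax.conf syntax. */
bool acl_add(struct iax2_peer *p, bool permit, const char *spec)
{
    char net[16], mask[16];
    struct acl_rule *r = &p->rules[p->nrules];
    if (p->nrules >= 8 || sscanf(spec, "%15[^/]/%15s", net, mask) != 2) return false;
    if (!parse_ipv4(net, &r->net) || !parse_ipv4(mask, &r->mask)) return false;
    r->net &= r->mask; r->permit = permit; p->nrules++;
    return true;
}

/* Last matching rule wins; an unparsable source address is refused. */
bool acl_permits(const struct iax2_peer *p, const char *src)
{
    uint32_t ip;
    bool allowed = true;                       /* an empty ACL permits everything */
    if (!parse_ipv4(src, &ip)) return false;
    for (int i = 0; i < p->nrules; i++)
        if ((ip & p->rules[i].mask) == p->rules[i].net) allowed = p->rules[i].permit;
    return allowed;
}

/* Scenario: a peer loaded from realtime, deny-all followed by permit for the
 * branch LAN. Corrected behaviour: valid credentials are necessary but not
 * sufficient, and p->from_realtime is irrelevant. Returns 1 if accepted. */
int iax2_call_permitted(const char *src, bool creds_ok)
{
    struct iax2_peer p = { .from_realtime = true };
    acl_add(&p, false, "0.0.0.0/0.0.0.0");
    acl_add(&p, true, "192.168.1.0/255.255.255.0");
    return (creds_ok && acl_permits(&p, src)) ? 1 : 0;
}
```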

   Affected Versions
ProductRelease Series 
 Asterisk Open Source   1.8.x All versions
 Asterisk Open Source   10.x  All versions
  Certified Asterisk   1.8.11 All versions
 Asterisk Digiumphones   10.x.x-digiumphones  All versions
   Asterisk Business EditionC.3.x All versions

  Corrected In
   Product  Release   
 Asterisk Open Source   1.8.15.1, 10.7.1  
  Certified Asterisk  1.8.11-cert7
Asterisk Digiumphones 10.7.1-digiumphones 
  Asterisk Business Edition C.3.7.6   

Patches 
   SVN URL  Revision  
   http://downloads.asterisk.org/pub/security/AST-2012-013.1.8.diff  Asterisk 1.8
   http://downloads.asterisk.org/pub/security/AST-2012-013.10.diff   Asterisk 10

   Links https://issues.asterisk.org/jira/browse/ASTERISK-20186   

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2012-013.pdf and 
http://downloads.digium.com/pub/security/AST-2012-013.html

Revision History
  Date Editor  Revisions Made 
08/27/2012 Matt Jordan  Initial Revision  

   Asterisk Project Security Advisory - AST-2012-013
  Copyright (c) 2012 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.


--
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
   http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users


[asterisk-users] AST-2012-009: Skinny Channel Driver Remote Crash Vulnerability

2012-06-14 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2012-009

  Product Asterisk
  Summary Skinny Channel Driver Remote Crash Vulnerability
 Nature of Advisory   Denial of Service   
   Susceptibility Remote authenticated sessions   
  SeverityMinor   
   Exploits Known No  
Reported On   May 30, 2012
Reported By   Christoph Hebeisen, TELUS Security Labs 
 Posted OnJune 14, 2012   
  Last Updated On June 14, 2012   
  Advisory ContactMatt Jordan  mjordan AT digium DOT com
  CVE NameCVE-2012-3553   

Description  AST-2012-008 previously dealt with a denial of service   
 attack exploitable in the Skinny channel driver that 
 occurred when certain messages are sent after a previously   
 registered station sends an Off Hook message. Unresolved in  
 that patch is an issue in the Asterisk 10 releases,  
 wherein, if a Station Key Pad Button Message is processed
 after an Off Hook message, the channel driver will   
 inappropriately dereference a Null pointer.  
  
 Similar to AST-2012-008, a remote attacker with a valid  
 SCCP ID can use this vulnerability by closing a  
 connection to the Asterisk server when a station is in the   
 Off Hook call state and crash the server.  

Resolution  The presence of a device for a line is now checked in the 
appropriate channel callbacks, preventing the crash.  

   Affected Versions
Product  Release Series  
 Asterisk Open Source 10.x   All Versions 

  Corrected In  
 Product  Release 
   Asterisk Open Source10.5.1 

Patches
   SVN URL  Revision  
   http://downloads.asterisk.org/pub/security/AST-2012-009-10.diff v10

   Links https://issues.asterisk.org/jira/browse/ASTERISK-19905   

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2012-009.pdf and 
http://downloads.digium.com/pub/security/AST-2012-009.html

Revision History
  Date  Editor Revisions Made 
06/14/2012 Matt Jordan   Initial Release  

   Asterisk Project Security Advisory - AST-2012-009
  Copyright (c) 2012 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.




[asterisk-users] AST-2012-007: Remote crash vulnerability in IAX2 channel driver.

2012-05-29 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2012-007

  ProductAsterisk 
  SummaryRemote crash vulnerability in IAX2 channel driver.   
Nature of Advisory   Remote crash 
  Susceptibility Established calls
 SeverityModerate 
  Exploits Known No   
Reported On  March 21, 2012   
Reported By  mgrobecker   
 Posted On   May 29, 2012 
  Last Updated OnMay 29, 2012 
 Advisory ContactRichard Mudgett  rmudgett AT digium DOT com
 CVE NameCVE-2012-2947

Description  A remotely exploitable crash vulnerability exists in the 
 IAX2 channel driver if an established call is placed on  
 hold without a suggested music class. For this to occur, 
 the following must take place:   
  
 1. The setting mohinterpret=passthrough must be set on the   
 end placing the call on hold.
  
 2. A call must be established.   
  
 3. The call is placed on hold without a suggested
 music-on-hold class name.
  
 When these conditions are true, Asterisk will attempt to 
 use an invalid pointer to a music-on-hold class name. Use
 of the invalid pointer will either cause a crash or the  
 music-on-hold class name will be garbage.

Resolution  Asterisk now sets the extra data parameter to null if the 
received control frame does not have any extra data.  

   Affected Versions
Product  Release Series  
  Certified Asterisk  1.8.11-cert   All versions 
 Asterisk Open Source1.8.x   All versions 
 Asterisk Open Source 10.x   All versions 

  Corrected In
   Product  Release   
 Certified Asterisk  1.8.11-cert2 
Asterisk Open Source   1.8.12.1, 10.4.1   

   Patches
   SVN URL                                                                   Revision
   http://downloads.asterisk.org/pub/security/AST-2012-007-1.8.11-cert.diff  v1.8.11-cert
   http://downloads.asterisk.org/pub/security/AST-2012-007-1.8.diff          v1.8
   http://downloads.asterisk.org/pub/security/AST-2012-007-10.diff           v10

   Links https://issues.asterisk.org/jira/browse/ASTERISK-19597   

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2012-007.pdf and 
http://downloads.digium.com/pub/security/AST-2012-007.html

Revision History
  Date  Editor Revisions Made 
05/29/2012 Richard Mudgett   Initial release. 

   Asterisk Project Security Advisory - AST-2012-007
  Copyright (c) 2012 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.



[asterisk-users] AST-2012-008: Skinny Channel Driver Remote Crash Vulnerability

2012-05-29 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2012-008

  Product Asterisk
  Summary Skinny Channel Driver Remote Crash Vulnerability
 Nature of Advisory   Denial of Service   
   Susceptibility Remote authenticated sessions   
  SeverityMinor   
   Exploits Known No  
Reported On   May 22, 2012
Reported By   Christoph Hebeisen  
 Posted OnMay 29, 2012
  Last Updated On May 29, 2012
  Advisory ContactMatt Jordan  mjordan AT digium DOT com
  CVE NameCVE-2012-2948   

Description  As reported by Telus Labs:   
  
 A Null-pointer dereference has been identified in the SCCP  
 (Skinny) channel driver of Asterisk. When an SCCP client 
 closes its connection to the server, a pointer in a  
 structure is set to Null. If the client was not in the   
 on-hook state at the time the connection was closed, this
 pointer is later dereferenced.   
  
 A remote attacker with a valid SCCP ID can use this  
 vulnerability by closing a connection to the Asterisk
 server in certain call states (e.g. Off hook) to crash 
 the server. Successful exploitation of this vulnerability
 would result in termination of the server, causing denial
 of service to legitimate users. 

Resolution  The pointer to the device in the structure is now checked 
before it is dereferenced in the channel event callbacks and  
message handling functions.   
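The defensive pattern behind this fix and the related AST-2012-009 fix, as an added example that is not chan_skinny code: the line's device pointer is cleared when the client disconnects, so every message handler or callback that can run while the line is still off hook must test it before use (the same rule that the AST-2012-007 fix applies by setting an absent frame payload to null). All types, function names and the sample device name are invented.

```c
/* Constructed illustration of the AST-2012-008/-009 fix pattern: the line's
 * back-pointer to its device is cleared on disconnect, so handlers must test
 * it before dereferencing. Types and names are invented, not chan_skinny's. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum line_state { LINE_ONHOOK, LINE_OFFHOOK };

struct skinny_device { char name[32]; bool connected; };
struct skinny_line   { char name[32]; enum line_state state; struct skinny_device *device; };

/* Client closed its TCP connection. Note what is NOT done: the line's state
 * is left as it was, so an OFFHOOK line now carries device == NULL. */
void handle_client_disconnect(struct skinny_line *l)
{
    if (l->device)
        l->device->connected = false;
    l->device = NULL;                 /* the pointer the advisory describes */
}

/* Hardened handler for a Station Key Pad Button message. Returns 1 when the
 * digit was delivered, 0 when the message is dropped because the line has no
 * device. Pre-fix code read l->device->name here unconditionally. */
int handle_keypad_button(const struct skinny_line *l, int button, char *out, size_t outlen)
{
    if (!l->device) {
        snprintf(out, outlen, "%s: keypad %d ignored, no device attached", l->name, button);
        return 0;
    }
    snprintf(out, outlen, "%s: digit %d on line %s", l->device->name, button, l->name);
    return 1;
}

/* Scenario from the advisory: the station is off hook, optionally the
 * connection closes, then a keypad message for the same line is processed.
 * Returns the handler's result (0 = safely dropped, 1 = delivered). */
int scenario_keypad(bool disconnect_first)
{
    struct skinny_device dev = { "SEP001122334455", true };   /* constructed sample data */
    struct skinny_line line = { "line1", LINE_OFFHOOK, &dev };
    char msg[96];

    if (disconnect_first)
        handle_client_disconnect(&line);   /* device pointer becomes NULL */
    return handle_keypad_button(&line, 5, msg, sizeof msg);
}
```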

   Affected Versions
Product  Release Series  
 Asterisk Open Source1.8.x   All Versions 
 Asterisk Open Source 10.x   All Versions 
  Certified Asterisk  1.8.11-cert   1.8.11-cert1 

  Corrected In
   Product  Release   
Asterisk Open Source   1.8.12.1, 10.4.1   
 Certified Asterisk  1.8.11-cert2 

   Patches
   SVN URL                                                                   Revision
   http://downloads.asterisk.org/pub/security/AST-2012-008-1.8.diff          v1.8
   http://downloads.asterisk.org/pub/security/AST-2012-008-10.diff           v10
   http://downloads.asterisk.org/pub/security/AST-2012-008-1.8.11-cert.diff  v1.8.11-cert

   Links https://issues.asterisk.org/jira/browse/ASTERISK-19905   

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2012-008.pdf and 
http://downloads.digium.com/pub/security/AST-2012-008.html

Revision History
  Date  Editor Revisions Made 
05/25/2012 Matt Jordan   Initial Release  

   Asterisk Project Security Advisory - AST-2012-008
  Copyright (c) 2012 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.




[asterisk-users] AST-2012-004: Asterisk Manager User Unauthorized Shell Access

2012-04-23 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2012-004

  Product Asterisk
  Summary Asterisk Manager User Unauthorized Shell Access 
 Nature of Advisory   Permission Escalation   
   Susceptibility Remote Authenticated Sessions   
  SeverityMinor   
   Exploits Known No  
Reported On   February 23, 2011   
Reported By   David Woolley   
 Posted OnApril 23, 2012  
  Last Updated On April 23, 2012  
  Advisory ContactJonathan Rose  jrose AT digium DOT com
  CVE Name

Description  A user of the Asterisk Manager Interface can bypass a
 security check and execute shell commands when they lack 
 permission to do so. Under normal conditions, a user should  
 only be able to run shell commands if that user has System   
 class authorization. Users could bypass this restriction by  
 using the MixMonitor application with the originate action   
 or by using either the GetVar or Status manager actions in   
 combination with the SHELL and EVAL functions. The patch 
 adds checks in each affected action to verify if a user has  
 System class authorization. If the user does not have those  
 authorizations, Asterisk rejects the action if it detects
 the use of any functions or applications that run system 
 commands.

Resolution  Asterisk now performs checks against manager commands that
cause these behaviors for each of the affected actions.   
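The check described here and in the ExternalIVR advisory earlier on this page, as an added example (not Asterisk's own code): the Originate Application header and any free-text header that can carry function expansions are compared, case-insensitively, against the applications and functions the advisories name. Permission bits, list contents and function names are assumptions; as the ExternalIVR advisory itself notes, such a list can never be complete, so running Asterisk as an unprivileged user remains the primary mitigation.

```c
/* Constructed authorization check modelled on the approach the advisories
 * describe (AST-2012-004 and the ExternalIVR fix): an AMI user holding only
 * the originate class must not reach applications or dialplan functions that
 * run commands on the host. Names and the permission bits are invented. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>

#define PERM_SYSTEM    0x01
#define PERM_ORIGINATE 0x02

/* Applications the advisories name as able to run host commands; a real
 * deployment's list is longer, and the ExternalIVR advisory warns that any
 * such list is inherently incomplete. */
static const char *const SYSTEM_APPS[]  = { "MixMonitor", "ExternalIVR", NULL };
/* Dialplan functions named in AST-2012-004 that evaluate code or commands. */
static const char *const SYSTEM_FUNCS[] = { "SHELL", "EVAL", NULL };

/* Case-insensitive substring search (dialplan names are case-insensitive). */
static bool contains_nocase(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    for (; *hay; hay++)
        if (strncasecmp(hay, needle, n) == 0) return true;
    return false;
}

/* True when the request touches a system-class application or function.
 * 'app' is the Originate Application header (may be NULL); 'field' is any
 * free-text header that can carry ${FUNC(...)} expansions: Originate Data,
 * GetVar Variable, Status Variables. The substring match is deliberately
 * coarse so that the check fails closed. */
bool request_needs_system_class(const char *app, const char *field)
{
    for (int i = 0; app && SYSTEM_APPS[i]; i++)
        if (strcasecmp(app, SYSTEM_APPS[i]) == 0) return true;
    for (int i = 0; field && SYSTEM_FUNCS[i]; i++)
        if (contains_nocase(field, SYSTEM_FUNCS[i])) return true;
    return false;
}

/* Policy decision for one AMI action: allowed unless it needs the system
 * class and the caller's permission bits lack it. */
bool ami_request_allowed(int perms, const char *app, const char *field)
{
    if (perms & PERM_SYSTEM) return true;
    return !request_needs_system_class(app, field);
}
```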

   Affected Versions
 Product   Release Series  
  Asterisk Open Source1.6.2.x  All versions   
  Asterisk Open Source 1.8.x   All versions   
  Asterisk Open Source  10.x   All versions   
Asterisk Business Edition  C.3.x   All versions   

  Corrected In
  Product  Release
   Asterisk Open Source  1.6.2.24, 1.8.11.1, 10.3.1   
 Asterisk Business Edition C.3.7.4

 Patches  
SVN URL   Revision 
   http://downloads.asterisk.org/pub/security/AST-2012-004-1.6.2.diff v1.6.2   
   http://downloads.asterisk.org/pub/security/AST-2012-004-1.8.diff   v1.8 
   http://downloads.asterisk.org/pub/security/AST-2012-004-10.diff    v10  

   Links https://issues.asterisk.org/jira/browse/ASTERISK-17465   

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2012-004.pdf and 
http://downloads.digium.com/pub/security/AST-2012-004.html

Revision History
  Date  Editor Revisions Made 
04/23/2012   Jonathan Rose Initial Release  


   Asterisk Project Security Advisory - AST-2012-004
  Copyright (c) 2012 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.



