[Full-disclosure] AST-2014-004: Remote Crash Vulnerability in PJSIP Channel Driver Subscription Handling

2014-03-10 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2014-004

Product             Asterisk
Summary             Remote Crash Vulnerability in PJSIP Channel Driver
                    Subscription Handling
Nature of Advisory  Denial of Service
Susceptibility      Remote Authenticated Sessions
Severity            Moderate
Exploits Known      No
Reported On         January 14th, 2014
Reported By         Mark Michelson
Posted On           March 10, 2014
Last Updated On     March 10, 2014
Advisory Contact    Matt Jordan
CVE Name            CVE-2014-2289

Description  A remotely exploitable crash vulnerability exists in the 
 PJSIP channel driver's handling of SUBSCRIBE requests. If a  
 SUBSCRIBE request is received for the presence Event, and
 that request has no Accept headers, Asterisk will attempt
 to access an invalid pointer to the header location. 
  
 Note that this issue was fixed during a re-architecture of   
 the res_pjsip_pubsub module in Asterisk 12.1.0. As such, 
 this issue has already been resolved in a released version   
 of Asterisk. This notification is being released for users   
 of Asterisk 12.0.0.  

Resolution  Upgrade to Asterisk 12.1.0, or apply the patch noted below
to Asterisk 12.0.0.   

Affected Versions
  Product               Release Series
  Asterisk Open Source  12.x            12.0.0

Corrected In
  Product               Release
  Asterisk Open Source  12.1.0

Patches
  SVN URL                                                          Revision
  http://downloads.asterisk.org/pub/security/AST-2014-004-12.diff  Asterisk 12

Links  https://issues.asterisk.org/jira/browse/ASTERISK-23139

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2014-004.pdf and 
http://downloads.digium.com/pub/security/AST-2014-004.html

Revision History
  Date Editor  Revisions Made 
03/05/14   Matt Jordan  Initial Revision  

   Asterisk Project Security Advisory - AST-2014-004
  Copyright (c) 2014 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] AST-2014-002: Denial of Service Through File Descriptor Exhaustion with chan_sip Session-Timers

2014-03-10 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2014-002

Product             Asterisk
Summary             Denial of Service Through File Descriptor Exhaustion
                    with chan_sip Session-Timers
Nature of Advisory  Denial of Service
Susceptibility      Remote Authenticated or Anonymous Sessions
Severity            Moderate
Exploits Known      No
Reported On         2014/02/25
Reported By         Corey Farrell
Posted On           March 10, 2014
Last Updated On     March 10, 2014
Advisory Contact    Kinsey Moore
CVE Name            CVE-2014-2287

Description  An attacker can use all available file descriptors using 
 SIP INVITE requests. 
  
 Knowledge required to achieve the attack:
  
 * Valid account credentials or anonymous dial in 
  
 * A valid extension that can be dialed from the SIP account  
  
 Trigger conditions:  
  
 * chan_sip configured with "session-timers" set to   
 "originate" or "accept"  
  
 ** The INVITE request must contain either a Session-Expires  
 or a Min-SE header with malformed values or values   
 disallowed by the system's configuration.
  
 * chan_sip configured with "session-timers" set to "refuse"  
  
 ** The INVITE request must offer "timer" in the "Supported"  
 header   
  
 Asterisk will respond with code 400, 420, or 422 for INVITEs
 meeting these criteria. Each such INVITE leaks a channel and
 several file descriptors. The file descriptors cannot be
 released without restarting Asterisk, and because the
 requests can be sent slowly, intrusion detection systems
 may be bypassed.

Resolution  Upgrade to a version with the patch integrated or apply the   
appropriate patch.
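The trigger conditions above are, in effect, a list of early-rejection paths; the leak is that the channel created for the INVITE was not torn down on those paths. The C program below is an added example written for this page, not chan_sip's code: it models the session-timer checks for the three modes and routes every rejection (400, 420, 422) through one release point, with a counter of live dialog resources that must read zero after each rejected INVITE. The dialog struct, the pretend descriptors, the 90-second minimum (RFC 4028's default) and the exact condition-to-code mapping are assumptions of the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>

/* chan_sip "session-timers" modes named in the advisory. */
enum st_mode { ST_ACCEPT, ST_ORIGINATE, ST_REFUSE };

/* Stand-in for the channel and sockets a real dialog holds. A correct handler
 * leaves this at zero after every rejected INVITE; the leak in the advisory is
 * exactly this counter creeping up once per 400/420/422. */
static int live_dialogs = 0;

struct dialog { int rtp_fd; int rtcp_fd; };

static struct dialog *dialog_new(void)
{
    struct dialog *d = calloc(1, sizeof *d);
    if (!d) return NULL;
    d->rtp_fd = 10; d->rtcp_fd = 11;    /* pretend descriptors (constructed) */
    live_dialogs++;
    return d;
}

static void dialog_release(struct dialog *d)
{
    if (!d) return;
    live_dialogs--;                     /* real code: close fds, free the channel */
    free(d);
}

/* Strict delta-seconds parser: decimal digits only, no sign, no trailing
 * characters, no overflow. Returns 0 on success. */
static int parse_delta_seconds(const char *s, long *out)
{
    char *end;
    long v;
    if (!s || *s < '0' || *s > '9') return -1;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno == ERANGE || *end != '\0') return -1;
    *out = v;
    return 0;
}

/* Decide how an INVITE is answered. session_expires and min_se are the raw
 * header values (NULL when absent); supported_timer says whether "timer" was
 * offered in Supported; min_se_cfg is the configured minimum. Returns 0 and
 * hands the dialog to the caller, or a SIP status code after releasing the
 * dialog. The codes follow the advisory's list; the mapping of condition to
 * code is this example's simplification. */
static int handle_invite(enum st_mode mode, const char *session_expires,
                         const char *min_se, int supported_timer,
                         long min_se_cfg, struct dialog **out)
{
    struct dialog *d = dialog_new();
    long se = 0, mse = 0;
    int code = 0;

    *out = NULL;
    if (!d) return 500;

    if (mode == ST_REFUSE) {
        if (supported_timer) code = 420;            /* timer offered, refused */
    } else if (min_se && parse_delta_seconds(min_se, &mse) != 0) {
        code = 400;                                 /* malformed Min-SE */
    } else if (session_expires) {
        if (parse_delta_seconds(session_expires, &se) != 0) code = 400;
        else if (min_se && se < mse) code = 400;    /* request contradicts its own Min-SE */
        else if (se < min_se_cfg) code = 422;       /* Session Interval Too Small */
    }

    if (code != 0) {
        dialog_release(d);   /* the one release point every rejection must reach */
        return code;
    }
    *out = d;                /* proceeding: the caller owns the dialog from here */
    return 0;
}

/* Convenience for the demo: send one INVITE and drop any accepted dialog. */
static int invite_and_drop(enum st_mode mode, const char *se, const char *mse,
                           int supported_timer, long min_se_cfg)
{
    struct dialog *d = NULL;
    int code = handle_invite(mode, se, mse, supported_timer, min_se_cfg, &d);
    dialog_release(d);
    return code;
}

int main(void)
{
    printf("malformed Session-Expires     -> %d\n", invite_and_drop(ST_ACCEPT, "abc", NULL, 1, 90));
    printf("Session-Expires below minimum -> %d\n", invite_and_drop(ST_ACCEPT, "30", NULL, 1, 90));
    printf("refuse mode, timer offered    -> %d\n", invite_and_drop(ST_REFUSE, "1800", NULL, 1, 90));
    printf("acceptable INVITE             -> %d\n", invite_and_drop(ST_ACCEPT, "1800", "90", 1, 90));
    printf("live dialogs after all four: %d (must be 0)\n", live_dialogs);
    return live_dialogs == 0 ? 0 : 1;
}
```

The point to carry over to real code is structural: parsing and policy decide a code, and a single exit path owns the release, so adding a fourth rejection reason later cannot reintroduce the leak.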

Affected Versions
  Product               Release Series
  Asterisk Open Source  1.8.x           All
  Asterisk Open Source  11.x            All
  Asterisk Open Source  12.x            All
  Certified Asterisk    1.8.15          All
  Certified Asterisk    11.6            All

Corrected In
  Product               Release
  Asterisk Open Source  1.8.x           1.8.26.1
  Asterisk Open Source  11.x            11.8.1
  Asterisk Open Source  12.x            12.1.1
  Certified Asterisk    1.8.15          1.8.15-cert5
  Certified Asterisk    11.6            11.6-cert2

Patches
  SVN URL                                                           Revision
  http://downloads.asterisk.org/pub/security/AST-2014-002-1.8.diff  Asterisk 1.8
  http://downloads.asterisk.org/pub/security/AST-2014-

[Full-disclosure] AST-2014-003: Remote Crash Vulnerability in PJSIP channel driver

2014-03-10 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2014-003

Product             Asterisk
Summary             Remote Crash Vulnerability in PJSIP channel driver
Nature of Advisory  Denial of Service
Susceptibility      Remote Unauthenticated Sessions
Severity            Moderate
Exploits Known      No
Reported On         January 29, 2014
Reported By         Joshua Colp
Posted On           March 10, 2014
Last Updated On     March 10, 2014
Advisory Contact    Joshua Colp
CVE Name            CVE-2014-2288

Description  A remotely exploitable crash vulnerability exists in the 
 PJSIP channel driver if the "qualify_frequency"  
 configuration option is enabled on an AOR and the remote 
 SIP server challenges for authentication of the resulting
 OPTIONS request. The response handling code wrongly assumes  
 that a PJSIP endpoint will always be associated with an  
 outgoing request which is incorrect. 

Resolution  This patch adds a check when handling responses challenging   
for authentication. If no endpoint is associated with the 
request no retry with authentication will occur.  

Affected Versions
  Product               Release Series
  Asterisk Open Source  12.x            All

Corrected In
  Product               Release
  Asterisk Open Source  12.x            12.1.1

Patches
  SVN URL                                                          Revision
  http://downloads.asterisk.org/pub/security/AST-2014-003-12.diff  Asterisk 12

Links  https://issues.asterisk.org/jira/browse/ASTERISK-23210

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2014-003.pdf and 
http://downloads.digium.com/pub/security/AST-2014-003.html

Revision History
  Date Editor  Revisions Made 
03/05/14   Joshua Colp  Document Creation 

   Asterisk Project Security Advisory - AST-2014-003
  Copyright (c) 2014 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.



[Full-disclosure] AST-2014-001: Stack Overflow in HTTP Processing of Cookie Headers.

2014-03-10 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2014-001

Product             Asterisk
Summary             Stack Overflow in HTTP Processing of Cookie Headers.
Nature of Advisory  Denial Of Service
Susceptibility      Remote Unauthenticated Sessions
Severity            Moderate
Exploits Known      No
Reported On         February 21, 2014
Reported By         Lucas Molas, researcher at Programa STIC, Fundacion
                    Dr. Manuel Sadosky, Buenos Aires, Argentina
Posted On           March 10, 2014
Last Updated On     March 10, 2014
Advisory Contact    Richard Mudgett
CVE Name            CVE-2014-2286

Description  Sending an HTTP request that is handled by Asterisk with a
 large number of Cookie headers could overflow the stack.
 A request carrying an unbounded number of such headers could
 also exhaust memory.

Resolution  The patched versions now handle headers in a fashion that 
prevents a stack overflow. Users should upgrade to a  
corrected version, apply the released patches, or disable 
HTTP support. 
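How a header-parsing loop avoids the problem the advisory describes, as an added example written for this page and not Asterisk's HTTP code: every Cookie header in the request is folded into one fixed-size heap table, and the request is rejected as soon as the table or a single pair would exceed its cap, so no stack object is ever sized by the number or length of headers the client sends. The caps, the cookie_jar structure and the sample request are assumptions of the example; the shape of the old per-header stack copy mentioned in the comment is an assumption about the bug, not a quote.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

#define MAX_COOKIES    64    /* assumption: cap on stored name=value pairs */
#define MAX_COOKIE_LEN 256   /* assumption: cap on one name or one value */

struct cookie { char name[MAX_COOKIE_LEN]; char value[MAX_COOKIE_LEN]; };
struct cookie_jar { struct cookie *items; size_t count; };

static const char *skip_ws(const char *p) { while (*p == ' ' || *p == '\t') p++; return p; }

/* Store one "name=value" pair with bounded copies. Returns -1 once a cap is
 * hit; the caller rejects the request instead of growing anything. */
static int jar_add(struct cookie_jar *jar, const char *pair, size_t len)
{
    const char *eq = memchr(pair, '=', len);
    size_t nlen, vlen;
    struct cookie *c;
    if (!eq) return 0;                                   /* "; ;" style junk: ignore */
    if (jar->count >= MAX_COOKIES) return -1;
    nlen = (size_t)(eq - pair);
    vlen = len - nlen - 1;
    if (nlen >= MAX_COOKIE_LEN || vlen >= MAX_COOKIE_LEN) return -1;
    c = &jar->items[jar->count++];
    memcpy(c->name, pair, nlen);    c->name[nlen] = '\0';
    memcpy(c->value, eq + 1, vlen); c->value[vlen] = '\0';
    return 0;
}

/* Walk the header block up to the blank line and collect every Cookie header
 * into one fixed-size heap table. The pattern the advisory describes (assumed
 * shape: a fresh stack copy per header, so the frame grows with the number of
 * headers the client sends) never occurs here. Returns 0, or -1 when the
 * request exceeds the caps and should be answered with an error. */
static int collect_cookies(const char *request, struct cookie_jar *jar)
{
    const char *line = request;
    jar->count = 0;
    jar->items = calloc(MAX_COOKIES, sizeof *jar->items);
    if (!jar->items) return -1;

    while (*line && line[0] != '\n' && !(line[0] == '\r' && line[1] == '\n')) {
        const char *eol = strchr(line, '\n');
        size_t linelen = eol ? (size_t)(eol - line) : strlen(line);
        if (linelen && line[linelen - 1] == '\r') linelen--;

        if (linelen > 7 && strncasecmp(line, "Cookie:", 7) == 0) {
            const char *end = line + linelen, *p = skip_ws(line + 7);
            while (p < end) {
                const char *semi = memchr(p, ';', (size_t)(end - p));
                const char *q = semi ? semi : end;
                while (q > p && (q[-1] == ' ' || q[-1] == '\t')) q--;  /* trim the pair */
                if (jar_add(jar, p, (size_t)(q - p)) != 0) return -1;
                p = semi ? skip_ws(semi + 1) : end;
            }
        }
        if (!eol) break;
        line = eol + 1;
    }
    return 0;
}

static void jar_free(struct cookie_jar *jar) { free(jar->items); jar->items = NULL; jar->count = 0; }

/* Demo helper: cookies collected, or -1 if the request was rejected. */
static int count_cookies_in(const char *request)
{
    struct cookie_jar jar;
    int n = collect_cookies(request, &jar) == 0 ? (int)jar.count : -1;
    jar_free(&jar);
    return n;
}

/* Demo helper: a request carrying n separate Cookie headers (constructed). */
static int count_for_n_headers(int n)
{
    size_t cap = 64 + (size_t)n * 32, off;
    char *req = malloc(cap);
    int i, result;
    if (!req) return -1;
    off = (size_t)snprintf(req, cap, "GET /httpstatus HTTP/1.1\r\nHost: pbx\r\n");
    for (i = 0; i < n; i++)
        off += (size_t)snprintf(req + off, cap - off, "Cookie: k%d=v\r\n", i);
    snprintf(req + off, cap - off, "\r\n");
    result = count_cookies_in(req);
    free(req);
    return result;
}

static const char SAMPLE_REQUEST[] =   /* constructed */
    "GET /httpstatus HTTP/1.1\r\nHost: pbx.example\r\n"
    "Cookie: mansession_id=\"abc\"; lang=en\r\nCookie: theme=dark\r\n\r\n";

int main(void)
{
    printf("sample request: %d cookies\n", count_cookies_in(SAMPLE_REQUEST));
    printf("%d Cookie headers: %d; %d headers: %d (rejected at the cap)\n",
           MAX_COOKIES, count_for_n_headers(MAX_COOKIES),
           MAX_COOKIES + 1, count_for_n_headers(MAX_COOKIES + 1));
    return 0;
}
```

A request that trips the cap should be answered with a 4xx and closed; what matters for the advisory is that the decision is taken with memory use already bounded, whatever the client sent.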

Affected Versions
  Product               Release Series
  Asterisk Open Source  1.8.x           All versions
  Asterisk Open Source  11.x            All versions
  Asterisk Open Source  12.x            All versions
  Certified Asterisk    1.8.x           All versions
  Certified Asterisk    11.x            All versions

Corrected In
  Product               Release
  Asterisk Open Source  1.8.26.1, 11.8.1, 12.1.1
  Certified Asterisk    1.8.15-cert5, 11.6-cert2

Patches
  SVN URL                                                              Revision
  http://downloads.asterisk.org/pub/security/AST-2014-001-1.8.diff     Asterisk 1.8
  http://downloads.asterisk.org/pub/security/AST-2014-001-11.diff      Asterisk 11
  http://downloads.asterisk.org/pub/security/AST-2014-001-12.diff      Asterisk 12
  http://downloads.asterisk.org/pub/security/AST-2014-001-1.8.15.diff  Certified Asterisk 1.8.15
  http://downloads.asterisk.org/pub/security/AST-2014-001-11.6.diff    Certified Asterisk 11.6

Links  https://issues.asterisk.org/jira/browse/ASTERISK-23340

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2014-001.pdf and 
http://downloads.digium.com/pub/security/AST-2014-001.html

Revision History
  Date  Editor Revisions Made 
03/10/14   Richard Mudgett   Initial Revision.

   Asterisk Project Security Advisory - AST-2014-001
  Copyright (c) 2014 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.


[Full-disclosure] AST-2013-007: Asterisk Manager User Dialplan Permission Escalation

2013-12-16 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2013-007

Product             Asterisk
Summary             Asterisk Manager User Dialplan Permission Escalation
Nature of Advisory  Permission Escalation
Susceptibility      Remote Authenticated Sessions
Severity            Minor
Exploits Known      None
Reported On         November 25, 2013
Reported By         Matt Jordan
Posted On           December 16, 2013
Last Updated On     December 16, 2013
Advisory Contact    David Lee < dlee AT digium DOT com >
CVE Name            Pending

Description  External control protocols, such as the Asterisk Manager 
 Interface, often have the ability to get and set channel 
 variables; this allows the execution of dialplan functions.  
  
 Dialplan functions within Asterisk are incredibly powerful,
 which is wonderful for building applications using Asterisk.
 But during the read or write execution, certain dialplan
 functions do much more. For example, reading the SHELL()
 function can execute arbitrary commands on the system
 Asterisk is running on. Writing to the FILE() function can
 change any file that Asterisk has write access to.
  
 When these functions are executed from an external   
 protocol, that execution could result in a privilege 
 escalation.  

Resolution  Asterisk can now inhibit the execution of these functions 
from external interfaces such as AMI, if live_dangerously in  
the [options] section of asterisk.conf is set to no.  
  
For backwards compatibility, live_dangerously defaults to 
yes, and must be explicitly set to no to enable this  
privilege escalation protection.  

Affected Versions
  Product                     Release Series
  Asterisk Open Source        1.8.x              All Versions
  Asterisk Open Source        10.x               All Versions
  Asterisk with Digiumphones  10.x-digiumphones  All Versions
  Asterisk Open Source        11.x               All Versions
  Certified Asterisk          1.8.x              All Versions
  Certified Asterisk          11.x               All Versions

Corrected In
  Product                     Release
  Asterisk Open Source        1.8.24.1, 10.12.4, 11.6.1
  Asterisk with Digiumphones  10.12.4-digiumphones
  Certified Asterisk          1.8.15-cert4, 11.2-cert3

Patches
  SVN URL                                                                       Revision
  http://downloads.asterisk.org/pub/security/AST-2013-007-1.8.diff              Asterisk 1.8
  http://downloads.asterisk.org/pub/security/AST-2013-007-10.diff               Asterisk 10
  http://downloads.asterisk.org/pub/security/AST-2013-007-10-digiumphones.diff  Asterisk 10-digiumphones
  http://downloads.asterisk.org/pub/security/AST-2013-007-11.diff               Asterisk 11
  http://downloads.asterisk.org/pub/security/AST-2013-007-1.8.15.diff           Certified Asterisk 1.8.15
  http://downloads.asterisk.org/pub/security/AST-2013-007-11.2.diff             Certified Asterisk 11.2

Links  https://issues.asterisk.org/jira/browse/ASTERISK-22905

Asterisk Project Securit

[Full-disclosure] AST-2013-006: Buffer Overflow when receiving odd length 16 bit SMS message

2013-12-16 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2013-006

Product             Asterisk
Summary             Buffer Overflow when receiving odd length 16 bit SMS
                    message
Nature of Advisory  Buffer Overflow and Remote Crash
Susceptibility      Remote SMS Messages
Severity            Major
Exploits Known      None
Reported On         September 26, 2013
Reported By         Jan Juergens
Posted On           December 16, 2013
Last Updated On     December 16, 2013
Advisory Contact    Scott Griepentrog
CVE Name            Pending

Description  A 16 bit SMS message that contains an odd message length 
 value will cause the message decoding loop to run forever.   
 The message buffer is not on the stack but will be   
 overflowed resulting in corrupted memory and an immediate
 crash.   

Resolution  This patch corrects the evaluation of the message length  
indicator, ensuring that the message decoding loop will stop  
at the end of the received message.   
  
Thanks to Jan Juergens for finding, reporting, testing, and   
providing a fix for this problem. 
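The decoding loop the advisory describes is made to stop by validating the length indicator before the loop, as in this added C example written for this page (it is not Asterisk's SMS code): the octet count must be even, must not exceed what was actually received, and must fit the output buffer, and the loop counts up to that validated number rather than down to zero. The UCS-2 to UTF-8 step and the sample user data are the example's own; the old loop shape in the comment is an assumption about the bug, not a quote.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define SMS_MAX_UNITS 70   /* 140 octets of user data = 70 UCS-2 code units */

/* Decode a 16-bit (UCS-2, big-endian) SMS user-data field.
 *   udl   : user-data-length indicator carried in the message, in octets
 *   avail : octets actually present in the received buffer
 * Returns the number of code units written, or -1 if the message is malformed.
 *
 * Assumed shape of the original loop, shown only to explain the bug:
 *     while (len) { *out++ = in[0] << 8 | in[1]; in += 2; len -= 2; }
 * With an odd len the countdown never hits zero, so the loop keeps reading
 * past the message and writing past out[]. */
static int sms_decode_ucs2(const uint8_t *in, size_t udl, size_t avail,
                           uint16_t *out, size_t out_units)
{
    size_t units, i;
    if (udl & 1)            return -1;   /* odd octet count is not whole 16-bit units */
    if (udl > avail)        return -1;   /* indicator claims more than was received */
    units = udl / 2;
    if (units > out_units)  return -1;   /* would overrun the output buffer */
    for (i = 0; i < units; i++)          /* bounded by the validated count, not a countdown */
        out[i] = (uint16_t)((in[2 * i] << 8) | in[2 * i + 1]);
    return (int)units;
}

/* Render decoded units as UTF-8 for display. Surrogates are not valid UCS-2. */
static int ucs2_to_utf8(const uint16_t *u, size_t n, char *dst, size_t dstlen)
{
    size_t o = 0, i;
    for (i = 0; i < n; i++) {
        uint16_t c = u[i];
        size_t need = c < 0x80 ? 1 : c < 0x800 ? 2 : 3;
        if (c >= 0xD800 && c <= 0xDFFF) return -1;
        if (o + need >= dstlen) return -1;
        if (need == 1) {
            dst[o++] = (char)c;
        } else if (need == 2) {
            dst[o++] = (char)(0xC0 | (c >> 6));
            dst[o++] = (char)(0x80 | (c & 0x3F));
        } else {
            dst[o++] = (char)(0xE0 | (c >> 12));
            dst[o++] = (char)(0x80 | ((c >> 6) & 0x3F));
            dst[o++] = (char)(0x80 | (c & 0x3F));
        }
    }
    dst[o] = '\0';
    return (int)o;
}

/* Constructed user data: "Hi" followed by U+00E9, UCS-2 big-endian. */
static const uint8_t SAMPLE_UD[] = { 0x00, 0x48, 0x00, 0x69, 0x00, 0xE9 };
static uint16_t demo_units[SMS_MAX_UNITS];
static char demo_text[4 * SMS_MAX_UNITS];

int main(void)
{
    int n = sms_decode_ucs2(SAMPLE_UD, sizeof SAMPLE_UD, sizeof SAMPLE_UD, demo_units, SMS_MAX_UNITS);
    if (n >= 0 && ucs2_to_utf8(demo_units, (size_t)n, demo_text, sizeof demo_text) >= 0)
        printf("decoded %d units: %s\n", n, demo_text);
    printf("odd length 5 -> %d\n",
           sms_decode_ucs2(SAMPLE_UD, 5, sizeof SAMPLE_UD, demo_units, SMS_MAX_UNITS));
    printf("length 8 with 6 received -> %d\n",
           sms_decode_ucs2(SAMPLE_UD, 8, sizeof SAMPLE_UD, demo_units, SMS_MAX_UNITS));
    return 0;
}
```

The second check (udl against avail) matters as much as the parity check: a well-formed even length that exceeds the received bytes would otherwise read past the message with no loop bug at all.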

Affected Versions
  Product                     Release Series
  Asterisk Open Source        1.8.x              All Versions
  Asterisk Open Source        10.x               All Versions
  Asterisk with Digiumphones  10.x-digiumphones  All Versions
  Asterisk Open Source        11.x               All Versions
  Certified Asterisk          1.8.x              All Versions
  Certified Asterisk          11.x               All Versions

Corrected In
  Product                     Release
  Asterisk Open Source        1.8.24.1, 10.12.4, 11.6.1
  Asterisk with Digiumphones  10.12.4-digiumphones
  Certified Asterisk          1.8.15-cert4, 11.2-cert3

Patches
  SVN URL                                                                       Revision
  http://downloads.asterisk.org/pub/security/AST-2013-006-1.8.diff              Asterisk 1.8
  http://downloads.asterisk.org/pub/security/AST-2013-006-10.diff               Asterisk 10
  http://downloads.asterisk.org/pub/security/AST-2013-006-10-digiumphones.diff  Asterisk 10-digiumphones
  http://downloads.asterisk.org/pub/security/AST-2013-006-11.diff               Asterisk 11
  http://downloads.asterisk.org/pub/security/AST-2013-006-1.8.15.diff           Certified Asterisk 1.8.15
  http://downloads.asterisk.org/pub/security/AST-2013-006-11.2.diff             Certified Asterisk 11.2

Links  https://issues.asterisk.org/jira/browse/ASTERISK-22590

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2013-006.pdf and 
http://downloads.digium.com/pub/security/AST-2013-006.html

Revision History
  Date  Editor Revisions Made 
12/16/2013 Scott Griepentrog Initial Revision 

   Asterisk Project Security Advisory - AST-2013-006
  Copyright (c) 2013 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original,

[Full-disclosure] AST-2013-005: Remote Crash when Invalid SDP is sent in SIP Request

2013-08-27 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2013-005

Product             Asterisk
Summary             Remote Crash when Invalid SDP is sent in SIP Request
Nature of Advisory  Remote Crash
Susceptibility      Remote Unauthenticated Sessions
Severity            Major
Exploits Known      None
Reported On         July 03, 2013
Reported By         Walter Doekes, OSSO B.V.
Posted On           August 27, 2013
Last Updated On     August 27, 2013
Advisory Contact    Matthew Jordan
CVE Name            Pending

Description  A remotely exploitable crash vulnerability exists in the 
 SIP channel driver if an invalid SDP is sent in a SIP
 request that defines media descriptions before connection
 information. The handling code incorrectly attempts to   
 reference the socket address information even though that
 information has not yet been set.

Resolution  This patch adds checks when handling the various media
descriptions that ensures the media descriptions are handled  
only if we have connection information suitable for that  
media.
  
Thanks to Walter Doekes of OSSO B.V. for finding, reporting,  
testing, and providing the fix for this problem.  
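The ordering problem above (media descriptions before connection information) is handled cleanly by separating parsing from applying, as in this added C example written for this page, which is not chan_sip's SDP code: a first pass only records the session-level c= and any media-level c=, and a second pass resolves each stream's address, skipping streams for which no connection information exists instead of dereferencing an address that was never set. The struct sdp layout, the media cap and the three sample bodies are assumptions of the example.

```c
#include <stdio.h>
#include <string.h>

#define MAX_MEDIA 8   /* assumption: streams per SDP this example tracks */

struct media { char type[16]; int port; char addr[64]; int has_addr; };
struct sdp {
    char session_addr[64];
    int  has_session_addr;
    struct media m[MAX_MEDIA];
    int  nmedia;
};

/* "c=IN IP4 <addr>" (or IP6). Returns 0 and fills dst, -1 if malformed. */
static int parse_c_line(const char *line, char *dst, size_t dstlen)
{
    char net[8], af[8], addr[64];
    if (sscanf(line, "c=%7s %7s %63s", net, af, addr) != 3) return -1;
    if (strcmp(net, "IN") != 0) return -1;
    if (strcmp(af, "IP4") != 0 && strcmp(af, "IP6") != 0) return -1;
    snprintf(dst, dstlen, "%s", addr);
    return 0;
}

/* First pass: record, apply nothing. Connection information before the first
 * m= is session level; after an m= it belongs to that media. Returns 0, or -1
 * for a malformed line or too many media sections. */
static int sdp_parse(const char *body, struct sdp *s)
{
    const char *p = body;
    memset(s, 0, sizeof *s);
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        char line[256];
        if (len >= sizeof line) return -1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (len && line[len - 1] == '\r') line[--len] = '\0';

        if (strncmp(line, "m=", 2) == 0) {
            struct media *m;
            if (s->nmedia >= MAX_MEDIA) return -1;
            m = &s->m[s->nmedia];
            if (sscanf(line, "m=%15s %d", m->type, &m->port) != 2) return -1;
            s->nmedia++;
        } else if (strncmp(line, "c=", 2) == 0) {
            if (s->nmedia == 0) {
                if (parse_c_line(line, s->session_addr, sizeof s->session_addr)) return -1;
                s->has_session_addr = 1;
            } else {
                struct media *m = &s->m[s->nmedia - 1];
                if (parse_c_line(line, m->addr, sizeof m->addr)) return -1;
                m->has_addr = 1;
            }
        }
        if (!eol) break;
        p = eol + 1;
    }
    return 0;
}

/* Second pass: give each stream the address it should use. A stream without a
 * media-level c= falls back to the session-level one; with neither there is
 * nothing to apply, and the stream is skipped rather than dereferenced (the
 * AST-2013-005 case). Returns the number of usable streams. */
static int sdp_resolve_media(struct sdp *s)
{
    int usable = 0, i;
    for (i = 0; i < s->nmedia; i++) {
        struct media *m = &s->m[i];
        if (!m->has_addr) {
            if (!s->has_session_addr) continue;
            snprintf(m->addr, sizeof m->addr, "%s", s->session_addr);
            m->has_addr = 1;
        }
        usable++;
    }
    return usable;
}

/* Demo helper: parse + resolve; usable stream count, or -1 on a parse error. */
static int sdp_usable_streams(const char *body)
{
    struct sdp s;
    if (sdp_parse(body, &s) != 0) return -1;
    return sdp_resolve_media(&s);
}

/* Constructed bodies. SDP_LATE_C has the shape the advisory describes: media
 * sections first, connection information only afterwards. */
static const char SDP_GOOD[] =
    "v=0\r\no=- 1 1 IN IP4 203.0.113.5\r\ns=-\r\nc=IN IP4 203.0.113.5\r\nt=0 0\r\n"
    "m=audio 5004 RTP/AVP 0\r\nm=video 5006 RTP/AVP 96\r\n";
static const char SDP_LATE_C[] =
    "v=0\r\no=- 1 1 IN IP4 203.0.113.5\r\ns=-\r\nt=0 0\r\n"
    "m=audio 5004 RTP/AVP 0\r\nm=video 5006 RTP/AVP 96\r\nc=IN IP4 203.0.113.5\r\n";
static const char SDP_NO_C[] =
    "v=0\r\no=- 1 1 IN IP4 203.0.113.5\r\ns=-\r\nt=0 0\r\nm=audio 5004 RTP/AVP 0\r\n";

int main(void)
{
    printf("session c= before media: %d usable\n", sdp_usable_streams(SDP_GOOD));
    printf("c= only after media    : %d usable (video only)\n", sdp_usable_streams(SDP_LATE_C));
    printf("no c= at all           : %d usable\n", sdp_usable_streams(SDP_NO_C));
    return 0;
}
```

In SDP_LATE_C the trailing c= is, by the grammar, media level for the video stream, so audio ends up with no address at all; that is the case a single-pass parser that applied addresses as it went would have dereferenced.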

Affected Versions
  Product                     Release Series
  Asterisk Open Source        1.8.x              All Versions
  Asterisk Open Source        10.x               All Versions
  Asterisk Open Source        11.x               All Versions
  Certified Asterisk          1.8.15             All Versions
  Certified Asterisk          11.2               All Versions
  Asterisk with Digiumphones  10.x-digiumphones  All Versions

Corrected In
  Product                     Release
  Asterisk Open Source        1.8.23.1, 10.12.3, 11.5.1
  Certified Asterisk          1.8.15-cert3, 11.2-cert2
  Asterisk with Digiumphones  10.12.3-digiumphones

Patches
  SVN URL                                                                       Revision
  http://downloads.asterisk.org/pub/security/AST-2013-005-1.8.diff              Asterisk 1.8
  http://downloads.asterisk.org/pub/security/AST-2013-005-10.diff               Asterisk 10
  http://downloads.asterisk.org/pub/security/AST-2013-005-10-digiumphones.diff  Asterisk 10-digiumphones
  http://downloads.asterisk.org/pub/security/AST-2013-005-11.diff               Asterisk 11
  http://downloads.asterisk.org/pub/security/AST-2013-005-1.8.15.diff           Certified Asterisk 1.8.15
  http://downloads.asterisk.org/pub/security/AST-2013-005-11.2.diff             Certified Asterisk 11.2

Links  https://issues.asterisk.org/jira/browse/ASTERISK-22007

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2013-005.pdf and 
http://downloads.digium.com/pub/security/AST-2013-005.html

Revision History
  Date Editor  Revisions Made 
2013-08-27 Matt Jordan  Initial Revision  

   Asterisk Project Security Advisory - AST-2013-005
  Copyright (c) 2013 Digium, Inc. All Rights Reserved.
  Permission is hereby granted t

[Full-disclosure] AST-2013-004: Remote Crash From Late Arriving SIP ACK With SDP

2013-08-27 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2013-004

Product             Asterisk
Summary             Remote Crash From Late Arriving SIP ACK With SDP
Nature of Advisory  Remote Crash
Susceptibility      Remote Unauthenticated Sessions
Severity            Major
Exploits Known      None
Reported On         February 11, 2013
Reported By         Colin Cuthbertson
Posted On           August 27, 2013
Last Updated On     August 27, 2013
Advisory Contact    Joshua Colp
CVE Name            Pending

Description  A remotely exploitable crash vulnerability exists in the 
 SIP channel driver if an ACK with SDP is received after the  
 channel has been terminated. The handling code incorrectly   
 assumes that the channel will always be present. 

Resolution  A check has now been added which only parses SDP and applies  
it if an Asterisk channel is present. 
  
Note that Walter Doekes, OSSO B.V., is responsible for
diagnosing and providing the fix for this issue.  

Affected Versions
  Product               Release Series
  Asterisk Open Source  1.8.x           1.8.17.0 and above
  Asterisk Open Source  11.x            All versions
  Certified Asterisk    1.8.15          All versions
  Certified Asterisk    11.2            All versions

Corrected In
  Product               Release
  Asterisk Open Source  1.8.23.1, 11.5.1
  Certified Asterisk    1.8.15-cert3, 11.2-cert2

Patches
  SVN URL                                                                   Revision
  http://downloads.asterisk.org/pub/security/AST-2013-004-1.8.diff          Asterisk 1.8
  http://downloads.asterisk.org/pub/security/AST-2013-004-11.diff           Asterisk 11
  http://downloads.asterisk.org/pub/security/AST-2013-004-1.8.15-cert.diff  Certified Asterisk 1.8.15
  http://downloads.asterisk.org/pub/security/AST-2013-004-11.2-cert.diff    Certified Asterisk 11.2

Links  https://issues.asterisk.org/jira/browse/ASTERISK-21064

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2013-004.pdf and 
http://downloads.digium.com/pub/security/AST-2013-004.html

Revision History
  Date Editor  Revisions Made 
2013-08-22 Joshua Colp  Initial revision. 

   Asterisk Project Security Advisory - AST-2013-004
  Copyright (c) 2013 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.



[Full-disclosure] AST-2013-003: Username disclosure in SIP channel driver

2013-03-27 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2013-003

Product             Asterisk
Summary             Username disclosure in SIP channel driver
Nature of Advisory  Unauthorized data disclosure
Susceptibility      Remote Unauthenticated Sessions
Severity            Moderate
Exploits Known      No
Reported On         January 30, 2013
Reported By         Walter Doekes, OSSO B.V.
Posted On           February 21, 2013
Last Updated On     March 27, 2013
Advisory Contact    Kinsey Moore
CVE Name            CVE-2013-2264

Description  When authenticating via SIP with alwaysauthreject enabled,   
 allowguest disabled, and autocreatepeer disabled, Asterisk   
 discloses whether a user exists for INVITE, SUBSCRIBE, and   
 REGISTER transactions in multiple ways.  
  
 This information was disclosed:  
  
 * when a "407 Proxy Authentication Required" response was
 sent instead of "401 Unauthorized" response. 
  
 * due to the presence or absence of additional tags at the   
 end of "403 Forbidden" such as "(Bad auth)". 
  
 * when a "401 Unauthorized" response was sent instead of 
 "403 Forbidden" response after a retransmission. 
  
 * when retransmissions were sent when a matching peer did
 not exist, but were not when a matching peer did exist.  

Resolution  This issue can only be mitigated by upgrading to versions of  
Asterisk that contain the patch or applying the patch.
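The four leaks listed above all come from the response being built differently depending on whether a peer matched. This added C example, written for this page and not taken from chan_sip's authentication code, shows the alwaysauthreject principle the fix enforces: unknown user and known user with bad credentials are routed through the same response text, so status, challenge and diagnostic tags cannot differ. The peer table, the plaintext-secret stand-in for digest verification and the pinned nonce are assumptions made so the two replies can be compared byte for byte.

```c
#include <stdio.h>
#include <string.h>

struct peer { const char *name; const char *secret; };

/* Constructed peer table standing in for sip.conf entries. */
static const struct peer PEERS[] = { { "1001", "s3cret" }, { "1002", "hunter2" } };

static const struct peer *find_peer(const char *user)
{
    size_t i;
    for (i = 0; i < sizeof PEERS / sizeof PEERS[0]; i++)
        if (user && strcmp(PEERS[i].name, user) == 0) return &PEERS[i];
    return NULL;
}

/* Stand-in for digest verification: the request presents the plaintext
 * secret. NULL means no credentials were offered at all. */
static int creds_valid(const struct peer *p, const char *presented)
{
    return p && presented && strcmp(p->secret, presented) == 0;
}

/* Answer an INVITE/SUBSCRIBE/REGISTER under alwaysauthreject semantics. The
 * unknown-user case and the known-user-bad-credentials case go through the
 * same text: same status, same challenge, no diagnostic tag such as
 * "(Bad auth)", and (in real code) the same retransmission behaviour, because
 * nothing after the credential check branches on whether a peer matched.
 * Returns the status code written into out. */
static int build_auth_response(const char *user, const char *presented,
                               const char *nonce, char *out, size_t outlen)
{
    const struct peer *p = find_peer(user);
    if (creds_valid(p, presented)) {
        snprintf(out, outlen, "SIP/2.0 200 OK\r\n");
        return 200;
    }
    /* Variants the advisory lists as leaking the user's existence:
     *   407 for one case versus 401 for the other;
     *   "403 Forbidden" versus "403 Forbidden (Bad auth)";
     *   401 on retransmission where the first reply was 403;
     *   retransmitting the reply only when no peer matched. */
    snprintf(out, outlen,
             "SIP/2.0 401 Unauthorized\r\n"
             "WWW-Authenticate: Digest realm=\"asterisk\", nonce=\"%s\", algorithm=MD5\r\n",
             nonce);
    return 401;
}

/* Demo helper: status only. */
static int auth_status(const char *user, const char *presented)
{
    char buf[256];
    return build_auth_response(user, presented, "c0ffee", buf, sizeof buf);
}

/* Demo helper: 1 if a bad-credential attempt for user_a and a no-credential
 * attempt for user_b receive byte-identical replies. The nonce is pinned for
 * the comparison; a real server picks a fresh one per challenge, which is
 * fine because it carries no information about the user. */
static int responses_identical(const char *user_a, const char *user_b)
{
    char a[256], b[256];
    build_auth_response(user_a, "wrong", "c0ffee", a, sizeof a);
    build_auth_response(user_b, NULL,    "c0ffee", b, sizeof b);
    return strcmp(a, b) == 0;
}

int main(void)
{
    printf("1001 with correct secret : %d\n", auth_status("1001", "s3cret"));
    printf("1001 with wrong secret   : %d\n", auth_status("1001", "wrong"));
    printf("9999 (no such peer)      : %d\n", auth_status("9999", NULL));
    printf("replies to 1001/wrong and 9999/none identical: %d\n",
           responses_identical("1001", "9999"));
    return 0;
}
```

Timing is the remaining channel this does not cover: if the known-peer path does real digest work and the unknown-peer path does not, the difference is measurable, so a production implementation should also spend comparable time on both.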

Affected Versions
  Product                    Release Series
  Asterisk Open Source       1.8.x              All Versions
  Asterisk Open Source       10.x               All Versions
  Asterisk Open Source       11.x               All Versions
  Certified Asterisk         1.8.15             All Versions
  Asterisk Business Edition  C.3.x              All Versions
  Asterisk Digiumphones      10.x-digiumphones  All Versions

Corrected In
  Product                    Release
  Asterisk Open Source       1.8.20.2, 10.12.2, 11.2.2
  Asterisk Digiumphones      10.12.2-digiumphones
  Certified Asterisk         1.8.15-cert2
  Asterisk Business Edition  C.3.8.1

Patches
  SVN URL                                                                   Revision
  http://downloads.asterisk.org/pub/security/AST-2013-003-1.8.diff          Asterisk 1.8
  http://downloads.asterisk.org/pub/security/AST-2013-003-10.diff           Asterisk 10
  http://downloads.asterisk.org/pub/security/AST-2013-003-11.diff           Asterisk 11
  http://downloads.asterisk.org/pub/security/AST-2013-003-1.8.15-cert.diff  Certified Asterisk 1.8.15
  http://downloads.asterisk.org/pub/security/AST-2013-003-C.3.diff          Asterisk BE C.3

Links  https://issues.asterisk.org/jira/browse/ASTERISK-21013

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
   

[Full-disclosure] AST-2013-002: Denial of Service in HTTP server

2013-03-27 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2013-002

Product             Asterisk
Summary             Denial of Service in HTTP server
Nature of Advisory  Denial of Service
Susceptibility      Remote Unauthenticated Sessions
Severity            Major
Exploits Known      None
Reported On         January 21, 2013
Reported By         Christoph Hebeisen, TELUS Security Labs
Posted On           March 27, 2013
Last Updated On     March 27, 2013
Advisory Contact    Mark Michelson
CVE Name            CVE-2013-2686

   Description AST-2012-014 [1], fixed in January of this year, contained a   
   fix for Asterisk's HTTP server since it was susceptible to a   
   remotely-triggered crash.  
  
   The fix put in place fixed the possibility for the crash to be 
   triggered, but a possible denial of service still exists if an 
   attacker sends one or more HTTP POST requests with very large  
   Content-Length values. 
  
   [1]
   http://downloads.asterisk.org/pub/security/AST-2012-014.html   

Resolution  Content-Length is now capped at a maximum value of 1024   
bytes. Any attempt to send an HTTP POST with content-length   
greater than this cap will not result in any memory   
allocated. The POST will be responded to with an HTTP 413 
"Request Entity Too Large" response.  

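The cap described in the resolution only helps if it is applied before the body is read, and with a parser that cannot be fooled by a malformed or overflowing value. This added C example, written for this page and not Asterisk's HTTP server code, parses Content-Length strictly, answers 400 for a malformed value and 413 for anything above 1024 bytes or beyond the range of the integer type, and allocates only after those checks. The helper names and the sample values are the example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

#define MAX_CONTENT_LENGTH 1024UL   /* the cap the advisory describes */

/* Strict Content-Length parse: optional surrounding blanks, decimal digits,
 * nothing else. Returns 0 (value in *len), -1 malformed, 1 numeric overflow. */
static int parse_content_length(const char *value, unsigned long *len)
{
    char *end;
    unsigned long v;
    while (*value == ' ' || *value == '\t') value++;
    if (*value < '0' || *value > '9') return -1;   /* rejects "", "-5", "+5", "abc" */
    errno = 0;
    v = strtoul(value, &end, 10);
    if (errno == ERANGE) return 1;                 /* more digits than the type holds */
    while (*end == ' ' || *end == '\t') end++;
    if (*end != '\0') return -1;                    /* rejects "12abc", "1 2" */
    *len = v;
    return 0;
}

/* Decide the fate of a POST before one byte of body storage is allocated.
 * Returns the status to send at once (400 or 413), or 0 when a buffer of
 * exactly *len bytes may be reserved. */
static int check_post_body(const char *content_length_value, unsigned long *len)
{
    int rc = parse_content_length(content_length_value, len);
    if (rc < 0) return 400;
    if (rc > 0 || *len > MAX_CONTENT_LENGTH) return 413;   /* Request Entity Too Large */
    return 0;
}

/* Copy the body out of already-received bytes, but only after the check above
 * has passed. Returns a heap copy the caller frees. NULL with *status == 0
 * means the declared body has not fully arrived yet; any other *status is the
 * error to send. Nothing is allocated on a rejected request. */
static char *read_post_body(const char *content_length_value,
                            const char *stream, size_t stream_len, int *status)
{
    unsigned long len;
    char *body;
    *status = check_post_body(content_length_value, &len);
    if (*status != 0) return NULL;
    if (len > stream_len) return NULL;              /* wait for the rest, bounded by the cap */
    body = malloc(len + 1);
    if (!body) { *status = 500; return NULL; }
    memcpy(body, stream, len);
    body[len] = '\0';
    return body;
}

/* Demo helper: status alone. */
static int post_status(const char *content_length_value)
{
    unsigned long len;
    return check_post_body(content_length_value, &len);
}

int main(void)
{
    static const char *samples[] = { "512", "1024", "1025", "99999999999999999999999", "-1", "12abc", "" };
    size_t i;
    int status;
    char *body;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("Content-Length: %-24s -> %d\n", samples[i], post_status(samples[i]));
    body = read_post_body("11", "hello world", 11, &status);   /* constructed body */
    printf("body read: %s (status %d)\n", body ? body : "(none)", status);
    free(body);
    return 0;
}
```

The overflow case is the one most often missed: a 23-digit Content-Length that wraps a naive atoi() into a small number passes a cap check and then drives a read loop with the original, huge expectation.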
Affected Versions
  Product                Release Series
  Asterisk Open Source   1.8.x              1.8.19.1, 1.8.20.0, 1.8.20.1
  Asterisk Open Source   10.x               10.11.1, 10.12.0, 10.12.1
  Asterisk Open Source   11.x               11.1.2, 11.2.0, 11.2.1
  Certified Asterisk     1.8.15             1.8.15-cert1
  Asterisk Digiumphones  10.x-digiumphones  10.11.1-digiumphones, 10.12.0-digiumphones,
                                            10.12.1-digiumphones

Corrected In
  Product                Release
  Asterisk Open Source   1.8.20.2, 10.12.2, 11.2.2
  Certified Asterisk     1.8.15-cert2
  Asterisk Digiumphones  10.12.2-digiumphones

Patches
  SVN URL                                                                   Revision
  http://downloads.asterisk.org/pub/security/AST-2012-014-1.8.diff          Asterisk 1.8
  http://downloads.asterisk.org/pub/security/AST-2012-014-10.diff           Asterisk 10
  http://downloads.asterisk.org/pub/security/AST-2012-014-11.diff           Asterisk 11
  http://downloads.asterisk.org/pub/security/AST-2012-014-1.8.15-cert.diff  Certified Asterisk 1.8.15

Links  https://issues.asterisk.org/jira/browse/ASTERISK-20967
       http://telussecuritylabs.com/threats/show/TSL20130327-01

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2013-002.pdf and 
http://downloads.d

[Full-disclosure] AST-2013-001: Buffer Overflow Exploit Through SIP SDP Header

2013-03-27 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2013-001

Product             Asterisk
Summary             Buffer Overflow Exploit Through SIP SDP Header
Nature of Advisory  Exploitable Stack Buffer Overflow
Susceptibility      Remote Unauthenticated Sessions
Severity            Major
Exploits Known      No
Reported On         6 January, 2013
Reported By         Ulf Härnhammar
Posted On           27 March, 2013
Last Updated On     March 27, 2013
Advisory Contact    Jonathan Rose
CVE Name            CVE-2013-2685

Description  The format attribute resource for h264 video performs an 
 unsafe read against a media attribute when parsing the SDP.  
 The vulnerable parameter can be received as strings of an
 arbitrary length and Asterisk attempts to read them into 
 limited buffer spaces without applying a limit to the
 number of characters read. If a message is formed
 improperly, this could lead to an attacker being able to 
 execute arbitrary code remotely. 

Resolution  Attempts to read string data into the buffers noted are now   
explicitly limited by the size of the buffers.
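The unsafe read above is the classic unbounded "%s" in sscanf. This added C example, written for this page and not taken from res_format_attr_h264, shows the vulnerable shape next to a hardened parser for an a=fmtp value: every conversion carries a field width, and %n is used to notice when a value was longer than its width, so truncation is refused rather than silently accepted. The buffer size and the sample line are assumptions of the example; the parameter names are the RFC 6184 ones.

```c
#include <stdio.h>
#include <string.h>

#define SPROP_MAX 255          /* assumption: widest sprop-parameter-sets value kept */
#define STR_(x) #x
#define STR(x) STR_(x)         /* turns SPROP_MAX into the "255" inside the scanf format */

struct h264_attr {
    unsigned profile_level_id;
    char     sps_pps[SPROP_MAX + 1];
    unsigned packetization_mode;
};

/* VULNERABLE shape, kept only to show the difference. Never call it on
 * untrusted input: "%s" has no field width, so a value longer than the buffer
 * keeps writing past sps_pps into whatever follows it on the stack. */
static int parse_sprop_unsafe(const char *param, struct h264_attr *out)
{
    return sscanf(param, "sprop-parameter-sets=%s", out->sps_pps) == 1;   /* BAD */
}

/* Hardened parse of an a=fmtp value such as
 *   "profile-level-id=42e01f;sprop-parameter-sets=Z0IA...,aM48gA==;packetization-mode=1"
 * Widths stop the overflow; %n reports how much was consumed, so a value that
 * was clipped at the width is detected and rejected, because a clipped
 * parameter set is as useless as an overflow is dangerous.
 * Returns 0 on success, -1 on malformed or over-long input. */
static int parse_fmtp(const char *fmtp, struct h264_attr *out)
{
    char copy[512];
    char *tok;
    if (strlen(fmtp) >= sizeof copy) return -1;   /* bound the whole line first */
    strcpy(copy, fmtp);
    memset(out, 0, sizeof *out);

    for (tok = strtok(copy, ";"); tok; tok = strtok(NULL, ";")) {
        size_t tl;
        int n = 0;
        while (*tok == ' ') tok++;
        tl = strlen(tok);
        while (tl && tok[tl - 1] == ' ') tok[--tl] = '\0';

        if (strncmp(tok, "sprop-parameter-sets=", 21) == 0) {
            if (sscanf(tok + 21, "%" STR(SPROP_MAX) "[^;]%n", out->sps_pps, &n) != 1
                || tok[21 + n] != '\0')
                return -1;                          /* empty, or longer than SPROP_MAX */
        } else if (strncmp(tok, "profile-level-id=", 17) == 0) {
            if (sscanf(tok + 17, "%6x%n", &out->profile_level_id, &n) != 1 || tok[17 + n] != '\0')
                return -1;                          /* exactly six hex digits */
        } else if (strncmp(tok, "packetization-mode=", 19) == 0) {
            if (sscanf(tok + 19, "%1u%n", &out->packetization_mode, &n) != 1 || tok[19 + n] != '\0')
                return -1;
        }
        /* other parameters are ignored */
    }
    return 0;
}

/* Demo helper: a sprop-parameter-sets value of value_len bytes; returns
 * parse_fmtp's verdict for it. */
static int sprop_of_length(size_t value_len)
{
    char line[512];
    struct h264_attr a;
    const char prefix[] = "sprop-parameter-sets=";
    if (value_len + sizeof prefix >= sizeof line) return -1;
    memcpy(line, prefix, sizeof prefix - 1);
    memset(line + sizeof prefix - 1, 'A', value_len);
    line[sizeof prefix - 1 + value_len] = '\0';
    return parse_fmtp(line, &a);
}

static const char SAMPLE_FMTP[] =   /* constructed, typical of a SIP video offer */
    "profile-level-id=42e01f;sprop-parameter-sets=Z0IAH5WoFAFuQA==,aM48gA==;packetization-mode=1";
static struct h264_attr demo;

int main(void)
{
    struct h264_attr unsafe_demo;
    int rc = parse_fmtp(SAMPLE_FMTP, &demo);
    printf("rc=%d profile=%06x mode=%u sprop=%s\n", rc, demo.profile_level_id,
           demo.packetization_mode, demo.sps_pps);
    printf("value of %d bytes -> %d (fits)\n", SPROP_MAX, sprop_of_length(SPROP_MAX));
    printf("value of %d bytes -> %d (refused, not overflowed)\n",
           SPROP_MAX + 1, sprop_of_length(SPROP_MAX + 1));
    /* The unsafe variant is only ever handed a constant that is known to fit. */
    parse_sprop_unsafe("sprop-parameter-sets=Z0IAH5WoFAFuQA==", &unsafe_demo);
    return 0;
}
```

The width alone would have closed the advisory; the %n check is the extra step that keeps a truncated, now-invalid parameter set from being handed to the media layer as if it were complete.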

Affected Versions
  Product               Release Series
  Asterisk Open Source  11.x            All Versions

Corrected In
  Product               Release
  Asterisk Open Source  11.2.2

Patches
  SVN URL                                                          Revision
  http://downloads.asterisk.org/pub/security/AST-2013-001-11.diff  Asterisk 11

Links  https://issues.asterisk.org/jira/browse/ASTERISK-20901

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2013-001.pdf and 
http://downloads.digium.com/pub/security/AST-2013-001.html

Revision History
Date  Editor   Revisions Made 
February 11, 2013  Jonathan Rose Initial Draft
March 27, 2013 Matt Jordan   CVE Added

   Asterisk Project Security Advisory - AST-2013-001
  Copyright (c) 2013 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.



[Full-disclosure] AST-2012-015: Denial of Service Through Exploitation of Device State Caching

2013-01-02 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2012-015

Product             Asterisk
Summary             Denial of Service Through Exploitation of Device
                    State Caching
Nature of Advisory  Denial of Service
Susceptibility      Remote Unauthenticated Sessions
Severity            Critical
Exploits Known      None
Reported On         26 July, 2012
Reported By         Russell Bryant
Posted On           2 January, 2013
Last Updated On     January 2, 2013
Advisory Contact    Matt Jordan
CVE Name            CVE-2012-5977

Description  Asterisk maintains an internal cache for devices. The
 device state cache holds the state of each device known to   
 Asterisk, such that consumers of device state information
 can query for the last known state for a particular device,  
 even if it is not part of an active call. The concept of a   
 device in Asterisk can include things that do not have a 
 physical representation. One way that this currently occurs  
 is when anonymous calls are allowed in Asterisk. A device
 is automatically created and stored in the cache for each
 anonymous call that occurs; this is possible in the SIP and  
 IAX2 channel drivers and through channel drivers that
 utilize the res_jabber/res_xmpp resource modules (Gtalk, 
 Jingle, and Motif). Attackers exploiting this vulnerability  
 can attack an Asterisk system configured to allow anonymous  
 calls by varying the source of the anonymous call,   
 continually adding devices to the device state cache and 
 consuming a system's resources.  

Resolution  Channels that are not associated with a physical device are   
no longer stored in the device state cache. This affects  
Local, DAHDI, SIP and IAX2 channels, and any channel drivers  
built on the res_jabber/res_xmpp resource modules (Gtalk, 
Jingle, and Motif).   

Affected Versions
  Product                Release Series
  Asterisk Open Source   1.8.x              All Versions
  Asterisk Open Source   10.x               All Versions
  Asterisk Open Source   11.x               All Versions
  Certified Asterisk     1.8.11             All Versions
  Asterisk Digiumphones  10.x-digiumphones  All Versions

Corrected In
  Product                Release
  Asterisk Open Source   1.8.19.1, 10.11.1, 11.1.1
  Certified Asterisk     1.8.11-cert10
  Asterisk Digiumphones  10.11.1-digiumphones

Patches
  SVN URL                                                           Revision
  http://downloads.asterisk.org/pub/security/AST-2012-015-1.8.diff  Asterisk 1.8
  http://downloads.asterisk.org/pub/security/AST-2012-015-10.diff   Asterisk 10
  http://downloads.asterisk.org/pub/security/AST-2012-015-11.diff   Asterisk 11

Links  https://issues.asterisk.org/jira/browse/ASTERISK-20175

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2012-015.pdf and 
http://downloads.digium.com/pub/security/AST-2012-015.html

Revision History
  Date   

[Full-disclosure] AST-2012-014: Crashes due to large stack allocations when using TCP

2013-01-02 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2012-014

 ProductAsterisk  
 SummaryCrashes due to large stack allocations when using 
TCP   
Nature of Advisory  Stack Overflow
  Susceptibility    Remote Unauthenticated Sessions (SIP)
                    Remote Authenticated Sessions (XMPP, HTTP)
 Severity   Critical  
  Exploits KnownNo
   Reported On  7 November, 2012  
   Reported By  Walter Doekes 
Posted On   2 January, 2013   
 Last Updated OnJanuary 2, 2013   
 Advisory Contact   Mark Michelson  
 CVE Name   CVE-2012-5976 

Description  Asterisk has several places where messages received over 
 various network transports may be copied in a single stack   
 allocation. In the case of TCP, since multiple packets in a  
 stream may be concatenated together, this can lead to large  
 allocations that overflow the stack. 
  
 In the case of SIP, it is possible to do this before a   
 session is established. Keep in mind that SIP over UDP is
 not affected by this vulnerability.  
  
 With HTTP and XMPP, a session must first be established  
 before the vulnerability may be exploited. The XMPP  
 vulnerability exists both in the res_jabber.so module in 
 Asterisk 1.8, 10, and 11 as well as the res_xmpp.so module   
 in Asterisk 11.  

Resolution  Stack allocations when using TCP have either been eliminated  
in favor of heap allocations or have had an upper bound   
placed on them to ensure that the stack will not overflow.
  
For SIP, the allocation now has an upper limit.   
  
For HTTP, the allocation is now a heap allocation instead of  
a stack allocation.   
  
For XMPP, the allocation has been eliminated since it was 
unnecessary.  
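As an added example (not code from Asterisk or from the patches above), this is the shape of the TCP fix the resolution describes: a reader that accumulates one message from a stream only up to a fixed ceiling and copies it to the heap, where the vulnerable form sized a stack buffer by whatever length the concatenated stream happened to supply. The MAX_MESSAGE_LEN value, the stream struct and the sample OPTIONS messages are constructed for illustration; the advisory does not state the actual limit Asterisk adopted.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical per-message ceiling; the advisory says an upper bound was
 * introduced for SIP over TCP but does not give its value. */
#define MAX_MESSAGE_LEN 65536

/* Constructed stand-in for the bytes one recv() on a TCP socket returns:
 * several SIP messages may arrive concatenated in a single read. */
struct stream {
    const char *data;
    size_t len;
    size_t pos;
};

enum read_status { READ_OK = 0, READ_INCOMPLETE = -1, READ_TOO_LARGE = -2 };

/*
 * Vulnerable shape, shown only as a comment because running it with a
 * large 'len' is exactly the stack overflow the advisory describes:
 *
 *     char buf[len];              // stack allocation sized by the peer
 *     memcpy(buf, start, len);
 */

/* Hardened reader: looks for the blank line that ends a SIP header block,
 * never examines more than MAX_MESSAGE_LEN bytes while searching, and
 * returns the message in a heap buffer the caller frees. */
enum read_status read_message_bounded(struct stream *s, char **out, size_t *outlen)
{
    const char *start = s->data + s->pos;
    size_t avail = s->len - s->pos;
    size_t window = avail < MAX_MESSAGE_LEN ? avail : MAX_MESSAGE_LEN;

    for (size_t i = 0; i + 4 <= window; i++) {
        if (memcmp(start + i, "\r\n\r\n", 4) != 0) {
            continue;
        }
        size_t msglen = i + 4;
        char *msg = malloc(msglen + 1);
        if (!msg) {
            return READ_INCOMPLETE;
        }
        memcpy(msg, start, msglen);
        msg[msglen] = '\0';
        s->pos += msglen;
        *out = msg;
        *outlen = msglen;
        return READ_OK;
    }
    /* No terminator inside the window: either wait for more bytes, or the
     * peer has already sent more than any legitimate message may hold. */
    return avail >= MAX_MESSAGE_LEN ? READ_TOO_LARGE : READ_INCOMPLETE;
}

/* Constructed sample: two OPTIONS requests delivered in a single read. */
const char SAMPLE_STREAM[] =
    "OPTIONS sip:pbx.example SIP/2.0\r\nContent-Length: 0\r\n\r\n"
    "OPTIONS sip:pbx.example SIP/2.0\r\nContent-Length: 0\r\n\r\n";

/* Number of complete messages the bounded reader extracts from 'data'. */
int count_messages(const char *data, size_t len)
{
    struct stream s = { data, len, 0 };
    char *msg;
    size_t msglen;
    int n = 0;
    while (read_message_bounded(&s, &msg, &msglen) == READ_OK) {
        free(msg);
        n++;
    }
    return n;
}

/* Feeds a constructed header block larger than the ceiling, with no
 * terminator, and reports the reader's verdict. */
enum read_status oversized_verdict(void)
{
    size_t n = MAX_MESSAGE_LEN + 1024;
    char *big = malloc(n);
    if (!big) {
        return READ_INCOMPLETE;
    }
    memset(big, 'A', n);
    struct stream s = { big, n, 0 };
    char *msg;
    size_t msglen;
    enum read_status r = read_message_bounded(&s, &msg, &msglen);
    free(big);
    return r;
}
```

READ_TOO_LARGE is the signal to drop the connection; READ_INCOMPLETE is the ordinary case of a message split across packets, and the caller simply waits for more bytes.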

   Affected Versions
Product   Release Series
 Asterisk Open Source  1.8.xAll versions  
 Asterisk Open Source  10.x All versions  
 Asterisk Open Source  11.x All versions  
  Certified Asterisk    1.8.11             SIP: unaffected; HTTP and XMPP: All versions
 Asterisk Digiumphones   10.x-digiumphones  All versions  

  Corrected In
 Product  Release 
  Asterisk Open Source   1.8.19.1, 10.11.1, 11.1.1
   Certified Asterisk  1.8.11-cert10  
  Asterisk Digiumphones10.11.1-digiumphones   

Patches 
   SVN URL                                                          Revision
   http://downloads.asterisk.org/pub/security/AST-2012-014-1.8.diff Asterisk 1.8
   http://downloads.asterisk.org/pub/security/AST-2012-014-10.diff  Asterisk 10
   http://downloads.asterisk.org/pub/security/AST-2012-014-11.diff  Asterisk 11

   Links https://issues.asterisk.org/jira/browse/ASTERISK-20658   

  

[Full-disclosure] AST-2012-013: ACL rules ignored when placing outbound calls by certain IAX2 users

2012-08-30 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2012-013

 ProductAsterisk  
 SummaryACL rules ignored when placing outbound calls by  
certain IAX2 users
Nature of Advisory  Unauthorized use of system
  SusceptibilityRemote Authenticated Sessions 
 Severity   Moderate  
  Exploits KnownNone  
   Reported On  07/27/2012
   Reported By  Alan Frisch   
Posted On   08/30/2012
 Last Updated OnAugust 30, 2012   
 Advisory Contact   Matt Jordan < mjordan AT digium DOT com > 
 CVE Name   CVE-2012-4737 

Description  When an IAX2 call is made using the credentials of a peer
 defined in a dynamic Asterisk Realtime Architecture (ARA)
 backend, the ACL rules for that peer are not applied to the  
 call attempt. This allows for a remote attacker who is   
 aware of a peer's credentials to bypass the ACL rules set
 for that peer.   

Resolution  The ACL rules for peers defined in an ARA backend are now 
honored. Users of chan_iax2 should upgrade to the corrected   
versions; apply a provided patch; or define their IAX2 peers  
outside of an ARA backend in a static configuration file. 
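An added example, not chan_iax2 code: a minimal permit/deny ACL in Asterisk's configuration syntax, applied the way the fix requires, to every call attempt that uses a peer's credentials whether the peer was loaded from a static file or from an ARA backend. The structs, function names and the sample peer "alice" are constructed; the rule ordering (rules applied in sequence, last match decides, no match means allow) is assumed here to follow Asterisk's permit/deny semantics.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ACL_MAX_RULES 16

struct acl_rule {
    int permit;       /* 1 for permit=, 0 for deny= */
    uint32_t net;     /* network address, host byte order, already masked */
    uint32_t mask;    /* netmask, host byte order */
};

struct acl {
    struct acl_rule rules[ACL_MAX_RULES];
    int count;
};

/* Parses dotted-quad IPv4 text into host byte order; returns 0 on failure. */
static int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char extra;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &extra) != 4) {
        return 0;
    }
    if (a > 255 || b > 255 || c > 255 || d > 255) {
        return 0;
    }
    *out = ((uint32_t)a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/* Adds one "permit=addr/mask" or "deny=addr/mask" line; the mask may be a
 * dotted netmask or a CIDR prefix length, and may be omitted for a host. */
int acl_add(struct acl *acl, const char *line)
{
    const char *eq = strchr(line, '=');
    if (!eq || acl->count >= ACL_MAX_RULES) {
        return 0;
    }
    size_t klen = (size_t)(eq - line);
    int permit;
    if (klen == 6 && strncmp(line, "permit", 6) == 0) {
        permit = 1;
    } else if (klen == 4 && strncmp(line, "deny", 4) == 0) {
        permit = 0;
    } else {
        return 0;
    }
    char addr[16];
    uint32_t net, mask = 0xffffffffu;
    const char *slash = strchr(eq + 1, '/');
    size_t alen = slash ? (size_t)(slash - (eq + 1)) : strlen(eq + 1);
    if (alen >= sizeof addr) {
        return 0;
    }
    memcpy(addr, eq + 1, alen);
    addr[alen] = '\0';
    if (!parse_ipv4(addr, &net)) {
        return 0;
    }
    if (slash && strchr(slash + 1, '.')) {
        if (!parse_ipv4(slash + 1, &mask)) {
            return 0;
        }
    } else if (slash) {
        unsigned bits;
        char extra;
        if (sscanf(slash + 1, "%u%c", &bits, &extra) != 1 || bits > 32) {
            return 0;
        }
        mask = bits == 0 ? 0 : 0xffffffffu << (32 - bits);
    }
    acl->rules[acl->count].permit = permit;
    acl->rules[acl->count].net = net & mask;
    acl->rules[acl->count].mask = mask;
    acl->count++;
    return 1;
}

/* Rules are applied in order and the last matching rule decides (assumed
 * to match Asterisk's permit/deny ordering); no match means allow. */
int acl_allows(const struct acl *acl, uint32_t addr)
{
    int allow = 1;
    for (int i = 0; i < acl->count; i++) {
        const struct acl_rule *r = &acl->rules[i];
        if ((addr & r->mask) == r->net) {
            allow = r->permit;
        }
    }
    return allow;
}

struct iax2_peer {
    const char *name;
    int from_realtime;   /* 1 if the peer was loaded from an ARA backend */
    struct acl acl;
};

/* The check the fix restores: the peer's ACL applies to every call attempt
 * made with its credentials, regardless of where the peer was defined. */
int peer_call_allowed(const struct iax2_peer *peer, const char *src)
{
    uint32_t addr;
    if (!parse_ipv4(src, &addr)) {
        return 0;
    }
    return acl_allows(&peer->acl, addr);
}

/* Constructed sample: a realtime-defined peer restricted to one LAN. */
int sample_realtime_peer_allows(const char *src)
{
    struct iax2_peer p;
    memset(&p, 0, sizeof p);
    p.name = "alice";
    p.from_realtime = 1;
    acl_add(&p.acl, "deny=0.0.0.0/0.0.0.0");
    acl_add(&p.acl, "permit=192.168.1.0/24");
    return peer_call_allowed(&p, src);
}
```

The from_realtime flag is carried only to make the point visible: nothing in peer_call_allowed consults it, which is the property the advisory's fix establishes.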

   Affected Versions
ProductRelease Series 
 Asterisk Open Source   1.8.x All versions
 Asterisk Open Source   10.x  All versions
  Certified Asterisk   1.8.11 All versions
 Asterisk Digiumphones   10.x.x-digiumphones  All versions
   Asterisk Business EditionC.3.x All versions

  Corrected In
   Product  Release   
 Asterisk Open Source   1.8.15.1, 10.7.1  
  Certified Asterisk  1.8.11-cert7
Asterisk Digiumphones 10.7.1-digiumphones 
  Asterisk Business Edition C.3.7.6   

Patches 
   SVN URL                                                          Revision
   http://downloads.asterisk.org/pub/security/AST-2012-013.1.8.diff Asterisk 1.8
   http://downloads.asterisk.org/pub/security/AST-2012-013.10.diff  Asterisk 10

   Links https://issues.asterisk.org/jira/browse/ASTERISK-20186   

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2012-013.pdf and 
http://downloads.digium.com/pub/security/AST-2012-013.html

Revision History
  Date Editor  Revisions Made 
08/27/2012 Matt Jordan  Initial Revision  

   Asterisk Project Security Advisory - AST-2012-013
  Copyright (c) 2012 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] AST-2012-012: Asterisk Manager User Unauthorized Shell Access

2012-08-30 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2012-012

  Product Asterisk
  Summary Asterisk Manager User Unauthorized Shell Access 
 Nature of Advisory   Permission Escalation   
   Susceptibility Remote Authenticated Sessions   
  SeverityMinor   
   Exploits Known No  
Reported On   July 13, 2012   
Reported By   Zubair Ashraf of IBM X-Force Research   
 Posted OnAugust 30, 2012 
  Last Updated On August 30, 2012 
  Advisory ContactMatt Jordan < mjordan AT digium DOT com >   
  CVE NameCVE-2012-2186   

Description  The AMI Originate action can allow a remote user to specify  
 information that can be used to execute shell commands on
 the system hosting Asterisk. This can result in an unwanted  
 escalation of permissions, as the Originate action, which
 requires the "originate" class authorization, can be used
 to perform actions that would typically require the  
 "system" class authorization. Previous attempts to prevent   
 this permission escalation (AST-2011-006, AST-2012-004)  
 have sought to do so by inspecting the names of  
 applications and functions passed in with the Originate  
 action and, if those applications/functions matched a
 predefined set of values, rejecting the command if the user  
 lacked the "system" class authorization. As reported by IBM  
 X-Force Research, the "ExternalIVR" application is not   
 listed in the predefined set of values. The solution for 
 this particular vulnerability is to include the  
 "ExternalIVR" application in the set of defined  
 applications/functions that require "system" class   
 authorization.   
  
 Unfortunately, the approach of inspecting fields in the  
 Originate action against known applications/functions has a  
 significant flaw. The predefined set of values can be
 bypassed by creative use of the Originate action or by   
 certain dialplan configurations, which is beyond the 
 ability of Asterisk to analyze at run-time. Attempting to
 work around these scenarios would result in severely 
 restricting the applications or functions and prevent their  
 usage for legitimate means. As such, any additional  
 security vulnerabilities, where an application/function  
 that would normally require the "system" class   
 authorization can be executed by users with the "originate"  
 class authorization, will not be addressed. Instead, the 
 README-SERIOUSLY.bestpractices.txt file has been updated to  
 reflect that the AMI Originate action can result in  
 commands requiring the "system" class authorization to be
 executed. Proper system configuration can limit the impact   
 of such scenarios.   
  
 The next release of each version of Asterisk will contain,   
 in addition to the fix for the "ExternalIVR" application,
 an updated README-SERIOUSLY.bestpractices.txt file.  

Resolution  Asterisk now checks for the "ExternalIVR" application when
processing the Originate action.  
  
Additionally, the README-SERIOUSLY.bestpractices.txt file 
has been updated. It is highly recommended that, if AMI is
utilized with accounts that have the "originate" class
authorization, Asterisk is run under a defined user that  
does not have root permissions. Accounts with the 
"originate" class

[Full-disclosure] AST-2012-011: Remote crash vulnerability in voice mail application

2012-07-05 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2012-011

 ProductAsterisk  
 SummaryRemote crash vulnerability in voice mail application  
Nature of Advisory  Denial of Service 
  SusceptibilityRemote authenticated sessions 
 Severity   Moderate  
  Exploits KnownNo
   Reported On  June 13, 2012 
   Reported By  Nicolas Bouliane - Avencall Security Labs 
Posted On   June 27, 2012 
 Last Updated OnJuly 5, 2012  
 Advisory Contact   Kinsey Moore   
 CVE Name   CVE-2012-3812 

Description  If a single voicemail account is manipulated by two parties  
 simultaneously, a condition can occur where memory is freed  
 twice causing a crash.   

Resolution  Management of the memory in question has been reworked so 
that double frees and out of bounds array access do not   
occur. Upgrade to the latest release. 

   Affected Versions
  Product  Release Series 
   Asterisk Open Source 1.8.x 1.8.11 and newer
   Asterisk Open Source 10.x  10.3 and newer  
Certified Asterisk  1.8.11-certx  All versions
   Asterisk Digiumphones 10.x.x-digiumphones  All versions

  Corrected In
  Product  Release
Asterisk Open Source   1.8.13.1, 10.5.2   
 Certified Asterisk  1.8.11-cert4 
   Asterisk Digiumphones 10.5.2-digiumphones  

Patches
   URL                                                              Revision
   http://downloads.asterisk.org/pub/security/AST-2012-011-1.8.diff Asterisk 1.8, Certified Asterisk
   http://downloads.asterisk.org/pub/security/AST-2012-011-10.diff  Asterisk 10, Asterisk Digiumphones

   Links https://issues.asterisk.org/jira/browse/ASTERISK-20052   

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2012-011.pdf and 
http://downloads.digium.com/pub/security/AST-2012-011.html

Revision History
  Date  Editor Revisions Made 
06/27/2012 Kinsey Moore  Initial Release  

   Asterisk Project Security Advisory - AST-2012-011
  Copyright (c) 2012 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.



[Full-disclosure] AST-2012-010: Possible resource leak on uncompleted re-invite transactions

2012-07-05 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2012-010

 ProductAsterisk  
 SummaryPossible resource leak on uncompleted re-invite   
transactions  
Nature of Advisory  Denial of Service 
  SusceptibilityRemote authenticated sessions 
 Severity   Minor 
  Exploits KnownNo
   Reported On  June 13, 2012 
   Reported By  Steve Davies  
Posted On   July 5, 2012  
 Last Updated OnJuly 5, 2012  
 Advisory Contact   Terry Wilson  
 CVE Name   TBD   

Description  If Asterisk sends a re-invite and an endpoint responds to
 the re-invite with a provisional response but never sends a  
 final response, then the SIP dialog structure is never   
 freed and the RTP ports for the call are never released. If  
 an attacker has the ability to place a call, they could  
 create a denial of service by using all available RTP
 ports.   

Resolution  A re-invite that receives a provisional response without a
final response is detected and properly cleaned up at 
hangup.   

   Affected Versions
ProductRelease Series 
 Asterisk Open Source   1.8.x All versions
 Asterisk Open Source   10.x  All versions
   Asterisk Business EditionC.3.x All versions
  Certified Asterisk1.8.11-certx  All versions
 Asterisk Digiumphones   10.x.x-digiumphones  All versions

  Corrected In
   Product  Release   
 Asterisk Open Source   1.8.13.1, 10.5.2  
  Asterisk Business Edition C.3.7.5   
  Certified Asterisk  1.8.11-cert4
Asterisk Digiumphones 10.5.2-digiumphones 

Patches 
   URL                                                              Revision
   http://downloads.asterisk.org/pub/security/AST-2012-010-1.8.diff Asterisk 1.8
   http://downloads.asterisk.org/pub/security/AST-2012-010-10.diff  Asterisk 10

   Links https://issues.asterisk.org/jira/browse/ASTERISK-19992   

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2012-010.pdf and 
http://downloads.digium.com/pub/security/AST-2012-010.html

Revision History
  Date  Editor Revisions Made 
06/27/2012 Terry Wilson  Initial Release  

   Asterisk Project Security Advisory - AST-2012-010
  Copyright (c) 2012 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.



[Full-disclosure] AST-2012-009: Skinny Channel Driver Remote Crash Vulnerability

2012-06-14 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2012-009

  Product Asterisk
  Summary Skinny Channel Driver Remote Crash Vulnerability
 Nature of Advisory   Denial of Service   
   Susceptibility Remote authenticated sessions   
  SeverityMinor   
   Exploits Known No  
Reported On   May 30, 2012
Reported By   Christoph Hebeisen, TELUS Security Labs 
 Posted OnJune 14, 2012   
  Last Updated On June 14, 2012   
  Advisory ContactMatt Jordan < mjordan AT digium DOT com >   
  CVE NameCVE-2012-3553   

Description  AST-2012-008 previously dealt with a denial of service   
 attack exploitable in the Skinny channel driver that 
 occurred when certain messages are sent after a previously   
 registered station sends an Off Hook message. Unresolved in  
 that patch is an issue in the Asterisk 10 releases,  
 wherein, if a Station Key Pad Button Message is processed
 after an Off Hook message, the channel driver will   
 inappropriately dereference a Null pointer.  
  
 Similar to AST-2012-008, a remote attacker with a valid  
 SCCP ID can use this vulnerability by closing a  
 connection to the Asterisk server when a station is in the   
 "Off Hook" call state and crash the server.  

Resolution  The presence of a device for a line is now checked in the 
appropriate channel callbacks, preventing the crash.  

   Affected Versions
Product  Release Series  
 Asterisk Open Source 10.x   All Versions 

  Corrected In  
 Product  Release 
   Asterisk Open Source10.5.1 

Patches
   SVN URL  Revision  
   http://downloads.asterisk.org/pub/security/AST-2012-009-10.diff v10

   Links https://issues.asterisk.org/jira/browse/ASTERISK-19905   

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2012-009.pdf and 
http://downloads.digium.com/pub/security/AST-2012-009.html

Revision History
  Date  Editor Revisions Made 
06/14/2012 Matt Jordan   Initial Release  

   Asterisk Project Security Advisory - AST-2012-009
  Copyright (c) 2012 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.



[Full-disclosure] AST-2012-008: Skinny Channel Driver Remote Crash Vulnerability

2012-05-29 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2012-008

  Product Asterisk
  Summary Skinny Channel Driver Remote Crash Vulnerability
 Nature of Advisory   Denial of Service   
   Susceptibility Remote authenticated sessions   
  SeverityMinor   
   Exploits Known No  
Reported On   May 22, 2012
Reported By   Christoph Hebeisen  
 Posted OnMay 29, 2012
  Last Updated On May 29, 2012
  Advisory ContactMatt Jordan < mjordan AT digium DOT com >   
  CVE NameCVE-2012-2948   

Description  As reported by Telus Labs:   
  
 "A Null-pointer dereference has been identified in the SCCP  
 (Skinny) channel driver of Asterisk. When an SCCP client 
 closes its connection to the server, a pointer in a  
 structure is set to Null. If the client was not in the   
 on-hook state at the time the connection was closed, this
 pointer is later dereferenced.   
  
 A remote attacker with a valid SCCP ID can use this  
 vulnerability by closing a connection to the Asterisk
 server in certain call states (e.g. "Off hook") to crash 
 the server. Successful exploitation of this vulnerability
 would result in termination of the server, causing denial
 of service to legitimate users." 

Resolution  The pointer to the device in the structure is now checked 
before it is dereferenced in the channel event callbacks and  
message handling functions.   

   Affected Versions
Product  Release Series  
 Asterisk Open Source1.8.x   All Versions 
 Asterisk Open Source 10.x   All Versions 
  Certified Asterisk     1.8.11-cert     1.8.11-cert1 

  Corrected In
   Product  Release   
Asterisk Open Source   1.8.12.1, 10.4.1   
 Certified Asterisk  1.8.11-cert2 

   Patches
   SVN URL                                                                  Revision
   http://downloads.asterisk.org/pub/security/AST-2012-008-1.8.diff         v1.8
   http://downloads.asterisk.org/pub/security/AST-2012-008-10.diff          v10
   http://downloads.asterisk.org/pub/security/AST-2012-008-1.8.11-cert.diff v1.8.11-cert

   Links https://issues.asterisk.org/jira/browse/ASTERISK-19905   

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2012-008.pdf and 
http://downloads.digium.com/pub/security/AST-2012-008.html

Revision History
  Date  Editor Revisions Made 
05/25/2012 Matt Jordan   Initial Release  

   Asterisk Project Security Advisory - AST-2012-008
  Copyright (c) 2012 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.



[Full-disclosure] AST-2012-007: Remote crash vulnerability in IAX2 channel driver.

2012-05-29 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2012-007

  ProductAsterisk 
  SummaryRemote crash vulnerability in IAX2 channel driver.   
Nature of Advisory   Remote crash 
  Susceptibility Established calls
 SeverityModerate 
  Exploits Known No   
Reported On  March 21, 2012   
Reported By  mgrobecker   
 Posted On   May 29, 2012 
  Last Updated OnMay 29, 2012 
 Advisory ContactRichard Mudgett < rmudgett AT digium DOT com >   
 CVE NameCVE-2012-2947

Description  A remotely exploitable crash vulnerability exists in the 
 IAX2 channel driver if an established call is placed on  
 hold without a suggested music class. For this to occur, 
 the following must take place:   
  
 1. The setting mohinterpret=passthrough must be set on the   
 end placing the call on hold.
  
 2. A call must be established.   
  
 3. The call is placed on hold without a suggested
 music-on-hold class name.
  
 When these conditions are true, Asterisk will attempt to 
 use an invalid pointer to a music-on-hold class name. Use
 of the invalid pointer will either cause a crash or the  
 music-on-hold class name will be garbage.

Resolution  Asterisk now sets the extra data parameter to null if the 
received control frame does not have any extra data.  
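An added example, not the IAX2 driver's own code: a control frame decoder that sets the extra-data pointer to NULL when a received frame carries no payload, which is the change the resolution describes, together with a consumer that treats NULL as "no class suggested" instead of reading through whatever the pointer previously held. The frame layout, the CONTROL_HOLD value and the sample packets are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical subclass value for a hold indication. */
#define CONTROL_HOLD 1

/* Control frame as this example models it: a subclass byte followed by an
 * optional payload.  For a hold, the payload (when present) names the
 * music-on-hold class the far end suggests. */
struct control_frame {
    int subclass;
    const unsigned char *data;   /* NULL when the frame has no extra data */
    size_t datalen;
};

/* Decodes a received packet.  The else branch is the fix: with no extra
 * data the pointer is explicitly NULL rather than left unset. */
int parse_control_frame(const unsigned char *pkt, size_t len, struct control_frame *f)
{
    if (len < 1) {
        return 0;
    }
    f->subclass = pkt[0];
    if (len > 1) {
        f->data = pkt + 1;
        f->datalen = len - 1;
    } else {
        f->data = NULL;
        f->datalen = 0;
    }
    return 1;
}

/* Copies the suggested class name out of a hold frame into 'out'.  Returns
 * 1 when a class was suggested and 0 when none was, so the caller falls
 * back to its configured default instead of dereferencing a stale pointer. */
int hold_class_name(const struct control_frame *f, char *out, size_t outsz)
{
    if (f->subclass != CONTROL_HOLD || f->data == NULL || f->datalen == 0 || outsz == 0) {
        return 0;
    }
    size_t n = f->datalen < outsz - 1 ? f->datalen : outsz - 1;
    memcpy(out, f->data, n);
    out[n] = '\0';
    return 1;
}

/* Constructed sample: a hold frame that suggests the class "jazz". */
int demo_hold_with_class(char *out, size_t outsz)
{
    static const unsigned char pkt[] = { CONTROL_HOLD, 'j', 'a', 'z', 'z' };
    struct control_frame f;
    if (!parse_control_frame(pkt, sizeof pkt, &f)) {
        return 0;
    }
    return hold_class_name(&f, out, outsz);
}

/* Constructed sample: a bare hold frame with no suggested class, the case
 * the advisory describes. */
int demo_hold_without_class(char *out, size_t outsz)
{
    static const unsigned char pkt[] = { CONTROL_HOLD };
    struct control_frame f;
    if (!parse_control_frame(pkt, sizeof pkt, &f)) {
        return 0;
    }
    return hold_class_name(&f, out, outsz);
}
```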

   Affected Versions
Product  Release Series  
  Certified Asterisk  1.8.11-certAll versions 
 Asterisk Open Source1.8.x   All versions 
 Asterisk Open Source 10.x   All versions 

  Corrected In
   Product  Release   
 Certified Asterisk  1.8.11-cert2 
Asterisk Open Source   1.8.12.1, 10.4.1   

   Patches
   SVN URL                                                                  Revision
   http://downloads.asterisk.org/pub/security/AST-2012-007-1.8.11-cert.diff v1.8.11-cert
   http://downloads.asterisk.org/pub/security/AST-2012-007-1.8.diff         v1.8
   http://downloads.asterisk.org/pub/security/AST-2012-007-10.diff          v10

   Links https://issues.asterisk.org/jira/browse/ASTERISK-19597   

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2012-007.pdf and 
http://downloads.digium.com/pub/security/AST-2012-007.html

Revision History
  Date  Editor Revisions Made 
05/29/2012 Richard Mudgett   Initial release. 

   Asterisk Project Security Advisory - AST-2012-007
  Copyright (c) 2012 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.



[Full-disclosure] AST-2012-006: Remote Crash Vulnerability in SIP Channel Driver

2012-04-23 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2012-006

  Product Asterisk
  Summary Remote Crash Vulnerability in SIP Channel Driver
 Nature of Advisory   Remote Crash
   Susceptibility Remote Authenticated Sessions   
  SeverityModerate
   Exploits Known No  
Reported On   April 16, 2012  
Reported By   Thomas Arimont  
 Posted OnApril 23, 2012  
  Last Updated On April 23, 2012  
  Advisory ContactMatt Jordan < mjordan AT digium DOT com >   
  CVE Name

Description  A remotely exploitable crash vulnerability exists in the 
 SIP channel driver if a SIP UPDATE request is processed  
 within a particular window of time. For this to occur, the   
 following must take place:   
  
 1. The setting 'trustrpid' must be set to True   
  
 2. An UPDATE request must be received after a call has been  
 terminated and the associated channel object has been
 destroyed, but before the SIP dialog associated with the 
 call has been destroyed. Receiving the UPDATE request
 before the call is terminated or after the SIP dialog
 associated with the call will not cause the crash
 vulnerability described here.
  
 3. The UPDATE request must be formatted with the 
 appropriate headers to reflect an Asterisk connected line
 update. The information in the headers must reflect a
 different Caller ID than what was previously associated  
 with the dialog. 
  
 When these conditions are true, Asterisk will attempt to 
 perform a connected line update with no associated channel,  
 and will crash.  

Resolution  Asterisk now ensures a channel exists before performing a 
connected line update, when that connected line update is 
initiated via a SIP UPDATE request.   
  
In Asterisk versions not containing the fix for this issue,   
setting the 'trustrpid' setting to False will prevent this
crash from occurring (the default is False).

   Affected Versions
 Product   Release Series  
  Asterisk Open Source 1.8.x   All versions   
  Asterisk Open Source  10.x   All versions   
Asterisk Business Edition  C.3.x   All versions   

  Corrected In
Product  Release  
  Asterisk Open Source   1.8.11.1, 10.3.1 
   Asterisk Business Edition C.3.7.4  

Patches 
   SVN URL  Revision  
   http://downloads.asterisk.org/pub/security/AST-2012-006-1.8.diff v1.8  
   http://downloads.asterisk.org/pub/security/AST-2012-006-10.diff  v.10  

   Links https://issues.asterisk.org/jira/browse/ASTERISK-19770   

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2012-006.pdf and 
http://downloads.digium.com/pub/security/AST-2012-006.html


[Full-disclosure] AST-2012-005: Heap Buffer Overflow in Skinny Channel Driver

2012-04-23 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2012-005

  Product Asterisk
  Summary Heap Buffer Overflow in Skinny Channel Driver   
 Nature of Advisory   Exploitable Heap Buffer Overflow
   Susceptibility Remote Authenticated Sessions   
  SeverityMinor   
   Exploits Known No  
Reported On   March 26, 2012  
Reported By   Russell Bryant  
 Posted OnApril 23, 2012  
  Last Updated On April 23, 2012  
  Advisory ContactMatt Jordan < mjordan AT digium DOT com >   
  CVE Name

Description  In the Skinny channel driver, KEYPAD_BUTTON_MESSAGE events   
 are queued for processing in a buffer allocated on the   
 heap, where each DTMF value that is received is placed on
 the end of the buffer. Since the length of the buffer is 
 never checked, an attacker could send sufficient 
 KEYPAD_BUTTON_MESSAGE events such that the buffer is 
 overrun. 

Resolution  The length of the buffer is now checked before appending a
value to the end of the buffer.   
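An added example (not chan_skinny code) of the bound the resolution describes: a DTMF queue whose append checks the remaining capacity before writing, with the unchecked pre-fix shape left as a comment. The structure and function names are constructed; the accepted digit set is the standard DTMF keypad.

```c
#include <stdlib.h>
#include <string.h>

/* Bounded DTMF queue: a heap buffer of fixed capacity plus a length that
 * every append checks before it writes. */
struct dtmf_queue {
    char *buf;
    size_t len;
    size_t cap;
};

int dtmf_queue_init(struct dtmf_queue *q, size_t cap)
{
    q->buf = malloc(cap);
    q->len = 0;
    q->cap = q->buf ? cap : 0;
    return q->buf != NULL;
}

void dtmf_queue_free(struct dtmf_queue *q)
{
    free(q->buf);
    q->buf = NULL;
    q->len = q->cap = 0;
}

/* Digits a keypad can legitimately produce. */
static int is_dtmf_digit(char c)
{
    return c != '\0' && strchr("0123456789*#ABCD", c) != NULL;
}

/*
 * Pre-fix shape, as a comment only: the append trusted the peer to stop
 * sending, so every extra KEYPAD_BUTTON_MESSAGE wrote past the end:
 *
 *     q->buf[q->len++] = digit;
 */

/* Hardened append: rejects unknown digits and refuses to write once the
 * buffer is full, returning 0 so the caller can log and drop the event. */
int dtmf_queue_push(struct dtmf_queue *q, char digit)
{
    if (!is_dtmf_digit(digit)) {
        return 0;
    }
    if (q->len >= q->cap) {
        return 0;
    }
    q->buf[q->len++] = digit;
    return 1;
}

/* Pops the oldest digit; returns 0 when the queue is empty. */
int dtmf_queue_pop(struct dtmf_queue *q, char *out)
{
    if (q->len == 0) {
        return 0;
    }
    *out = q->buf[0];
    memmove(q->buf, q->buf + 1, q->len - 1);
    q->len--;
    return 1;
}

/* Feeds 'n' keypad events into a queue of capacity 'cap' and reports how
 * many were accepted; with the bound in place this never exceeds cap. */
size_t accepted_events(size_t cap, size_t n)
{
    struct dtmf_queue q;
    if (!dtmf_queue_init(&q, cap)) {
        return 0;
    }
    size_t accepted = 0;
    for (size_t i = 0; i < n; i++) {
        accepted += (size_t)dtmf_queue_push(&q, "0123456789"[i % 10]);
    }
    dtmf_queue_free(&q);
    return accepted;
}
```

A rejected push is itself a useful signal: a station that keeps sending keypad events into a full queue is either misbehaving or hostile, and that is worth a log line.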

   Affected Versions
Product  Release Series  
 Asterisk Open Source   1.6.2.x  All Versions 
 Asterisk Open Source1.8.x   All Versions 
 Asterisk Open Source 10.x   All Versions 

  Corrected In
Product  Release  
  Asterisk Open Source  1.6.2.24, 1.8.11.1, 10.3.1

 Patches  
SVN URL   Revision 
   http://downloads.asterisk.org/pub/security/AST-2012-005-1.6.2.diff v1.6.2   
   http://downloads.asterisk.org/pub/security/AST-2012-005-1.8.diff   v1.8 
   http://downloads.asterisk.org/pub/security/AST-2012-005-10.diffv10  

   Links https://issues.asterisk.org/jira/browse/ASTERISK-19592   

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2012-005.pdf and 
http://downloads.digium.com/pub/security/AST-2012-005.html

Revision History
  Date  Editor Revisions Made 
04/16/2012 Matt Jordan   Initial Release  

   Asterisk Project Security Advisory - AST-2012-005
  Copyright (c) 2012 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.



[Full-disclosure] AST-2012-004: Asterisk Manager User Unauthorized Shell Access

2012-04-23 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2012-004

  Product Asterisk
  Summary Asterisk Manager User Unauthorized Shell Access 
 Nature of Advisory   Permission Escalation   
   Susceptibility Remote Authenticated Sessions   
  SeverityMinor   
   Exploits Known No  
Reported On   February 23, 2011   
Reported By   David Woolley   
 Posted OnApril 23, 2012  
  Last Updated On April 23, 2012  
  Advisory ContactJonathan Rose < jrose AT digium DOT com >   
  CVE Name

Description  A user of the Asterisk Manager Interface can bypass a
 security check and execute shell commands when they lack 
 permission to do so. Under normal conditions, a user should  
 only be able to run shell commands if that user has System   
 class authorization. Users could bypass this restriction by  
 using the MixMonitor application with the originate action   
 or by using either the GetVar or Status manager actions in   
 combination with the SHELL and EVAL functions. The patch 
 adds checks in each affected action to verify if a user has  
 System class authorization. If the user does not have those  
 authorizations, Asterisk rejects the action if it detects
 the use of any functions or applications that run system 
 commands.

Resolution  Asterisk now performs checks against manager commands that
cause these behaviors for each of the affected actions.   
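An added example serving both this advisory and AST-2012-012 above, not code from Asterisk's manager: it parses an Originate action's Application and Data headers and rejects the action when the caller lacks "system" class authorization but names an application or function the advisories place in that class. PERM_ORIGINATE and PERM_SYSTEM, the parser and the constructed AMI messages are this example's own; the two lists contain only the names the advisories mention (ExternalIVR, MixMonitor, SHELL, EVAL), so they are deliberately partial.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical permission bits; Asterisk's own class flags are not
 * reproduced here. */
#define PERM_ORIGINATE 0x01u
#define PERM_SYSTEM    0x02u

struct originate_action {
    char application[64];   /* Application: header */
    char data[256];         /* Data: header */
};

/* Names the advisories tie to "system" class authorization; only what the
 * page lists, so this is illustrative rather than exhaustive. */
static const char *const SYSTEM_APPS[]  = { "ExternalIVR", "MixMonitor", NULL };
static const char *const SYSTEM_FUNCS[] = { "SHELL", "EVAL", NULL };

static int ci_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) {
            return 0;
        }
    }
    return *a == '\0' && *b == '\0';
}

/* Case-insensitive search for "FUNC(" inside a Data: value, as in
 * "${SHELL(date)}". */
static int ci_contains_call(const char *hay, const char *func)
{
    size_t n = strlen(func);
    for (const char *p = hay; *p; p++) {
        size_t i = 0;
        while (i < n && p[i] && tolower((unsigned char)p[i]) == tolower((unsigned char)func[i])) {
            i++;
        }
        if (i == n && p[n] == '(') {
            return 1;
        }
    }
    return 0;
}

/* Copies a "Key: value" line's value into dst when the key matches. */
static void take_header(const char *line, size_t len, const char *key, char *dst, size_t dstsz)
{
    size_t klen = strlen(key);
    if (len <= klen + 2 || strncmp(line, key, klen) != 0 || line[klen] != ':' || line[klen + 1] != ' ') {
        return;
    }
    size_t vlen = len - klen - 2;
    if (vlen >= dstsz) {
        vlen = dstsz - 1;
    }
    memcpy(dst, line + klen + 2, vlen);
    dst[vlen] = '\0';
}

/* Parses the raw AMI text of an Originate action (CRLF-terminated lines). */
void parse_originate(const char *msg, struct originate_action *out)
{
    memset(out, 0, sizeof *out);
    const char *p = msg;
    while (*p) {
        const char *nl = strstr(p, "\r\n");
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        take_header(p, len, "Application", out->application, sizeof out->application);
        take_header(p, len, "Data", out->data, sizeof out->data);
        if (!nl) {
            break;
        }
        p = nl + 2;
    }
}

/* 1 if the action reaches a listed application or a listed function. */
int originate_needs_system(const struct originate_action *a)
{
    for (int i = 0; SYSTEM_APPS[i]; i++) {
        if (ci_equal(a->application, SYSTEM_APPS[i])) {
            return 1;
        }
    }
    for (int i = 0; SYSTEM_FUNCS[i]; i++) {
        if (ci_contains_call(a->data, SYSTEM_FUNCS[i])) {
            return 1;
        }
    }
    return 0;
}

/* Authorization decision for one Originate action: 1 = accept, 0 = reject. */
int authorize_originate(unsigned perms, const char *msg)
{
    struct originate_action a;
    parse_originate(msg, &a);
    if (!(perms & PERM_ORIGINATE)) {
        return 0;
    }
    if (originate_needs_system(&a) && !(perms & PERM_SYSTEM)) {
        return 0;
    }
    return 1;
}
```

AST-2012-012 explains why a check of this kind stays a partial control: it is a denylist, and the advisory states that creative use of Originate or of the dialplan can reach the same capability without matching it. The durable mitigation it points to is running Asterisk under an unprivileged user and limiting which AMI accounts hold the "originate" class at all.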

   Affected Versions
 Product   Release Series  
  Asterisk Open Source1.6.2.x  All versions   
  Asterisk Open Source 1.8.x   All versions   
  Asterisk Open Source  10.x   All versions   
Asterisk Business Edition  C.3.x   All versions   

  Corrected In
  Product  Release
   Asterisk Open Source  1.6.2.24, 1.8.11.1, 10.3.1   
 Asterisk Business Edition C.3.7.4

 Patches  
SVN URL   Revision 
   http://downloads.asterisk.org/pub/security/AST-2012-004-1.6.2.diff v1.6.2   
   http://downloads.asterisk.org/pub/security/AST-2012-004-1.8.diff   v1.8 
   http://downloads.asterisk.org/pub/security/AST-2012-004-10.diffv10  

   Links https://issues.asterisk.org/jira/browse/ASTERISK-17465   

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2012-004.pdf and 
http://downloads.digium.com/pub/security/AST-2012-004.html

Revision History
  Date  Editor Revisions Made 
04/23/2012   Jonathan Rose Initial Release  


   Asterisk Project Security Advisory - AST-2012-004
  Copyright (c) 2012 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.



[Full-disclosure] AST-2012-003: Stack Buffer Overflow in HTTP Manager

2012-03-15 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2012-003

  Product Asterisk
  Summary Stack Buffer Overflow in HTTP Manager   
 Nature of Advisory   Exploitable Stack Buffer Overflow   
   Susceptibility Remote Unauthenticated Sessions 
  SeverityCritical
   Exploits Known No  
Reported On   03/15/2012  
Reported By   Russell Bryant  
 Posted On03/15/2012  
  Last Updated On March 15, 2012  
  Advisory ContactMatt Jordan < mjordan AT digium DOT com >   
  CVE Name

Description  An attacker attempting to connect to an HTTP session of the  
 Asterisk Manager Interface can send an arbitrarily long  
 string value for HTTP Digest Authentication. This causes a   
 stack buffer overflow, with the possibility of remote code   
 injection.   

Resolution  Upgrade to one of the versions of Asterisk listed in the  
"Corrected In" section, or apply a patch specified in the 
"Patches" section.

   Affected Versions
Product  Release Series  
 Asterisk Open Source1.8.x   All versions 
 Asterisk Open Source 10.x   All versions 

  Corrected In 
 Product  Release 
  Asterisk Open Source   1.8.10.1 
  Asterisk Open Source10.2.1  

Patches  
SVN URL  Revision 
   http://downloads.asterisk.org/pub/security/AST-2012-003-1.8.diff  v1.8 
   http://downloads.asterisk.org/pub/security/AST-2012-003-10.diff   v10  

   Links https://issues.asterisk.org/jira/browse/ASTERISK-19542   

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at http://downloads.digium.com/pub/security/.pdf   
and http://downloads.digium.com/pub/security/.html

Revision History
  Date  Editor Revisions Made 
03-15-2012 Matt Jordan   Initial release  

   Asterisk Project Security Advisory - AST-2012-003
  Copyright (c) 2012 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.



[Full-disclosure] AST-2012-002: Remote Crash Vulnerability in Milliwatt Application

2012-03-15 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2012-002

   Product             Asterisk
   Summary             Remote Crash Vulnerability in Milliwatt Application
   Nature of Advisory  Exploitable Stack Buffer Overflow with locally defined data
   Susceptibility      Remote Unauthenticated Sessions
   Severity            Minor
   Exploits Known      No
   Reported On         03/14/2012
   Reported By         Russell Bryant
   Posted On           03/15/2012
   Last Updated On     March 15, 2012
   Advisory Contact    Matt Jordan
   CVE Name

Description  An attacker can cause Asterisk to crash in one of two ways:

             1. A dialplan uses the Milliwatt application with the 'o'
                option

             2. The internal_timing option in asterisk.conf is off

             3. The attacker sends a large audio packet. The number of
                samples in the audio packet determines the number of
                internal data samples that are copied into the buffer. This
                overruns the buffer, potentially causing a crash.

             OR

             1. A dialplan uses the Milliwatt application with the 'o'
                option

             2. The attacker negotiates a media format with a sampling
                rate greater than 32kHz. The application will attempt to
                generate an audio packet using the sample rate of the
                negotiated format, where the sample rate will require a
                number of data points greater than the size of the buffer.
                Again, the application copies a number of internal data
                samples into the buffer that is greater than the size of
                the buffer, potentially causing a crash.

             Note that the latter attack vector is only possible in
             Asterisk 10, as it supports codecs with a sample rate
             greater than 32kHz.

Resolution  Upgrade to one of the versions of Asterisk listed in the  
"Corrected In" section, or apply a patch specified in the 
"Patches" section.

   Affected Versions
   Product               Release Series
   Asterisk Open Source  1.4.x           All Versions
   Asterisk Open Source  1.6.2.x         All Versions
   Asterisk Open Source  1.8.x           All Versions
   Asterisk Open Source  10.x            All Versions

   Corrected In
   Product               Release
   Asterisk Open Source  1.4.44
   Asterisk Open Source  1.6.2.23
   Asterisk Open Source  1.8.10.1
   Asterisk Open Source  10.2.1

   Patches
   SVN URL                                                              Revision
   http://downloads.asterisk.org/pub/security/AST-2012-002-1.4.diff     v1.4
   http://downloads.asterisk.org/pub/security/AST-2012-002-1.6.2.diff   v1.6.2
   http://downloads.asterisk.org/pub/security/AST-2012-002-1.8.diff     v1.8
   http://downloads.asterisk.org/pub/security/AST-2012-002-10.diff      v10

   Links https://issues.asterisk.org/jira/browse/ASTERISK-19541   

Asterisk Project Security Advisories

AST-2011-014: Remote crash possibility with SIP and the “automon” feature enabled

2011-12-08 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2011-014

   Product             Asterisk
   Summary             Remote crash possibility with SIP and the "automon" feature enabled
   Nature of Advisory  Remote crash vulnerability in a feature that is disabled by default
   Susceptibility      Remote unauthenticated sessions
   Severity            Moderate
   Exploits Known      Yes
   Reported On         November 2, 2011
   Reported By         Kristijan Vrban
   Posted On           2011-11-03
   Last Updated On     December 7, 2011
   Advisory Contact    Terry Wilson
   CVE Name

Description  When the "automon" feature is enabled in features.conf, it   
 is possible to send a sequence of SIP requests that cause
 Asterisk to dereference a NULL pointer and crash.

Resolution  Applying the referenced patches that check that the pointer   
is not NULL before accessing it will resolve the issue. The   
"automon" feature can be disabled in features.conf as a   
workaround.   

   Affected Versions
   Product               Release Series
   Asterisk Open Source  1.6.2.x         All versions
   Asterisk Open Source  1.8.x           All versions

   Corrected In
   Product               Release
   Asterisk Open Source  1.6.2.21, 1.8.7.2

   Patches
   Download URL                                                         Revision
   http://downloads.asterisk.org/pub/security/AST-2011-014-1.6.2.diff   1.6.2.20
   http://downloads.asterisk.org/pub/security/AST-2011-014-1.8.diff     1.8.7.1

Links  

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2011-014.pdf and 
http://downloads.digium.com/pub/security/AST-2011-014.html

Revision History
   Date Editor Revisions Made 

   Asterisk Project Security Advisory - AST-2011-014
  Copyright (c) 2011 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.



[Full-disclosure] AST-2011-013: Possible remote enumeration of SIP endpoints with differing NAT settings

2011-12-08 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2011-013

   Product             Asterisk
   Summary             Possible remote enumeration of SIP endpoints with differing NAT settings
   Nature of Advisory  Unauthorized data disclosure
   Susceptibility      Remote unauthenticated sessions
   Severity            Minor
   Exploits Known      Yes
   Reported On         2011-07-18
   Reported By         Ben Williams
   Posted On
   Last Updated On     December 7, 2011
   Advisory Contact    Terry Wilson
   CVE Name

Description  It is possible to enumerate SIP usernames when the general   
 and user/peer NAT settings differ in whether to respond to   
 the port a request is sent from or the port listed for   
 responses in the Via header. In 1.4 and 1.6.2, this would
 mean if one setting was nat=yes or nat=route and the other   
 was either nat=no or nat=never. In 1.8 and 10, this would
 mean when one was nat=force_rport or nat=yes and the other   
 was nat=no or nat=comedia.   

Resolution  Handling NAT for SIP over UDP requires the differing  
behavior introduced by these options. 
  
To lessen the frequency of unintended username disclosure,
the default NAT setting was changed to always respond to the
port from which we received the request, the most commonly
used option.
  
Warnings were added on startup to inform administrators of
the risks of having a SIP peer configured with a different
setting than that of the general setting. The documentation   
now strongly suggests that peers are no longer configured 
for NAT individually, but through the global setting in the   
"general" context.

   Affected Versions
   Product               Release Series
   Asterisk Open Source  All             All versions

   Corrected In
   As this is more of an issue with SIP over UDP in general, there is no
   fix supplied other than documentation on how to avoid the problem. The
   default NAT setting has been changed to what we believe is the most
   commonly used setting for the respective version in Asterisk 1.4.43,
   1.6.2.21, and 1.8.7.2.

Links  

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2011-013.pdf and 
http://downloads.digium.com/pub/security/AST-2011-013.html

Revision History
   Date Editor Revisions Made 

   Asterisk Project Security Advisory - AST-2011-013
  Copyright (c) 2011 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.



[Full-disclosure] AST-2011-012: Remote crash vulnerability in SIP channel driver

2011-10-17 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2011-012

   Product             Asterisk
   Summary             Remote crash vulnerability in SIP channel driver
   Nature of Advisory  Remote crash
   Susceptibility      Remote authenticated sessions
   Severity            Critical
   Exploits Known      No
   Reported On         October 4, 2011
   Reported By         Ehsan Foroughi
   Posted On           October 17, 2011
   Last Updated On     October 17, 2011
   Advisory Contact    Terry Wilson
   CVE Name            CVE-2011-4063

Description  A remote authenticated user can cause a crash with a
             malformed request due to an uninitialized variable.

Resolution  Ensure variables are initialized in all cases when parsing
the request.  

   Affected Versions
   Product               Release Series
   Asterisk Open Source  1.8.x           All versions
   Asterisk Open Source  10.x            All versions (currently in beta)

   Corrected In
   Product               Release
   Asterisk Open Source  1.8.7.1, 10.0.0-rc1

   Patches
   Download URL                                                       Revision
   http://downloads.asterisk.org/pub/security/AST-2011-012-1.8.diff   1.8
   http://downloads.asterisk.org/pub/security/AST-2011-012-10.diff    10

Links  

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security  
  
This document may be superseded by later versions; if so, the latest  
version will be posted at 
http://downloads.digium.com/pub/security/AST-2011-012.pdf and 
http://downloads.digium.com/pub/security/AST-2011-012.html

Revision History
   Date Editor Revisions Made 

   Asterisk Project Security Advisory - AST-2011-012
  Copyright (c) 2011 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.



[Full-disclosure] AST-2011-011: Possible enumeration of SIP users due to differing authentication responses

2011-06-28 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2011-011

   Product             Asterisk
   Summary             Possible enumeration of SIP users due to differing authentication responses
   Nature of Advisory  Unauthorized data disclosure
   Susceptibility      Remote unauthenticated sessions
   Severity            Moderate
   Exploits Known      No
   Reported On         June 11, 2011
   Reported By
   Posted On           June 28, 2011
   Last Updated On     June 28, 2011
   Advisory Contact    Terry Wilson
   CVE Name            CVE-2011-2536

Description  Asterisk may respond differently to SIP requests from an
             invalid SIP user than it does to a user configured on
             the system, even when the alwaysauthreject option is set
             in the configuration. This can leak information about
             what SIP users are valid on the Asterisk system.

Resolution  Respond to SIP requests from invalid and valid SIP users
            in the same way. Asterisk 1.4 and 1.6.2 do not respond
            identically by default due to backward-compatibility
            reasons, and must have alwaysauthreject=yes set in
            sip.conf. Asterisk 1.8 defaults to alwaysauthreject=yes.

            IT IS ABSOLUTELY IMPERATIVE that users of Asterisk 1.4
            and 1.6.2 set alwaysauthreject=yes in the general section
            of sip.conf.

   Affected Versions
   Product                    Release Series
   Asterisk Open Source       1.4.x           All versions
   Asterisk Open Source       1.6.2.x         All versions
   Asterisk Open Source       1.8.x           All versions
   Asterisk Business Edition  C.3.x           All versions

   Corrected In
   Product                    Release
   Asterisk Open Source       1.4.41.2, 1.6.2.18.2, 1.8.4.4

[Full-disclosure] AST-2011-006: Asterisk Manager User Shell Access

2011-04-21 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2011-006

   Product             Asterisk
   Summary             Asterisk Manager User Shell Access
   Nature of Advisory  Permission Escalation
   Susceptibility      Remote Authenticated Sessions
   Severity            Minor
   Exploits Known      Yes
   Reported On         February 10, 2011
   Reported By         Mark Murawski
   Posted On           April 21, 2011
   Last Updated On     April 21, 2011
   Advisory Contact    Matthew Nicholson
   CVE Name

   Description It is possible for a user of the Asterisk Manager Interface to 
   bypass a security check and execute shell commands when they   
   should not have that ability. Sending the "Async" header with  
   the "Application" header during an Originate action, allows
   authenticated manager users to execute shell commands. Only
   users with the "system" privilege should be able to do this.   

   Resolution Asterisk now performs the proper access check where appropriate 
  during the originate manager action.

   Affected Versions
   Product                    Release Series
   Asterisk Open Source       1.4.x           All versions
   Asterisk Open Source       1.6.1.x         All versions
   Asterisk Open Source       1.6.2.x         All versions
   Asterisk Open Source       1.8.x           All versions
   Asterisk Business Edition  C.x.x           All versions

   Corrected In
   Product                    Release
   Asterisk Open Source       1.4.40.1, 1.6.1.25, 1.6.2.17.3, 1.8.3.3
   Asterisk Business Edition  C.3.6.4

   Patches
   URL                                                                  Branch
   http://downloads.asterisk.org/pub/security/AST-2011-006-1.4.diff     1.4
   http://downloads.asterisk.org/pub/security/AST-2011-006-1.6.1.diff   1.6.1
   http://downloads.asterisk.org/pub/security/AST-2011-006-1.6.2.diff   1.6.2
   http://downloads.asterisk.org/pub/security/AST-2011-006-1.8.diff     1.8

  Links 

   Asterisk Project Security Advisories are posted at 
   http://www.asterisk.org/security   
  
   This document may be superseded by later versions; if so, the latest   
   version will be posted at  
   http://downloads.digium.com/pub/security/AST-2011-006.pdf and  
   http://downloads.digium.com/pub/security/AST-2011-006.html 

Revision History
   Date      Editor             Revisions Made
   4/21/11   Matthew Nicholson  Initial version

   Asterisk Project Security Advisory - AST-2011-006
  Copyright (c) 2011 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.



[Full-disclosure] AST-2011-005: File Descriptor Resource Exhaustion

2011-04-21 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2011-005

   Product             Asterisk
   Summary             File Descriptor Resource Exhaustion
   Nature of Advisory  Denial of Service
   Susceptibility      Remote Unauthenticated TCP Based Sessions (TCP SIP,
                       Skinny, Asterisk Manager Interface, and HTTP sessions)
   Severity            Moderate
   Exploits Known      Yes
   Reported On         March 18, 2011
   Reported By         Tzafrir Cohen < tzafrir.cohen AT xorcom DOT com >
   Posted On           April 21, 2011
   Last Updated On     April 21, 2011
   Advisory Contact    Matthew Nicholson
   CVE Name            CVE-2011-1507

   Description On systems that have the Asterisk Manager Interface, Skinny,   
   SIP over TCP, or the built in HTTP server enabled, it is   
   possible for an attacker to open as many connections to
   asterisk as he wishes. This will cause Asterisk to run out of  
   available file descriptors and stop processing any new calls.  
   Additionally, disk space can be exhausted as Asterisk logs 
   failures to open new file descriptors. 

   Resolution Asterisk can now limit the number of unauthenticated
  connections to each vulnerable interface and can also limit the 
  time unauthenticated clients will remain connected for some 
  interfaces. This will prevent vulnerable interfaces from using  
  up all available file descriptors. Care should be taken when
  setting the connection limits so that the combined total of 
  allowed unauthenticated sessions from each service is not more  
  than the file descriptor limit for the Asterisk process. The
  file descriptor limit can be checked (and set) using the
  "ulimit -n" command for the process' limit and the  
  "/proc/sys/fs/file-max" file (on Linux) for the system's limit. 
  
  It will still be possible for an attacker to deny service to
  each of the vulnerable services individually. To mitigate this  
  risk, vulnerable services should be run behind a firewall that  
  can detect and prevent DoS attacks. 
  
  In addition to using a firewall to filter traffic, vulnerable   
  systems can be protected by disabling the vulnerable services   
  in their respective configuration files.
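
The limit-and-timeout scheme the resolution describes, modelled as an added example rather than Asterisk's own code: a hypothetical per-interface listener (the names auth_limit, auth_timeout and the listener_* functions are assumed) that refuses new unauthenticated connections past a cap, reaps those idle past a timeout, and checks the summed per-interface caps against a descriptor limit.

```c
#include <stddef.h>
#include <string.h>
#include <time.h>

#define MAX_CONNS 8   /* tiny table so the model stays readable */

struct conn {
    int    in_use;         /* slot holds a live connection */
    int    authenticated;  /* client has completed login */
    time_t opened_at;      /* when it was accepted */
};

struct listener {
    struct conn conns[MAX_CONNS];
    unsigned auth_limit;   /* assumed name: max unauthenticated connections at once */
    unsigned auth_timeout; /* assumed name: seconds an unauthenticated client may linger */
};

void listener_init(struct listener *l, unsigned auth_limit, unsigned auth_timeout)
{
    memset(l, 0, sizeof *l);
    l->auth_limit = auth_limit;
    l->auth_timeout = auth_timeout;
}

unsigned listener_unauth_count(const struct listener *l)
{
    unsigned n = 0;
    for (size_t i = 0; i < MAX_CONNS; i++)
        n += l->conns[i].in_use && !l->conns[i].authenticated;
    return n;
}

/* Accept a client at time `now`. Returns its slot, or -1 when the
 * unauthenticated budget (or the table) is full: the socket is closed at
 * once instead of parking a descriptor on a client that may never log in. */
int listener_accept(struct listener *l, time_t now)
{
    if (listener_unauth_count(l) >= l->auth_limit)
        return -1;
    for (size_t i = 0; i < MAX_CONNS; i++) {
        if (!l->conns[i].in_use) {
            l->conns[i].in_use = 1;
            l->conns[i].authenticated = 0;
            l->conns[i].opened_at = now;
            return (int)i;
        }
    }
    return -1;
}

/* A successful login moves the connection out of the limited pool. */
int listener_authenticate(struct listener *l, int slot)
{
    if (slot < 0 || slot >= MAX_CONNS || !l->conns[slot].in_use)
        return -1;
    l->conns[slot].authenticated = 1;
    return 0;
}

/* Close unauthenticated connections idle for auth_timeout or longer; returns how many. */
unsigned listener_reap(struct listener *l, time_t now)
{
    unsigned closed = 0;
    for (size_t i = 0; i < MAX_CONNS; i++) {
        struct conn *c = &l->conns[i];
        if (c->in_use && !c->authenticated && now - c->opened_at >= (time_t)l->auth_timeout) {
            c->in_use = 0;
            closed++;
        }
    }
    return closed;
}

/* The advisory's sizing rule: summed per-interface limits must not exceed the fd limit. */
int limits_fit_fd_budget(const unsigned *limits, size_t n, unsigned long fd_limit)
{
    unsigned long total = 0;
    for (size_t i = 0; i < n; i++)
        total += limits[i];
    return total <= fd_limit;
}

/* Walk a constructed scenario (limit 2, timeout 30 s). Returns 0 when every
 * step behaves as expected, otherwise the number of the first failing step. */
int listener_selftest(void)
{
    struct listener l;
    listener_init(&l, 2, 30);
    if (listener_accept(&l, 0) != 0) return 1;        /* first client at t=0 */
    if (listener_accept(&l, 1) != 1) return 2;        /* second at t=1 */
    if (listener_accept(&l, 2) != -1) return 3;       /* third refused: 2 unauthenticated */
    if (listener_authenticate(&l, 0) != 0) return 4;  /* first one logs in */
    if (listener_accept(&l, 3) != 2) return 5;        /* room again: only 1 unauthenticated */
    if (listener_reap(&l, 40) != 2) return 6;         /* slots 1 and 2 idle >= 30 s */
    if (listener_unauth_count(&l) != 0) return 7;     /* the logged-in client stays */
    return 0;
}
```

In a real deployment the fd_limit argument would come from getrlimit(RLIMIT_NOFILE), the value `ulimit -n` reports, with headroom left for log files and media sockets.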

   Affected Versions
   Product                    Release Series
   Asterisk Open Source       1.4.x           All versions
   Asterisk Open Source       1.6.1.x         All versions
   Asterisk Open Source       1.6.2.x         All versions
   Asterisk Open Source       1.8.x           All versions
   Asterisk Business Edition  C.x.x           All versions

   Corrected In
   Product                    Release
   Asterisk Open Source       1.4.40.1, 1.6.1.25, 1.6.2.17.3, 1.8.3.3
   Asterisk Business Edition  C.3.6.4

   Patches
   URL                                                                  Branch
   http://downloads.asterisk.org/pub/security/AST-2011-005-1.4.diff     1.4
   http://downloads.asterisk.org/pub/security/AST-2011-005-1.6.1.diff   1.6.1
   http://downloads.asterisk.org/pub/security/AST-2011-005-1.6.2.diff   1.6.2
   http://downloads.asterisk.org/pub/security/AST-2011-005-1.8.diff     1.8

   Asterisk Project Security Advisories are posted at 
   http://www.asterisk.org/security   
  
   This document may be superseded by later versions; if so, the latest   
   version will be posted at  
   http://downloads.digium.com/pub/security/AST-2011-005.pdf and  
   http://downloads.digium.com/pub/security/AST-2011-005.html   

[Full-disclosure] AST-2011-004:

2011-03-16 Thread Asterisk Security Team
   Product             Asterisk
   Summary             Remote crash vulnerability in TCP/TLS server
   Nature of Advisory  Denial of Service
   Susceptibility      Remote Unauthenticated Sessions
   Severity            Critical
   Exploits Known      No
   Reported On         March 1, 2011
   Reported By         Blake Cornell and Chris Maj
   Posted On           March 16, 2011
   Last Updated On     March 14, 2011
   Advisory Contact    Terry Wilson

Description  Rapidly opening and closing TCP connections to services using
             the ast_tcptls_* API (primarily chan_sip, manager, and
             res_phoneprov) can cause Asterisk to crash after dereferencing
             a NULL pointer.

Resolution  Failure of the fdopen call is detected and dereferencing the
            NULL pointer is avoided.

   Affected Versions
   Product               Release Series
   Asterisk Open Source  1.6.1.x         All versions
   Asterisk Open Source  1.6.2.x         All versions
   Asterisk Open Source  1.8.x           All versions

   Corrected In
   Product               Release
   Asterisk Open Source  1.6.1.23, 1.6.2.17.1, 1.8.3.1

   Patches
   URL                                                                  Branch
   http://downloads.asterisk.org/pub/security/AST-2011-004-1.6.1.diff   1.6.1
   http://downloads.asterisk.org/pub/security/AST-2011-004-1.6.2.diff   1.6.2
   http://downloads.asterisk.org/pub/security/AST-2011-004-1.8.diff     1.8





   Links  



   Asterisk Project Security Advisories are posted at 
   http://www.asterisk.org/security   
  
   This document may be superseded by later versions; if so, the latest   
   version will be posted at  
   http://downloads.digium.com/pub/security/AST-2011-004.pdf and  
   http://downloads.digium.com/pub/security/AST-2011-004.html 



   Revision History   
   Date   Editor   Revisions Made 
   2011-03-14 Terry Wilson Initial release





[Full-disclosure] AST-2011-003:

2011-03-16 Thread Asterisk Security Team
   Product             Asterisk
   Summary             Resource exhaustion in Asterisk Manager Interface
   Nature of Advisory  Denial of Service
   Susceptibility      Remote Unauthenticated Sessions if manager interface is accessible
   Severity            Moderate
   Exploits Known      No
   Reported On         March 1, 2011
   Reported By         Blake Cornell
   Posted On           March 16, 2011
   Last Updated On     March 14, 2011
   Advisory Contact    Terry Wilson

Description  Rapidly opening manager connections, sending invalid data, and
             closing the connection can cause Asterisk to exhaust available
             CPU and memory resources. The manager interface is disabled by
             default.

Resolution  Failed writes to manager clients are flagged and the connection
            closed.

   Affected Versions
   Product               Release Series
   Asterisk Open Source  1.6.1.x         All versions
   Asterisk Open Source  1.6.2.x         All versions
   Asterisk Open Source  1.8.x           All versions

   Corrected In
   Product               Release
   Asterisk Open Source  1.6.1.23, 1.6.2.17.1, 1.8.3.1

   Patches
   URL                                                                  Branch
   http://downloads.asterisk.org/pub/security/AST-2011-003-1.6.1.diff   1.6.1
   http://downloads.asterisk.org/pub/security/AST-2011-003-1.6.2.diff   1.6.2
   http://downloads.asterisk.org/pub/security/AST-2011-003-1.8.diff     1.8





   Links  



   Asterisk Project Security Advisories are posted at 
   http://www.asterisk.org/security   
  
   This document may be superseded by later versions; if so, the latest   
   version will be posted at  
   http://downloads.digium.com/pub/security/AST-2011-003.pdf and  
   http://downloads.digium.com/pub/security/AST-2011-003.html 



   Revision History   
   Date   Editor   Revisions Made 
   2011-03-14 Terry Wilson Initial release





[Full-disclosure] AST-2011-002: Multiple array overflow and crash vulnerabilities in UDPTL code

2011-02-21 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2011-002

   Product             Asterisk
   Summary             Multiple array overflow and crash vulnerabilities in UDPTL code
   Nature of Advisory  Exploitable Stack and Heap Array Overflows
   Susceptibility      Remote Unauthenticated Sessions
   Severity            Critical
   Exploits Known      No
   Reported On         January 27, 2011
   Reported By         Matthew Nicholson
   Posted On           February 21, 2011
   Last Updated On     February 21, 2011
   Advisory Contact    Matthew Nicholson
   CVE Name

   Description When decoding UDPTL packets, multiple stack and heap based 
   arrays can be made to overflow by specially crafted packets.   
   Systems doing T.38 pass through or termination are vulnerable. 

   Resolution The UDPTL decoding routines have been modified to respect the   
  limits of exploitable arrays.   
  
  In asterisk versions not containing the fix for this issue, 
  disabling T.38 support will prevent this vulnerability from 
  being exploited. T.38 support can be disabled in chan_sip by
  setting the t38pt_udptl option to "no" (it is off by default).  
  
  t38pt_udptl = no
  
   The chan_ooh323 module should also be disabled by adding the
   following line in modules.conf.
  
  noload => chan_ooh323   

   Affected Versions
   Product                     Release Series
   Asterisk Open Source        1.4.x           All versions
   Asterisk Open Source        1.6.x           All versions
   Asterisk Business Edition   C.x.x           All versions
   AsteriskNOW                 1.5             All versions
   s800i (Asterisk Appliance)  1.2.x           All versions

   Corrected In
   Product                     Release
   Asterisk Open Source        1.4.39.2, 1.6.1.22, 1.6.2.16.2, 1.8.2.4
   Asterisk Business Edition   C.3.6.3

   Patches
   URL                                                                  Branch
   http://downloads.asterisk.org/pub/security/AST-2011-002-1.4.diff     1.4
   http://downloads.asterisk.org/pub/security/AST-2011-002-1.6.1.diff   1.6.1
   http://downloads.asterisk.org/pub/security/AST-2011-002-1.6.2.diff   1.6.2
   http://downloads.asterisk.org/pub/security/AST-2011-002-1.8.diff     1.8

  Links 

   Asterisk Project Security Advisories are posted at 
   http://www.asterisk.org/security   
  
   This document may be superseded by later versions; if so, the latest   
   version will be posted at  
   http://downloads.digium.com/pub/security/AST-2011-002.pdf and  
   http://downloads.digium.com/pub/security/AST-2011-002.html 

Revision History
   Date       Editor             Revisions Made
   02/21/11   Matthew Nicholson  Initial Release

   Asterisk Project Security Advisory - AST-2011-002
  Copyright (c) 2011 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
   original, unaltered form.



[Full-disclosure] AST-2011-001: Stack buffer overflow in SIP channel driver

2011-01-18 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2011-001

   Product             Asterisk
   Summary             Stack buffer overflow in SIP channel driver
   Nature of Advisory  Exploitable Stack Buffer Overflow
   Susceptibility      Remote Authenticated Sessions
   Severity            Moderate
   Exploits Known      No
   Reported On         January 11, 2011
   Reported By         Matthew Nicholson
   Posted On           January 18, 2011
   Last Updated On     January 18, 2011
   Advisory Contact    Matthew Nicholson
   CVE Name

   Description When forming an outgoing SIP request while in pedantic mode, a 
   stack buffer can be made to overflow if supplied with  
   carefully crafted caller ID information. This vulnerability
   also affects the URIENCODE dialplan function and in some   
   versions of asterisk, the AGI dialplan application as well.
   The ast_uri_encode function does not properly respect the size 
   of its output buffer and can write past the end of it when 
   encoding URIs. 

   Resolution The size of the output buffer passed to the ast_uri_encode  
  function is now properly respected. 
  
  In asterisk versions not containing the fix for this issue, 
  limiting strings originating from remote sources that will be   
  URI encoded to a length of 40 characters will protect against   
  this vulnerability. 
  
  exten => s,1,Set(CALLERID(num)=${CALLERID(num):0:40})   
  exten => s,n,Set(CALLERID(name)=${CALLERID(name):0:40}) 
  exten => s,n,Dial(SIP/channel)  
  
  The CALLERID(num) and CALLERID(name) channel values, and any
  strings passed to the URIENCODE dialplan function should be 
  limited in this manner. 
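
A bounded encoder of the kind the resolution describes, as an added example that is not Asterisk's ast_uri_encode (the function names here are assumed): the output size is respected, the result is always NUL-terminated, and the return value lets a caller detect and refuse truncated remote input instead of relying on the dialplan truncation above.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* RFC 3986 unreserved characters pass through; anything else becomes a
 * three-byte %XX escape. ASCII ranges, so the C locale does not matter. */
static int uri_is_unreserved(unsigned char c)
{
    return (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') ||
           (c >= 'a' && c <= 'z') || c == '-' || c == '.' ||
           c == '_' || c == '~';
}

/*
 * Percent-encode `in` into `out`, which holds `out_size` bytes. Never
 * writes past out[out_size - 1] and always NUL-terminates when
 * out_size > 0. Returns the length the complete encoding needs, so a
 * result >= out_size means the output was truncated (the snprintf
 * convention). Once a character no longer fits, nothing more is written:
 * truncation never leaves a partial "%2" escape and never moves a later
 * byte in front of an omitted one.
 */
size_t uri_encode_bounded(const char *in, char *out, size_t out_size)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t needed = 0;       /* bytes the complete encoding requires */
    size_t pos = 0;          /* bytes actually written to out */
    int truncated = 0;
    const unsigned char *p;

    for (p = (const unsigned char *)in; *p; p++) {
        size_t len = uri_is_unreserved(*p) ? 1 : 3;
        needed += len;
        /* pos + len must stay strictly below out_size to leave room
         * for the terminating NUL. */
        if (truncated || out_size == 0 || pos + len >= out_size) {
            truncated = 1;   /* keep counting, stop writing */
            continue;
        }
        if (len == 1) {
            out[pos] = (char)*p;
        } else {
            out[pos] = '%';
            out[pos + 1] = hex[*p >> 4];
            out[pos + 2] = hex[*p & 0x0F];
        }
        pos += len;
    }
    if (out_size > 0)
        out[pos] = '\0';
    return needed;
}

/* For callers that should refuse oversized input (a caller ID taken
 * from a remote peer, say) rather than pass on a silently shortened
 * value: 1 if `in` encoded completely into `out`, 0 if truncated. */
int uri_encode_or_reject(const char *in, char *out, size_t out_size)
{
    return uri_encode_bounded(in, out, out_size) < out_size;
}

/* Demo helper: encode into a static 64-byte buffer while pretending it
 * is only `limit` bytes long (clamped to 64). Not thread-safe. */
const char *uri_encode_static(const char *in, size_t limit)
{
    static char buf[64];
    uri_encode_bounded(in, buf, limit < sizeof buf ? limit : sizeof buf);
    return buf;
}

int main(void)
{
    char out[8];
    /* Constructed caller-ID strings; the second does not fit 8 bytes. */
    printf("%d %s\n", uri_encode_or_reject("5551234", out, sizeof out), out);
    printf("%d %s\n", uri_encode_or_reject("Bob Smith", out, sizeof out), out);
    return 0;
}
```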

   Affected Versions
   Product                     Release Series
   Asterisk Open Source        1.2.x           All versions
   Asterisk Open Source        1.4.x           All versions
   Asterisk Open Source        1.6.x           All versions
   Asterisk Open Source        1.8.x           All versions
   Asterisk Business Edition   C.x.x           All versions
   AsteriskNOW                 1.5             All versions
   s800i (Asterisk Appliance)  1.2.x           All versions

   Corrected In
   Product                     Release
   Asterisk Open Source        1.4.38.1, 1.4.39.1, 1.6.1.21, 1.6.2.15.1,
                               1.6.2.16.1, 1.8.1.2, 1.8.2.1
   Asterisk Business Edition   C.3.6.2

   Patches
   URL                                                                  Branch
   http://downloads.asterisk.org/pub/security/AST-2011-001-1.4.diff     1.4
   http://downloads.asterisk.org/pub/security/AST-2011-001-1.6.1.diff   1.6.1
   http://downloads.asterisk.org/pub/security/AST-2011-001-1.6.2.diff   1.6.2
   http://downloads.asterisk.org/pub/security/AST-2011-001-1.8.diff     1.8

   Asterisk Project Security Advisories are posted at 
   http://www.asterisk.org/security   
  
   This document may be superseded by later versions; if so, the latest   
   version will be posted at  
   http://downloads.digium.com/pub/security/AST-2011-001.pdf and  
   http://downloads.digium.com/pub/security/AST-2011-001.html 

Revision History
   Date         Editor             Revisions Made
   2011-01-18   Matthew Nicholson  Initial Release

[Full-disclosure] AST-2010-003: Invalid parsing of ACL rules can compromise security

2010-02-25 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2010-003

   Product             Asterisk
   Summary             Invalid parsing of ACL rules can compromise security
   Nature of Advisory  Unauthorized access to system
   Susceptibility      Remote Unauthenticated Sessions
   Severity            Moderate
   Exploits Known      No
   Reported On         Feb 24, 2010
   Reported By         Mark Michelson
   Posted On           Feb 25, 2010
   Last Updated On     February 25, 2010
   Advisory Contact    Mark Michelson < mmichelson AT digium DOT com >
   CVE Name

Description  Host access rules using "permit=" and "deny="
             configurations behave unpredictably if the CIDR notation
             "/0" is used. Depending on the system's behavior, this
             may act as desired, but in other cases it might not,
             thereby allowing access from hosts that should be
             denied.

             Note that even if an unauthorized host is allowed access
             due to this exploit, authentication measures still in
             place would prevent further unauthorized access.

             Note also that there is a workaround for this problem,
             which is to use the dotted-decimal format "/0.0.0.0"
             instead of CIDR notation. The bug does not exist when
             using this format. In addition, this format is what is
             used in Asterisk's sample configuration files.

Resolution  Code has been corrected to behave consistently on all
            systems when "/0" is used.
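
An added example, not Asterisk's ACL code (the rule layout and function names are assumed), of parsing permit/deny rules so that "/0" and "/0.0.0.0" yield the same all-zero mask and a deny-all-then-permit list evaluates consistently; the prefix_to_mask comment notes why a naive shift gives system-dependent results for a prefix of 0.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One "permit=" or "deny=" line, with the address already masked. */
struct ha_rule {
    uint32_t addr;   /* network address, host byte order */
    uint32_t mask;   /* netmask, host byte order */
    int permit;      /* 1 for permit=, 0 for deny= */
};

/* Netmask for a prefix length 0..32 (the caller validates the range).
 * Prefix 0 is handled explicitly: the tempting 0xFFFFFFFF << 32 shifts by
 * the full word width, which C leaves undefined, and an undefined shift is
 * a textbook source of results that vary from one system to the next. */
uint32_t prefix_to_mask(unsigned prefix)
{
    return prefix == 0 ? 0u : 0xFFFFFFFFu << (32 - prefix);
}

/* Dotted-quad IPv4 text to host byte order; 0 on success, -1 if malformed. */
static int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%3u.%3u.%3u.%3u%c", &a, &b, &c, &d, &tail) != 4)
        return -1;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return -1;
    *out = ((uint32_t)a << 24) | (b << 16) | (c << 8) | d;
    return 0;
}

/* Parse "addr", "addr/N" or "addr/m.m.m.m" into a rule. Returns 0, or
 * -1 on malformed input, including a prefix outside 0..32. */
int parse_ha_rule(const char *spec, int permit, struct ha_rule *rule)
{
    char buf[64];
    char *slash;
    uint32_t mask;

    if (strlen(spec) >= sizeof buf)
        return -1;
    strcpy(buf, spec);
    slash = strchr(buf, '/');
    if (slash)
        *slash++ = '\0';
    if (parse_ipv4(buf, &rule->addr) < 0)
        return -1;
    if (!slash) {
        mask = 0xFFFFFFFFu;                 /* bare host address */
    } else if (strchr(slash, '.')) {
        if (parse_ipv4(slash, &mask) < 0)   /* dotted form, e.g. /0.0.0.0 */
            return -1;
    } else {
        char *end;
        unsigned long prefix = strtoul(slash, &end, 10);
        if (*slash == '\0' || *end != '\0' || prefix > 32)
            return -1;
        mask = prefix_to_mask((unsigned)prefix);
    }
    rule->mask = mask;
    rule->addr &= mask;                     /* normalise, e.g. 10.1.2.3/8 */
    rule->permit = permit;
    return 0;
}

/* Rules are evaluated in order and the last match wins; with no match the
 * host is permitted. Assumption: this models the usual "deny everything,
 * then permit a range" layout, not Asterisk's own list code. */
int acl_permits(const struct ha_rule *rules, size_t n, uint32_t addr)
{
    int permit = 1;
    for (size_t i = 0; i < n; i++)
        if ((addr & rules[i].mask) == rules[i].addr)
            permit = rules[i].permit;
    return permit;
}

/* Build the classic two-line ACL and test one host against it.
 * Returns 1 (permitted), 0 (denied) or -1 (a rule failed to parse). */
int acl_check_two(const char *deny_spec, const char *permit_spec, const char *host)
{
    struct ha_rule rules[2];
    uint32_t ip;
    if (parse_ha_rule(deny_spec, 0, &rules[0]) < 0 ||
        parse_ha_rule(permit_spec, 1, &rules[1]) < 0 ||
        parse_ipv4(host, &ip) < 0)
        return -1;
    return acl_permits(rules, 2, ip);
}

int main(void)
{
    /* Constructed addresses: a LAN host and an outside host. */
    printf("192.168.1.5 -> %d\n", acl_check_two("0.0.0.0/0", "192.168.1.0/24", "192.168.1.5"));
    printf("10.0.0.1    -> %d\n", acl_check_two("0.0.0.0/0", "192.168.1.0/24", "10.0.0.1"));
    return 0;
}
```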

   Affected Versions
   Product               Release Series
   Asterisk Open Source  1.2.x           Unaffected
   Asterisk Open Source  1.4.x           Unaffected
   Asterisk Open Source  1.6.x           All 1.6.0, 1.6.1 and 1.6.2 releases
   Asterisk Addons       1.2.x           Unaffected
   Asteri

[Full-disclosure] AST-2010-002: Dialplan injection vulnerability

2010-02-18 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2010-002

   Product             Asterisk
   Summary             Dialplan injection vulnerability
   Nature of Advisory  Data injection vulnerability
   Susceptibility      Remote Unauthenticated Sessions
   Severity            Critical
   Exploits Known      Yes
   Reported On         10/02/10
   Reported By         Hans Petter Selasky
   Posted On           16/02/10
   Last Updated On     February 18, 2010
   Advisory Contact    Leif Madsen < lmadsen AT digium DOT com >
   CVE Name

   ++
   | Description | A common usage of the ${EXTEN} channel variable in a |
   | | dialplan with wildcard pattern matches can lead to a |
   | | possible string injection vulnerability. By having a |
   | | wildcard match in a dialplan, it is possible to allow|
   | | unintended calls to be executed, such as in this |
   | | example: |
   | |  |
   | | exten => _X.,1,Dial(SIP/${EXTEN})|
   | |  |
   | | If you have a channel technology which can accept|
   | | characters other than numbers and letters (such as SIP)  |
   | | it may be possible to craft an INVITE which sends data   |
   | | such as 300&Zap/g1/4165551212 which would create an  |
   | | additional outgoing channel leg that was not originally  |
   | | intentioned by the dialplan programmer.  |
   | |  |
   | | Usage of the wildcard character is common in dialplans   |
   | | that require variable number length, such as European|
   | | dial strings.|
   | |  |
   | | Please note that this is not limited to a specific   |
   | | protocol or the Dial() application.  |
   | |  |
   | | The expansion of variables into  |
   | | programmatically-interpreted strings is a common |
   | | behavior in many script or script-like languages,|
   | | Asterisk included. The ability for a variable to |
   | | directly replace components of a command is a feature,   |
   | | not a bug - that is the entire point of string   |
   | | expansion.   |
   | |  |
   | | However, it is often the case due to expediency or   |
   | | design misunderstanding that a developer will not|
   | | examine and filter string data from external sources |
   | | before passing it into potentially harmful areas of  |
   | | their dialplan. With the flexibility of the design of|
   | | Asterisk come these risks if the dialplan designer is|
   | |
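The following Python is an added illustration and is not part of the advisory: it models how the `_X.` pattern admits the injected value `300&Zap/g1/4165551212` (the pattern only requires a leading digit), how `Dial(SIP/${EXTEN})` turns the `&` into a second channel leg, and how a whitelist check in the style of the dialplan FILTER() function rejects it before it reaches Dial(). The pattern translator handles only the X/Z/N classes and the trailing wildcards, and `build_dial_string_safe` rejects rather than silently strips, both of which are choices made for this example.

```python
import re

# Asterisk extension-pattern character classes (dialplan pattern syntax).
PATTERN_CLASSES = {"X": "[0-9]", "Z": "[1-9]", "N": "[2-9]"}


def pattern_to_regex(pattern):
    """Translate a subset of Asterisk pattern syntax into a regular expression.

    Handles X/Z/N, literal characters and the trailing "." (one or more of
    anything) and "!" (zero or more) wildcards; [..] sets are not modelled.
    This is a simplification for the example, not Asterisk's own matcher.
    """
    if not pattern.startswith("_"):
        return re.compile(re.escape(pattern))
    parts = []
    for ch in pattern[1:]:
        if ch in PATTERN_CLASSES:
            parts.append(PATTERN_CLASSES[ch])
        elif ch == ".":
            parts.append(".+")
        elif ch == "!":
            parts.append(".*")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts))


def extension_matches(pattern, exten):
    """True if a request for `exten` would be routed by `pattern`."""
    return pattern_to_regex(pattern).fullmatch(exten) is not None


def dial_legs(dial_argument):
    """Dial() uses '&' to separate the channels it should ring."""
    return dial_argument.split("&")


def build_dial_string(exten):
    """The advisory's vulnerable construction: Dial(SIP/${EXTEN}) verbatim."""
    return "SIP/" + exten


def filter_chars(allowed, value):
    """Keep only characters listed in `allowed`, which may contain ranges such
    as 0-9 (a re-implementation of the dialplan FILTER() behaviour)."""
    permitted = set()
    i = 0
    while i < len(allowed):
        if i + 2 < len(allowed) and allowed[i + 1] == "-":
            permitted.update(chr(c) for c in range(ord(allowed[i]), ord(allowed[i + 2]) + 1))
            i += 3
        else:
            permitted.add(allowed[i])
            i += 1
    return "".join(ch for ch in value if ch in permitted)


def build_dial_string_safe(exten, allowed="0-9"):
    """Hardened form: refuse any EXTEN that contains characters outside the
    whitelist instead of passing it into Dial() unchanged."""
    cleaned = filter_chars(allowed, exten)
    if not cleaned or cleaned != exten:
        raise ValueError("extension contains characters outside %r" % allowed)
    return "SIP/" + cleaned


if __name__ == "__main__":
    injected = "300&Zap/g1/4165551212"   # the advisory's example value
    print(extension_matches("_X.", injected))            # True: routed by _X.
    print(dial_legs(build_dial_string(injected)))        # two legs, one unintended
    print(filter_chars("0-9", injected))                 # what FILTER(0-9,...) would keep
```

In a dialplan the same check is written as `Dial(SIP/${FILTER(0-9,${EXTEN})})`, or as a GotoIf comparison of `${EXTEN}` against its filtered form so that a tampered request is refused outright rather than dialled with the offending characters removed.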

[Full-disclosure] AST-2010-001: T.38 Remote Crash Vulnerability

2010-02-02 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2010-001

   ++
   |   Product| Asterisk|
   |--+-|
   |   Summary| T.38 Remote Crash Vulnerability |
   |--+-|
   |  Nature of Advisory  | Denial of Service   |
   |--+-|
   |Susceptibility| Remote unauthenticated sessions |
   |--+-|
   |   Severity   | Critical|
   |--+-|
   |Exploits Known| No  |
   |--+-|
   | Reported On  | 12/03/09|
   |--+-|
   | Reported By  | issues.asterisk.org users bklang and elsto  |
   |--+-|
   |  Posted On   | 02/03/10|
   |--+-|
   |   Last Updated On| February 2, 2010|
   |--+-|
   |   Advisory Contact   | David Vossel < dvossel AT digium DOT com >  |
   |--+-|
   |   CVE Name   | CVE-2010-0441   |
   ++

   ++
   | Description | An attacker attempting to negotiate T.38 over SIP can|
   | | remotely crash Asterisk by modifying the FaxMaxDatagram  |
   | | field of the SDP to contain either a negative or |
   | | exceptionally large value. The same crash occurs when|
   | | the FaxMaxDatagram field is omitted from the SDP as  |
   | | well.|
   ++

   ++
   | Resolution | Upgrade to one of the versions of Asterisk listed in the  |
   || "Corrected In" section, or apply a patch specified in the |
   || "Patches" section.|
   ++
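An added example, not code from the advisory or from Asterisk, showing the defensive handling a T.38 SDP parser needs for the FaxMaxDatagram field: the attribute is parsed with a length cap, digits only (so a negative value is refused), a range check, and a fallback default when the attribute is absent. The default, floor, ceiling and length cap are values chosen for this example and are not Asterisk's own settings; the SDP offers are constructed, not captured.

```python
import re

# Policy values chosen for this example; they are not Asterisk's own defaults.
MAX_NUMERIC_FIELD_LEN = 10        # longest decimal string we are willing to parse
T38_MAX_DATAGRAM_DEFAULT = 400    # used when the attribute is absent or unusable
T38_MAX_DATAGRAM_FLOOR = 1
T38_MAX_DATAGRAM_CEIL = 65535

_ATTR_RE = re.compile(r"^a=([A-Za-z0-9-]+):(.*)$")
_DIGITS_RE = re.compile(r"[0-9]+")


def parse_sdp_attributes(sdp_text):
    """Collect 'a=name:value' lines into a dict (a repeated name keeps the last value)."""
    attrs = {}
    for line in sdp_text.splitlines():
        m = _ATTR_RE.match(line.strip())
        if m:
            attrs[m.group(1)] = m.group(2).strip()
    return attrs


def parse_bounded_int(raw, floor, ceil):
    """Parse an untrusted decimal field: bounded length first, ASCII digits only
    (so a leading '-' or '+' is rejected), then a range check.
    Returns None when the value is unacceptable."""
    if raw is None or len(raw) > MAX_NUMERIC_FIELD_LEN:
        return None
    if not _DIGITS_RE.fullmatch(raw):
        return None
    value = int(raw)
    if value < floor or value > ceil:
        return None
    return value


def t38_max_datagram(sdp_text):
    """FaxMaxDatagram to use for the session: the offered value when it is sane,
    otherwise the default. Negative, oversized, over-long and missing values all
    take the fallback path instead of reaching the media code unchecked."""
    attrs = parse_sdp_attributes(sdp_text)
    value = parse_bounded_int(attrs.get("T38FaxMaxDatagram"),
                              T38_MAX_DATAGRAM_FLOOR, T38_MAX_DATAGRAM_CEIL)
    return T38_MAX_DATAGRAM_DEFAULT if value is None else value


# Constructed sample offers (not captured traffic).
_T38_PREFIX = ("v=0\r\no=- 1 1 IN IP4 192.0.2.1\r\ns=-\r\nc=IN IP4 192.0.2.1\r\n"
               "t=0 0\r\nm=image 4000 udptl t38\r\na=T38FaxVersion:0\r\n")
SAMPLE_SDP_OK = _T38_PREFIX + "a=T38FaxMaxDatagram:200\r\n"
SAMPLE_SDP_NEGATIVE = _T38_PREFIX + "a=T38FaxMaxDatagram:-1\r\n"
SAMPLE_SDP_HUGE = _T38_PREFIX + "a=T38FaxMaxDatagram:" + "9" * 40 + "\r\n"
SAMPLE_SDP_MISSING = _T38_PREFIX

if __name__ == "__main__":
    for name, sdp in [("ok", SAMPLE_SDP_OK), ("negative", SAMPLE_SDP_NEGATIVE),
                      ("huge", SAMPLE_SDP_HUGE), ("missing", SAMPLE_SDP_MISSING)]:
        print(name, t38_max_datagram(sdp))
```

The order of the checks matters: the length cap runs before any conversion, so an absurdly long digit string is discarded without being handed to a numeric parser at all, and the missing-attribute case is handled by the same fallback as the malformed ones rather than by a separate code path that might be forgotten.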

   ++
   |   Affected Versions|
   ||
   | Product  | Release Series ||
   |--++|
   |   Asterisk Open Source   | 1.6.x  | All versions   |
   |--++|
   |Asterisk Business Edition |  C.3   | All versions   |
   ++

   ++
   |  Corrected In  |
   ||
   | Product  |   Release   |
   |--+-|
   |   Asterisk Open Source   |  1.6.0.22   |
   |--+-|
   |   Asterisk Open Source   |  1.6.1.14   |
   |--+-|
   |   Asterisk Open Source   |   1.6.2.2   |
   |--+-|
   |  |   C.3.3.2   |
   ++

   +-+
   | Patches |
   |-|
   |   

[Full-disclosure] AST-2009-010: RTP Remote Crash Vulnerability

2009-11-30 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2009-010

   ++
   |   Product| Asterisk|
   |--+-|
   |   Summary| RTP Remote Crash Vulnerability  |
   |--+-|
   |  Nature of Advisory  | Denial of Service   |
   |--+-|
   |Susceptibility| Remote unauthenticated sessions |
   |--+-|
   |   Severity   | Critical|
   |--+-|
   |Exploits Known| No  |
   |--+-|
   | Reported On  | November 13, 2009   |
   |--+-|
   | Reported By  | issues.asterisk.org user amorsen|
   |--+-|
   |  Posted On   | November 30, 2009   |
   |--+-|
   |   Last Updated On| November 30, 2009   |
   |--+-|
   |   Advisory Contact   | David Vossel < dvossel AT digium DOT com >  |
   |--+-|
   |   CVE Name   | CVE-2009-4055   |
   ++

   ++
   | Description | An attacker sending a valid RTP comfort noise payload|
   | | containing a data length of 24 bytes or greater can  |
   | | remotely crash Asterisk. |
   ++

   ++
   | Resolution | Upgrade to one of the versions of Asterisk listed in the  |
   || "Corrected In" section, or apply a patch specified in the |
   || "Patches" section.|
   ++

   ++
   |   Affected Versions|
   ||
   | Product  | Release Series ||
   |--++|
   |   Asterisk Open Source   | 1.2.x  | All versions   |
   |--++|
   |   Asterisk Open Source   | 1.4.x  | All versions   |
   |--++|
   |   Asterisk Open Source   | 1.6.x  | All versions   |
   |--++|
   |Asterisk Business Edition | B.x.x  | All versions   |
   |--++|
   |Asterisk Business Edition | C.x.x  | All versions   |
   |--++|
   |s800i (Asterisk Appliance)| 1.3.x  | All versions   |
   ++

   ++
   |  Corrected In  |
   ||
   |   Product   | Release  |
   |-+--|
   |Asterisk Open Source |  1.2.37  |
   |-+--|
   |Asterisk Open Source | 1.4.27.1 |
   |-+--|
   |Asterisk Open Source | 1.6.0.19 |
   |-+--|
   |   

[Full-disclosure] AST-2009-009: Cross-site AJAX request vulnerability

2009-11-04 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2009-009

   ++
   |   Product| Asterisk|
   |--+-|
   |   Summary| Cross-site AJAX request vulnerability   |
   |--+-|
   |  Nature of Advisory  | Cross-site AJAX request exploitation|
   |--+-|
   |Susceptibility| Remote Unauthenticated Sessions |
   |--+-|
   |   Severity   | Minor   |
   |--+-|
   |Exploits Known| No  |
   |--+-|
   | Reported On  | October 26, 2009|
   |--+-|
   | Reported By  | issues.asterisk.org user jcollie|
   |--+-|
   |  Posted On   | November 4, 2009|
   |--+-|
   |   Last Updated On| November 4, 2009|
   |--+-|
   |   Advisory Contact   | Joshua Colp|
   |--+-|
   |   CVE Name   | CVE-2008-7220   |
   ++

   ++
   | Description | Asterisk includes a demonstration AJAX based manager |
   | | interface, ajamdemo.html which uses the prototype.js |
   | | framework. An issue was uncovered in this framework  |
   | | which could allow someone to execute a cross-site AJAX   |
   | | request exploit. |
   ++

   ++
   | Resolution | Upgrade to one of the versions below, or apply one of the |
   || patches specified in the Patches section. |
   ++

   ++
   |   Affected Versions|
   ||
   |  Product   | Release | |
   || Series  | |
   |+-+-|
   |Asterisk Open Source|  1.2.x  | Unaffected  |
   |+-+-|
   |Asterisk Open Source|  1.4.x  | All versions prior to 1.4.26.3  |
   |+-+-|
   |Asterisk Open Source| 1.6.0.x | All versions prior to 1.6.0.17  |
   |+-+-|
   |Asterisk Open Source| 1.6.1.x | All versions prior to 1.6.1.9   |
   |+-+-|
   |  Asterisk Addons   |  1.2.x  | Unaffected  |
   |+-+-|
   |  Asterisk Addons   |  1.4.x  | Unaffected  |
   |+-+-|
   |  Asterisk Addons   |  1.6.x  | Unaffected  |
   |+-+-|
   | Asterisk Business Edition  |  A.x.x  | Unaffected  |
   |+-+-|
   | Asterisk Business Edition  |  B.x.x  | All versions prior to B.2.5.12  |
   |+-+-|
   | Asterisk Business Edition  |  C.x.x  | All versions prior to C.2.4.5   |
   || | and C.3.2.2 |
   |+-+-|
   |AsteriskNOW |   1.5  

[Full-disclosure] AST-2009-008: SIP responses expose valid usernames

2009-11-04 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2009-008

   ++
   |   Product| Asterisk|
   |--+-|
   |   Summary| SIP responses expose valid usernames|
   |--+-|
   |  Nature of Advisory  | Information leak|
   |--+-|
   |Susceptibility| Remote Unauthenticated Sessions |
   |--+-|
   |   Severity   | Minor   |
   |--+-|
   |Exploits Known| No  |
   |--+-|
   | Reported On  | October 26, 2009|
   |--+-|
   | Reported By  | Patrik Karlsson|
   |--+-|
   |  Posted On   | November 4, 2009|
   |--+-|
   |   Last Updated On| November 4, 2009|
   |--+-|
   |   Advisory Contact   | Joshua Colp|
   |--+-|
   |   CVE Name   | |
   ++

   ++
   | Description | It is possible to determine if a peer with a specific|
   | | name is configured in Asterisk by sending a specially|
   | | crafted REGISTER message twice. The username that is to  |
   | | be checked is put in the user portion of the URI in the  |
   | | To header. A bogus non-matching value is put into the|
   | | username portion of the Digest in the Authorization  |
   | | header. If the peer does exist the second REGISTER will  |
   | | receive a response of "403 Authentication user name does |
   | | not match account name". If the peer does not exist the  |
   | | response will be "404 Not Found" if alwaysauthreject is  |
   | | disabled and "401 Unauthorized" if alwaysauthreject is   |
   | | enabled. |
   ++

   ++
   | Resolution | Upgrade to one of the versions below, or apply one of the |
   || patches specified in the Patches section. |
   ++

   ++
   |   Affected Versions|
   ||
   |  Product   | Release | |
   || Series  | |
   |+-+-|
   |Asterisk Open Source|  1.2.x  | All versions prior to 1.2.35|
   |+-+-|
   |Asterisk Open Source|  1.4.x  | All versions prior to 1.4.26.3  |
   |+-+-|
   |Asterisk Open Source| 1.6.0.x | All versions prior to 1.6.0.17  |
   |+-+-|
   |Asterisk Open Source| 1.6.1.x | All versions prior to 1.6.1.9   |
   |+-+-|
   |  Asterisk Addons   |  1.2.x  | Unaffected  |
   |+-+-|
   |  Asterisk Addons   |  1.4.x  | Unaffected  |
   |+-+-|
   |  Asterisk Addons   |  1.6.x  | Unaffected  |
   |+-+-|
   | Asterisk Business Edition  |  A.x.x  | All versions  

[Full-disclosure] AST-2009-007: ACL not respected on SIP INVITE

2009-10-26 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2009-007

   ++
   |  Product   | Asterisk  |
   |+---|
   |  Summary   | ACL not respected on SIP INVITE   |
   |+---|
   | Nature of Advisory | Unauthorized calls allowed on prohibited networks |
   |+---|
   |   Susceptibility   | Remote unauthorized session   |
   |+---|
   |  Severity  | Critical  |
   |+---|
   |   Exploits Known   | No|
   |+---|
   |Reported On | October 18, 2009  |
   |+---|
   |Reported By | Thomas Athineou   |
   |+---|
   | Posted On  | October 26, 2009  |
   |+---|
   |  Last Updated On   | October 26, 2009  |
   |+---|
   |  Advisory Contact  | Jeff Peeler|
   |+---|
   |  CVE Name  |   |
   ++

   ++
   | Description | A missing ACL check for handling SIP INVITEs allows a|
   | | device to make calls on networks intended to be  |
   | | prohibited as defined by the "deny" and "permit" lines   |
   | | in sip.conf. The ACL check for handling SIP  |
   | | registrations was not affected.  |
   ++

   ++
   | Resolution | Users should upgrade to a version listed in the   |
   || "Corrected In" section below. |
   ++

   ++
   |   Affected Versions|
   ||
   |Product| Release Series |   |
   |---++---|
   | Asterisk Open Source  | 1.2.x  | Unaffected|
   |---++---|
   | Asterisk Open Source  | 1.4.x  | Unaffected|
   |---++---|
   | Asterisk Open Source  | 1.6.x  | All 1.6.1 versions|
   |---++---|
   |Asterisk Addons| 1.2.x  | Unaffected|
   |---++---|
   |Asterisk Addons| 1.4.x  | Unaffected|
   |---++---|
   |Asterisk Addons| 1.6.x  | Unaffected|
   |---++---|
   |   Asterisk Business Edition   | A.x.x  | Unaffected|
   |---++---|
   |   Asterisk Business Edition   | B.x.x  | Unaffected|
   |---++---|
   |   Asterisk Business Edition   | C.x.x  | Unaffected|
   |---++---|
   |  AsteriskNOW  |  1.5   | Unaffected|
   |---++---|
   |  s800i (Asterisk Appliance)   | 1.2.x  | Unaffected|
   ++

   +--

[Full-disclosure] AST-2009-006: IAX2 Call Number Resource Exhaustion

2009-09-03 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2009-006

   ++
   |  Product   | Asterisk  |
   |+---|
   |  Summary   | IAX2 Call Number Resource Exhaustion  |
   |+---|
   | Nature of Advisory | Denial of Service |
   |+---|
   |   Susceptibility   | Remote unauthenticated sessions   |
   |+---|
   |  Severity  | Major |
   |+---|
   |   Exploits Known   | Yes - Published by Blake Cornell < blake AT   |
   || remoteorigin DOT com > on voip0day.com|
   |+---|
   |Reported On | June 22, 2008 |
   |+---|
   |Reported By | Noam Rathaus < noamr AT beyondsecurity DOT com >, |
   || with his SSD program, also by Blake Cornell   |
   |+---|
   | Posted On  | September 3, 2009 |
   |+---|
   |  Last Updated On   | September 3, 2009 |
   |+---|
   |  Advisory Contact  | Russell Bryant < russell AT digium DOT com >  |
   |+---|
   |  CVE Name  | CVE-2009-2346 |
   ++

   ++
   | Description | The IAX2 protocol uses a call number to associate|
   | | messages with the call that they belong to. However, the |
   | | protocol defines the call number field in messages as a  |
   | | fixed size 15 bit field. So, if all call numbers are in  |
   | | use, no additional sessions can be handled.  |
   | |  |
   | | A call number gets created at the start of an IAX2   |
   | | message exchange. So, an attacker can send a large   |
   | | number of messages and consume the call number space.|
   | | The attack is also possible using spoofed source IP  |
   | | addresses as no handshake is required before a call  |
   | | number is assigned.  |
   ++

   ++
   | Resolution | Upgrade to a version of Asterisk listed in this document  |
   || as containing the IAX2 protocol security enhancements. In |
   || addition to upgrading, administrators should consult the  |
   || users guide section of the IAX2 Security document |
   || (IAX2-security.pdf), as well as the sample configuration  |
   || file for chan_iax2 that have been distributed with those  |
   || releases for assistance with new options that have been   |
   || provided. |
   ++

   ++
   | Discussion | A lot of time was spent trying to come up with a way to   |
   || resolve this issue in a way that was completely backwards |
   || compatible. However, the final resolution ended up|
   || requiring a modification to the IAX2 protocol. This   |
   || modification is referred to as call token validation. |
   || Call token validation is used as a handshake before call  |
   || numbers are assigned to IAX2 connections. |
   ||   |
   || Call token validation by itself does not resolve the  |
   || issue. However, it does allow an IAX2 server to validate  |
   || that the source of the messages has not been spoofed. In  |
   |
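As an added example (not the Asterisk implementation and not from the advisory), the following Python models the call-number problem and the call token handshake described above: the call number field is 15 bits, so a server that allocates a number on every NEW can be drained by spoofed-source traffic; with call token validation the server answers an untokened NEW with a stateless HMAC token bound to the source address and allocates nothing until that token is echoed back, which a spoofed source never sees. The per-source-address call limit, the token format, its lifetime and the use of HMAC-SHA256 are choices made for this model. The `spoofed_flood_capacity_test` helper only exercises the model in-process with forged address tuples; no network traffic is involved.

```python
import hashlib
import hmac
import os
import time
from collections import deque

CALL_NUMBER_BITS = 15
MAX_CALL_NUMBER = (1 << CALL_NUMBER_BITS) - 1   # 32767 usable numbers; 0 is unused here


class IAX2Server:
    """Minimal model of call-number allocation, with optional call token validation."""

    def __init__(self, require_token, secret=None, token_lifetime=10,
                 max_calls_per_addr=100, now=time.time):
        self.require_token = require_token
        self._secret = secret or os.urandom(32)       # server-only key for the token MAC
        self._lifetime = token_lifetime               # seconds a token stays valid
        self._max_per_addr = max_calls_per_addr       # assumed per-source limit (model choice)
        self._now = now
        self._free = deque(range(1, MAX_CALL_NUMBER + 1))
        self._owner = {}        # call number -> source address
        self._per_addr = {}     # source address -> active call count

    def _make_token(self, addr, ts):
        # Stateless: nothing is stored server-side, the MAC binds (addr, time).
        msg = "%s:%d:%d" % (addr[0], addr[1], ts)
        mac = hmac.new(self._secret, msg.encode(), hashlib.sha256).hexdigest()
        return "%d:%s" % (ts, mac)

    def _token_valid(self, addr, token):
        try:
            ts = int(token.split(":", 1)[0])
        except (ValueError, AttributeError):
            return False
        now = self._now()
        if not (now - self._lifetime <= ts <= now + 1):
            return False
        return hmac.compare_digest(self._make_token(addr, ts), token)

    def handle_new(self, addr, token=None):
        """Process a NEW from `addr`. Returns (reply, payload)."""
        if self.require_token:
            if token is None:
                # Challenge only: no call number and no state are consumed.
                return ("CALLTOKEN", self._make_token(addr, int(self._now())))
            if not self._token_valid(addr, token):
                return ("REJECT", None)
            if self._per_addr.get(addr, 0) >= self._max_per_addr:
                return ("REJECT", None)
        if not self._free:
            return ("REJECT", None)          # call number space exhausted
        number = self._free.popleft()
        self._owner[number] = addr
        self._per_addr[addr] = self._per_addr.get(addr, 0) + 1
        return ("ACCEPT", number)

    def hangup(self, number):
        addr = self._owner.pop(number)
        self._per_addr[addr] -= 1
        self._free.append(number)

    def call_numbers_in_use(self):
        return len(self._owner)


def spoofed_flood_capacity_test(server, count):
    """Feed `count` NEWs from distinct forged source addresses into the model.
    A forged source never receives the CALLTOKEN reply, so it cannot echo it."""
    for i in range(count):
        addr = ("10.%d.%d.%d" % ((i >> 16) & 255, (i >> 8) & 255, i & 255), 4569)
        server.handle_new(addr)
    return server.call_numbers_in_use()


if __name__ == "__main__":
    legacy = IAX2Server(require_token=False)
    print("legacy in use after flood:", spoofed_flood_capacity_test(legacy, 40000))
    hardened = IAX2Server(require_token=True)
    print("hardened in use after flood:", spoofed_flood_capacity_test(hardened, 40000))
    reply, token = hardened.handle_new(("192.0.2.10", 4569))
    print(reply, hardened.handle_new(("192.0.2.10", 4569), token))
```

Two properties are worth checking in a model like this: a token issued to one address must not be accepted from another, and the handshake on its own only stops spoofed sources, so an attacker who really owns many addresses still needs a separate limit per source, which is why the per-address cap is applied after the token check rather than instead of it.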

[Full-disclosure] AST-2009-005: Remote Crash Vulnerability in SIP channel driver

2009-08-11 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2009-005

   ++
   |   Product   | Asterisk |
   |-+--|
   |   Summary   | Remote Crash Vulnerability in SIP channel driver |
   |-+--|
   | Nature of Advisory  | Denial of Service|
   |-+--|
   |   Susceptibility| Remote Unauthenticated Sessions  |
   |-+--|
   |  Severity   | Critical in 1.6.1; minor in lesser versions  |
   |-+--|
   |   Exploits Known| No   |
   |-+--|
   | Reported On | July 28, 2009|
   |-+--|
   | Reported By | Nick Baggott < nbaggott AT mudynamics DOT com >  |
   |-+--|
   |  Posted On  | August 10, 2009  |
   |-+--|
   |   Last Updated On   | August 10, 2009  |
   |-+--|
   |  Advisory Contact   | Tilghman Lesher < tlesher AT digium DOT com >|
   |-+--|
   |  CVE Name   | CVE-2009-2726|
   ++

   ++
   | Description | On certain implementations of libc, the scanf family of  |
   | | functions uses an unbounded amount of stack memory to|
   | | repeatedly allocate string buffers prior to conversion   |
   | | to the target type. Coupled with Asterisk's allocation   |
   | | of thread stack sizes that are smaller than the default, |
   | | an attacker may exhaust stack memory in the SIP stack|
   | | network thread by presenting excessively long numeric|
   | | strings in various fields.   |
   | |  |
   | | Note that while this potential vulnerability has existed |
   | | in Asterisk for a very long time, it is only potentially |
   | | exploitable in 1.6.1 and above, since those versions are |
   | | the first that have allowed SIP packets to exceed 1500   |
   | | bytes total, which does not permit strings that are  |
   | | large enough to crash Asterisk. (The number strings  |
   | | presented to us by the security researcher were  |
   | | approximately 32,000 bytes long.)|
   | |  |
   | | Additionally note that while this can crash Asterisk,|
   | | execution of arbitrary code is not possible with this|
   | | vector.  |
   ++

   ++
   |  Resolution  | Upgrade Asterisk to one of the releases listed below.   |
   ++

   ++
   |   Affected Versions|
   ||
   |  Product   |  Release   |  |
   ||   Series   |  |
   |++--|
   |Asterisk Open Source|   1.2.x| All versions prior to 1.2.34 |
   |++--|
   |Asterisk Open Source|   1.4.x| All versions prior to|
   ||| 1.4.26.1 |
   |++--|
   |Asterisk Open Source|  1.6.0.x   | All versions prior to|
   |

[Full-disclosure] AST-2009-004: Remote Crash Vulnerability in RTP stack

2009-08-02 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2009-004

   ++
   |   Product| Asterisk|
   |--+-|
   |   Summary| Remote Crash Vulnerability in RTP stack |
   |--+-|
   |  Nature of Advisory  | Exploitable Crash   |
   |--+-|
   |Susceptibility| Remote unauthenticated sessions |
   |--+-|
   |   Severity   | Critical|
   |--+-|
   |Exploits Known| No  |
   |--+-|
   | Reported On  | July 27, 2009   |
   |--+-|
   | Reported By  | Marcus Hunger |
   |--+-|
   |  Posted On   | August 2, 2009  |
   |--+-|
   |   Last Updated On| August 2, 2009  |
   |--+-|
   |   Advisory Contact   | Mark Michelson|
   |--+-|
   |   CVE Name   | |
   ++

   ++
   | Description | An attacker can cause Asterisk to crash remotely by  |
   | | sending malformed RTP text frames. While the attacker|
   | | can cause Asterisk to crash, he cannot execute arbitrary |
   | | remote code with this exploit.   |
   ++

   ++
   | Resolution | Users should upgrade to a version listed in the   |
   || "Corrected In" section below. |
   ++

   ++
   |   Affected Versions|
   ||
   |Product| Release Series |   |
   |---++---|
   | Asterisk Open Source  | 1.2.x  | Unaffected|
   |---++---|
   | Asterisk Open Source  | 1.4.x  | Unaffected|
   |---++---|
   | Asterisk Open Source  | 1.6.x  | All 1.6.1 versions|
   |---++---|
   |Asterisk Addons| 1.2.x  | Unaffected|
   |---++---|
   |Asterisk Addons| 1.4.x  | Unaffected|
   |---++---|
   |Asterisk Addons| 1.6.x  | Unaffected|
   |---++---|
   |   Asterisk Business Edition   | A.x.x  | Unaffected|
   |---++---|
   |   Asterisk Business Edition   | B.x.x  | Unaffected|
   |---++---|
   |   Asterisk Business Edition   | C.x.x  | Unaffected|
   |---++---|
   |  AsteriskNOW  |  1.5   | Unaffected|
   |---++---|
   |  s800i (Asterisk Appliance)   | 1.2.x  | Unaffected|
   ++

   ++
   |  Corrected In 

[Full-disclosure] AST-2009-003: SIP responses expose valid usernames

2009-04-02 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2009-003

   ++
   |  Product   | Asterisk  |
   |+---|
   |  Summary   | SIP responses expose valid usernames  |
   |+---|
   | Nature of Advisory | Information leak  |
   |+---|
   |   Susceptibility   | Remote Unauthenticated Sessions   |
   |+---|
   |  Severity  | Minor |
   |+---|
   |   Exploits Known   | No|
   |+---|
   |Reported On | February 23, 2009 |
   |+---|
   |Reported By | Gentoo Linux Project: Kerin Millar ( kerframil on |
   || irc.freenode.net ) and Fergal Glynn < FGlynn AT   |
   || veracode DOT com >|
   |+---|
   | Posted On  | April 2, 2009 |
   |+---|
   |  Last Updated On   | April 2, 2009 |
   |+---|
   |  Advisory Contact  | Tilghman Lesher < tlesher AT digium DOT com > |
   |+---|
   |  CVE Name  | CVE-2008-3903 |
   ++

   ++
   | Description | In 2006, the Asterisk maintainers made it more difficult |
   | | to scan for valid SIP usernames by implementing an   |
   | | option called "alwaysauthreject", which should return a  |
   | | 401 error on all replies which are generated for users   |
   | | which do not exist. While this was sufficient at the |
   | | time, due to ever increasing compliance with RFC 3261,   |
   | | the SIP specification, that is no longer sufficient as a |
   | | means towards preventing attackers from checking |
   | | responses to verify whether a SIP account exists on a|
   | | machine. |
   | |  |
   | | What we have done is to carefully emulate exactly the|
   | | same responses throughout possible dialogs, which should |
   | | prevent attackers from gleaning this information. All|
   | | invalid users, if this option is turned on, will receive |
   | | the same response throughout the dialog, as if a |
   | | username was valid, but the password was incorrect.  |
   | |  |
   | | It is important to note several things. First, this  |
   | | vulnerability is derived directly from the SIP   |
   | | specification, and it is a technical violation of RFC|
   | | 3261 (and subsequent RFCs, as of this date), for us to   |
   | | return these responses. Second, this attack is made much |
   | | more difficult if administrators avoided creating|
   | | all-numeric usernames and especially all-numeric |
   | | passwords. This combination is extremely vulnerable for  |
   | | servers connected to the public Internet, even with this |
   | | patch in place. While it may make configuring SIP|
   | | telephones easier in the short term, it has the  |
   | | potential to cause grief over the long term. |
   ++

   ++
   | Resolution | Upgrade to one of the versions below, or apply one of the |
   || patches specified in the Patches section. |
   ++
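The following is an added model, not code from the advisories or from Asterisk, of the response logic described in AST-2009-008 and AST-2009-003: the pre-fix registrar answers differently depending on whether the peer named in the To header exists, while the fixed registrar runs an unknown peer through exactly the same checks as a known peer with a wrong password, so both yield identical replies throughout the dialog. The account table is constructed, and the reply chosen for a plain wrong password is an assumption of this model; the advisories give the 403, 404 and 401 texts used below.

```python
# Constructed sample peers (name -> secret); not real credentials.
ACCOUNTS = {"alice": "s3cret", "1001": "1234"}

MISMATCH = "403 Authentication user name does not match account name"
NOT_FOUND = "404 Not Found"
UNAUTHORIZED = "401 Unauthorized"
OK = "200 OK"

# A secret that can never equal anything a client sends.
_NO_SUCH_PEER = object()


def legacy_register_response(to_user, auth_user, password, alwaysauthreject):
    """Pre-fix logic as AST-2009-008 describes it: the reply to the second
    REGISTER depends on whether the peer exists. The wrong-password reply is
    modelled as 401 here (an assumption of this model)."""
    secret = ACCOUNTS.get(to_user)
    if secret is None:
        return UNAUTHORIZED if alwaysauthreject else NOT_FOUND
    if auth_user != to_user:
        return MISMATCH
    if password != secret:
        return UNAUTHORIZED
    return OK


def fixed_register_response(to_user, auth_user, password):
    """Post-fix logic: an unknown peer is processed with the same checks as a
    known peer whose password is wrong, so every branch a client can reach
    produces the same reply in both cases."""
    secret = ACCOUNTS.get(to_user, _NO_SUCH_PEER)
    if auth_user != to_user:
        return MISMATCH
    if password != secret:
        return UNAUTHORIZED
    return OK


def response_signature(responder, user):
    """The replies a probing client can observe for `user`: one attempt with a
    mismatched Digest username, one with a matching username and a bogus password."""
    return (responder(user, "bogus-user", "bogus-pass"),
            responder(user, user, "bogus-pass"))


def leaks_existence(responder, known_user, unknown_user):
    """True when the responder lets a client tell a configured peer from an
    unconfigured one; a registrar should return False here."""
    return response_signature(responder, known_user) != response_signature(responder, unknown_user)


if __name__ == "__main__":
    for flag in (False, True):
        legacy = lambda t, a, p, f=flag: legacy_register_response(t, a, p, f)
        print("legacy alwaysauthreject=%s leaks: %s" % (flag, leaks_existence(legacy, "alice", "nobody")))
    print("fixed leaks:", leaks_existence(fixed_register_response, "alice", "nobody"))
```

`leaks_existence` is the kind of check to keep in a regression suite: it compares the observable reply sequence for a real and a fictitious account and fails if they diverge. A full implementation should also perform the same digest computation for an unknown user so that response timing does not reintroduce the oracle that the response codes no longer provide.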

   +

[Full-disclosure] AST-2009-002: Remote Crash Vulnerability in SIP channel driver

2009-03-10 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2009-002

   ++
   |   Product   | Asterisk |
   |-+--|
   |   Summary   | Remote Crash Vulnerability in SIP channel driver |
   |-+--|
   | Nature of Advisory  | Denial of Service|
   |-+--|
   |   Susceptibility| Remote Authenticated Sessions|
   |-+--|
   |  Severity   | Moderate |
   |-+--|
   |   Exploits Known| No   |
   |-+--|
   | Reported On | February 6, 2009 |
   |-+--|
   | Reported By | bugs.digium.com user klaus3000   |
   |-+--|
   |  Posted On  | March 10, 2009   |
   |-+--|
   |   Last Updated On   | March 10, 2009   |
   |-+--|
   |  Advisory Contact   | Joshua Colp|
   |-+--|
   |  CVE Name   |  |
   ++

   ++
   | Description | When configured with pedantic=yes the SIP channel driver |
   | | performs extra request URI checking on an INVITE |
   | | received as a result of a SIP spiral. As part of this|
   | | extra checking the headers from the outgoing SIP INVITE  |
   | | sent and the received SIP INVITE are compared. The code  |
   | | incorrectly assumes that the string for each header  |
   | | passed in will be non-NULL in all cases. This is |
   | | incorrect because if no headers are present the value|
   | | passed in will be NULL.  |
   | |  |
   | | The values passed into the code are now checked to be|
   | | non-NULL before being compared.  |
   ++

   ++
   | Resolution | Upgrade to revision 174082 of the 1.4 branch, 174085 of   |
   || the 1.6.0 branch, 174086 of the 1.6.1 branch, or one of   |
   || the releases noted below. |
   ||   |
   || The pedantic option in the SIP channel driver can also be |
   || turned off to prevent this issue from occurring.  |
   ++

   ++
   |   Affected Versions|
   ||
   |  Product   | Release | |
   || Series  | |
   |+-+-|
   |Asterisk Open Source|  1.2.x  | Not affected|
   |+-+-|
   |Asterisk Open Source|  1.4.x  | Versions 1.4.22, 1.4.23,|
   || | 1.4.23.1|
   |+-+-|
   |Asterisk Open Source| 1.6.0.x | All versions prior to 1.6.0.6   |
   |+-+-|
   |Asterisk Open Source| 1.6.1.x | All versions prior to   |
   || | 1.6.1.0-rc2 |
   |+-+-|
   |  Asterisk Addons   | 

[Full-disclosure] AST-2009-001: Information leak in IAX2 authentication

2009-01-08 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2009-001

   ++
   |   Product| Asterisk|
   |--+-|
   |   Summary| Information leak in IAX2 authentication |
   |--+-|
   |  Nature of Advisory  | Unauthorized data disclosure|
   |--+-|
   |Susceptibility| Remote Unauthenticated Sessions |
   |--+-|
   |   Severity   | Minor   |
   |--+-|
   |Exploits Known| Yes |
   |--+-|
   | Reported On  | October 15, 2008|
   |--+-|
   | Reported By  | http://www.unprotectedhex.com   |
   |--+-|
   |  Posted On   | January 7, 2009 |
   |--+-|
   |   Last Updated On| January 7, 2009 |
   |--+-|
   |   Advisory Contact   | Tilghman Lesher < tlesher AT digium DOT com >   |
   |--+-|
   |   CVE Name   | CVE-2009-0041   |
   ++

   ++
   | Description | IAX2 provides a different response during authentication |
   | | when a user does not exist, as compared to when the  |
   | | password is merely wrong. This allows an attacker to |
   | | scan a host to find specific users on which to   |
   | | concentrate password cracking attempts.  |
   | |  |
   | | The workaround involves sending back responses that are  |
   | | valid for that particular site. For example, if it were  |
   | | known that a site only uses RSA authentication, then |
   | | sending back an MD5 authentication request would |
   | | similarly identify the user as not existing. The |
   | | opposite is also true. So the solution is always to send |
   | | back an authentication response that corresponds to a|
   | | known frequency with which real authentication responses |
   | | are returned, when the user does not exist. This makes   |
   | | it very difficult for an attacker to guess whether a |
   | | user exists or not, based upon this particular   |
   | | mechanism.   |
   ++

   ++
   | Resolution | Upgrade to revision 167259 of the 1.2 branch or 167260 of |
   || the 1.4 branch or one of the releases noted below.|
   ++

   ++
   |   Affected Versions|
   ||
   |  Product   | Release | |
   || Series  | |
   |+-+-|
   |Asterisk Open Source|  1.2.x  | All versions prior to 1.2.31|
   |+-+-|
   |Asterisk Open Source|  1.4.x  | All versions prior to   |
   || | 1.4.23-rc4  |
   |+-+-|
   |Asterisk Open Source|  1.6.x  | All versions prior to   |
   || | 1.6.0.3-rc2 |
   |+-+-|
   |  Asteri

[Full-disclosure] AST-2008-012: Remote crash vulnerability in IAX2

2008-12-10 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2008-012

   ++
   |   Product| Asterisk|
   |--+-|
   |   Summary| Remote crash vulnerability in IAX2  |
   |--+-|
   |  Nature of Advisory  | Remote Crash|
   |--+-|
   |Susceptibility| Remote Unauthenticated Sessions |
   |--+-|
   |   Severity   | Major   |
   |--+-|
   |Exploits Known| No  |
   |--+-|
   | Reported On  | November 22, 2008   |
   |--+-|
   | Reported By  | Jon Leren Schøpzinsky   |
   |--+-|
   |  Posted On   | |
   |--+-|
   |   Last Updated On| December 9, 2008|
   |--+-|
   |   Advisory Contact   | Mark Michelson|
   |--+-|
   |   CVE Name   | |
   ++

   ++
   | Description | There is a possibility to remotely crash an Asterisk |
   | | server if the server is configured to use realtime IAX2  |
   | | users. The issue occurs if either an unknown user|
   | | attempts to authenticate or if a user that uses hostname |
   | | matching attempts to authenticate.   |
   | |  |
   | | The problem was due to a broken function call to |
   | | Asterisk's realtime configuration API.   |
   ++

   ++
   |   Resolution| The function calls in question have been fixed.  |
   ++

   ++
   |   Affected Versions|
   ||
   | Product | Release Series | |
   |-++-|
   |  Asterisk Open Source   | 1.2.x  | 1.2.26-1.2.30.3 |
   |-++-|
   |  Asterisk Open Source   | 1.4.x  | Unaffected  |
   |-++-|
   |  Asterisk Open Source   | 1.6.x  | Unaffected  |
   |-++-|
   | Asterisk Addons | 1.2.x  | Unaffected  |
   |-++-|
   | Asterisk Addons | 1.4.x  | Unaffected  |
   |-++-|
   | Asterisk Addons | 1.6.x  | Unaffected  |
   |-++-|
   |Asterisk Business Edition| A.x.x  | Unaffected  |
   |-++-|
   |Asterisk Business Edition| B.x.x  | B.2.3.5-B.2.5.5 |
   |-++-|
   |Asterisk Business Edition| C.x.x  | Unaffected  |
   |-++-|
   |   AsteriskNOW   |  1.5   | Unaffected  |
   |-++-|
   |   s800i (Asterisk Appliance)| 1.2

[Full-disclosure] AST-2008-011: Traffic amplification in IAX2 firmware provisioning system

2008-07-22 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2008-011

   ++
   |  Product   | Asterisk  |
   |+---|
   |  Summary   | Traffic amplification in IAX2 firmware|
   || provisioning system   |
   |+---|
   | Nature of Advisory | Traffic amplification attack  |
   |+---|
   |   Susceptibility   | Remote unauthenticated sessions   |
   |+---|
   |  Severity  | Critical  |
   |+---|
   |   Exploits Known   | No|
   |+---|
   |Reported On | July 18, 2008 |
   |+---|
   |Reported By | Tilghman Lesher < tlesher AT digium DOT com > |
   |+---|
   | Posted On  | July 22, 2008 |
   |+---|
   |  Last Updated On   | July 22, 2008 |
   |+---|
   |  Advisory Contact  | Tilghman Lesher < tlesher AT digium DOT com > |
   |+---|
   |  CVE Name  | CVE-2008-3264 |
   ++

   ++
   | Description | An attacker may request an Asterisk server to send part  |
   | | of a firmware image. However, as this firmware download  |
   | | protocol does not initiate a handshake, the source   |
   | | address may be spoofed. Therefore, an IAX2 FWDOWNL   |
   | | request for a firmware file may consume as little as 40  |
   | | bytes, yet produces a 1040 byte response. Coupled with   |
   | | multiple geographically diverse Asterisk servers, an |
   | | attacker may flood a victim site with unwanted firmware  |
   | | packets. |
   ++

   ++
   | Workaround | The only device which used this firmware upgrade  |
   || procedure was the IAXy ATA device, and the last firmware  |
   || upgrade was more than 18 months ago. It is unlikely that  |
   || any IAXy devices in use today still need the last |
   || firmware upgrade. Therefore, deleting the firmware image  |
   || from the directory where it is served from and sending a  |
   || reload event to the Asterisk server is sufficient to  |
   || purge the firmware image from the Asterisk server's   |
   || memory. An Asterisk server which is unable to serve out   |
   || the requested firmware image will reply to any such   |
   || request with a much smaller REJECT packet, which is   |
   || smaller than even the FWDOWNL packet. |
   ++

   ++
   | Resolution | This firmware download procedure has been disabled by |
   || default in Asterisk. If you should still need to upgrade  |
   || IAXys in the field, there is an option 'allowfwdownload'  |
   || which can be enabled. However, due to the reasons |
   || specified on the Workaround section, it is recommended|
   || that you leave this option disabled and enable it only on |
   || secure internal networks when an IAXy is initially|
   || provisioned.  |
   ++

   ++
   |   Affected Versions|
   |---

[Full-disclosure] AST-2008-010: Asterisk IAX 'POKE' resource exhaustion

2008-07-22 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2008-010

   ++
   |   Product| Asterisk|
   |--+-|
   |   Summary| Asterisk IAX 'POKE' resource exhaustion |
   |--+-|
   |  Nature of Advisory  | Denial of service   |
   |--+-|
   |Susceptibility| Remote Unauthenticated Sessions |
   |--+-|
   |   Severity   | Critical|
   |--+-|
   |Exploits Known| Yes |
   |--+-|
   | Reported On  | July 18, 2008   |
   |--+-|
   | Reported By  | Jeremy McNamara < jj AT nufone DOT net >|
   |--+-|
   |  Posted On   | July 22, 2008   |
   |--+-|
   |   Last Updated On| July 22, 2008   |
   |--+-|
   |   Advisory Contact   | Tilghman Lesher < tlesher AT digium DOT com >   |
   |--+-|
   |   CVE Name   | CVE-2008-3263   |
   ++

   Description: By flooding an Asterisk server with IAX2 'POKE' requests, an
   attacker may eat up all call numbers associated with the IAX2 protocol on
   an Asterisk server and prevent other IAX2 calls from getting through. Due
   to the nature of the protocol, IAX2 POKE calls will expect an ACK packet
   in response to the PONG packet sent in response to the POKE. While
   waiting for this ACK packet, this dialog consumes an IAX2 call number, as
   the ACK packet must contain the same call number as was allocated and
   sent in the PONG.

   Resolution: The implementation has been changed to no longer allocate an
   IAX2 call number for POKE requests. Instead, call number 1 has been
   reserved for all responses to POKE requests, and ACK packets referencing
   call number 1 will be silently dropped.
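The call-number accounting described above, as an added simulation that is not Asterisk's code: the old path allocates a call number per POKE and holds it until an ACK arrives, the fixed path answers every POKE from the reserved call number 1 and drops ACKs for it. The table size, struct and function names are constructed for the example.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed toy: a tiny call-number table so exhaustion is visible.
 * Real IAX2 call numbers are 15-bit; only the accounting logic matters here. */
#define MAX_CALLNO   16
#define POKE_CALLNO  1   /* call number reserved for POKE responses by the fix */

struct iax_sim {
    bool fixed;                  /* true = behaviour after AST-2008-010 */
    bool in_use[MAX_CALLNO + 1]; /* index = call number, 1..MAX_CALLNO */
};

static void iax_sim_init(struct iax_sim *s, bool fixed)
{
    memset(s, 0, sizeof *s);
    s->fixed = fixed;
    if (fixed)
        s->in_use[POKE_CALLNO] = true;  /* reserved, never handed to a dialog */
}

/* Allocate a free call number; 0 means none left, so real calls now fail. */
static int iax_alloc_callno(struct iax_sim *s)
{
    for (int n = 1; n <= MAX_CALLNO; n++) {
        if (!s->in_use[n]) {
            s->in_use[n] = true;
            return n;
        }
    }
    return 0;
}

/* Inbound POKE: returns the call number that the PONG will carry. */
int iax_handle_poke(struct iax_sim *s)
{
    if (s->fixed)
        return POKE_CALLNO;          /* no state allocated, nothing to wait on */
    return iax_alloc_callno(s);      /* old: held until the ACK (if ever) arrives */
}

/* Inbound ACK referencing a call number. Returns true if it released a dialog. */
bool iax_handle_ack(struct iax_sim *s, int callno)
{
    if (s->fixed && callno == POKE_CALLNO)
        return false;                /* silently dropped, as the fix specifies */
    if (callno < 1 || callno > MAX_CALLNO || !s->in_use[callno])
        return false;
    s->in_use[callno] = false;
    return true;
}

/* Call numbers still available for real calls. */
int iax_free_callnos(const struct iax_sim *s)
{
    int avail = 0;
    for (int n = 1; n <= MAX_CALLNO; n++)
        if (!s->in_use[n])
            avail++;
    return avail;
}

/* Send n POKEs whose PONGs are never ACKed; return free call numbers afterwards. */
int pokes_without_ack(bool fixed, int n)
{
    struct iax_sim s;
    iax_sim_init(&s, fixed);
    for (int i = 0; i < n; i++)
        iax_handle_poke(&s);
    return iax_free_callnos(&s);
}

/* One POKE followed by the ACK for its PONG; free call numbers afterwards. */
int poke_then_ack(bool fixed)
{
    struct iax_sim s;
    iax_sim_init(&s, fixed);
    int callno = iax_handle_poke(&s);
    iax_handle_ack(&s, callno);
    return iax_free_callnos(&s);
}
```

With the old behaviour 100 unacknowledged POKEs leave zero call numbers for real calls; with the fix the table is untouched apart from the one reserved number.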

   Commentary: This vulnerability was reported to us without exploit code,
   less than two days before public release, with exploit code.
   Additionally, we were not informed of the public release of the exploit
   code and only learned this fact from a third party. We reiterate that
   this is irresponsible security disclosure, and we recommend that in the
   future, adequate time be given to fix any such vulnerability. Recommended
   reading:
   http://www.oisafety.org/guidelines/Guidelines%20for%20Security%20Vulnerability%20Reporting%20and%20Response%20V2.0.pdf

   Affected Versions
   Product                     Release Series
   Asterisk Open Source        1.0.x            All versions

[Full-disclosure] AST-2008-009: AST-2008-007 Cryptographic keys generated by OpenSSL on Debian-based systems compromised

2008-06-04 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2008-009

   Product:             Asterisk-Addons
   Summary:             Remote crash vulnerability in ooh323 channel driver
   Nature of Advisory:  Remote crash
   Susceptibility:      Remote unauthenticated sessions
   Severity:            Major
   Exploits Known:      No
   Reported On:         May 29, 2008
   Reported By:         Tzafrir Cohen
   Posted On:           June 4, 2008
   Last Updated On:     June 4, 2008
   Advisory Contact:    Mark Michelson
   CVE Name:            CVE-2008-2543

   Description: The ooh323 channel driver provided in Asterisk Addons used a
   TCP connection to pass commands internally. The payload of these packets
   included addresses of memory which were to be freed after the command was
   processed. By sending arbitrary data to the listening TCP socket, one
   could cause an almost certain crash since the command handler would
   attempt to free invalid memory. This problem was made worse by the fact
   that the listening TCP socket was bound to whatever IP address was
   specified by the "bindaddr" option in ooh323.conf.

   Resolution: The TCP connection used by ooh323 has been replaced with a
   pipe. The effect of this change is that data from outside the ooh323
   process may not be injected.

   Affected Versions
   Product                     Release Series
   Asterisk Open Source        1.0.x            N/A
   Asterisk Open Source        1.2.x            N/A
   Asterisk Open Source        1.4.x            N/A
   Asterisk Addons             1.2.x            All versions prior to 1.2.9
   Asterisk Addons             1.4.x            All versions prior to 1.4.7
   Asterisk Business Edition   A.x.x            N/A
   Asterisk Business Edition

[Full-disclosure] AST-2008-009: (Corrected subject) Remote crash vulnerability in ooh323 channel driver

2008-06-04 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2008-009

   Product:             Asterisk-Addons
   Summary:             Remote crash vulnerability in ooh323 channel driver
   Nature of Advisory:  Remote crash
   Susceptibility:      Remote unauthenticated sessions
   Severity:            Major
   Exploits Known:      No
   Reported On:         May 29, 2008
   Reported By:         Tzafrir Cohen
   Posted On:           June 4, 2008
   Last Updated On:     June 4, 2008
   Advisory Contact:    Mark Michelson
   CVE Name:            CVE-2008-2543

   Description: The ooh323 channel driver provided in Asterisk Addons used a
   TCP connection to pass commands internally. The payload of these packets
   included addresses of memory which were to be freed after the command was
   processed. By sending arbitrary data to the listening TCP socket, one
   could cause an almost certain crash since the command handler would
   attempt to free invalid memory. This problem was made worse by the fact
   that the listening TCP socket was bound to whatever IP address was
   specified by the "bindaddr" option in ooh323.conf.

   Resolution: The TCP connection used by ooh323 has been replaced with a
   pipe. The effect of this change is that data from outside the ooh323
   process may not be injected.

   Affected Versions
   Product                     Release Series
   Asterisk Open Source        1.0.x            N/A
   Asterisk Open Source        1.2.x            N/A
   Asterisk Open Source        1.4.x            N/A
   Asterisk Addons             1.2.x            All versions prior to 1.2.9
   Asterisk Addons             1.4.x            All versions prior to 1.4.7
   Asterisk Business Edition   A.x.x            N/A
   Asterisk Business Edition

[Full-disclosure] AST-2008-008: Remote Crash Vulnerability in SIP channel driver when run in pedantic mode

2008-06-03 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2008-008

   Product:             Asterisk
   Summary:             Remote Crash Vulnerability in SIP channel driver when
                        run in pedantic mode
   Nature of Advisory:  Denial of Service
   Susceptibility:      Remote Unauthenticated Sessions
   Severity:            Critical
   Exploits Known:      No
   Reported On:         May 8, 2008
   Reported By:         Hooi Ng (bugs.digium.com user hooi)
   Posted On:           May 8, 2008
   Last Updated On:     June 3, 2008
   Advisory Contact:    Joshua Colp <[EMAIL PROTECTED]>
   CVE Name:            CVE-2008-2119

   Description: During pedantic SIP processing the From header value is
   passed to the ast_uri_decode function to be decoded. In two instances it
   is possible for the code to cause a crash, as the From header value is
   not checked to be non-NULL before being passed to the function.

   Resolution: The From header value is now copied into a buffer before
   being passed to the ast_uri_decode function if pedantic is enabled, and
   in the other instance it is checked to be non-NULL before being passed.

   Affected Versions
   Product                            Release Series
   Asterisk Open Source               1.0.x            All versions
   Asterisk Open Source               1.2.x            All versions prior to 1.2.29
   Asterisk Open Source               1.4.x            Not Affected
   Asterisk Business Edition          A.x.x            All versions
   Asterisk Business Edition          B.x.x            All versions prior to B.2.5.3
   Asterisk Business Edition          C.x.x            Not Affected
   AsteriskNOW                        1.0.x            Not Affected
   Asterisk Appliance Developer Kit   0.x.x            Not Affected

[Full-disclosure] /home/putnopvut/asa/AST-2008-007/AST-2008-007: AST-2008-007 Cryptographic keys generated by OpenSSL on Debian-based systems compromised

2008-05-22 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2008-007

   Product:             Asterisk
   Summary:             Asterisk installations using cryptographic keys
                        generated by Debian-based systems may be using a
                        vulnerable implementation of OpenSSL
   Nature of Advisory:  Compromised cryptographic keys
   Susceptibility:      Users of RSA for IAX2 authentication and users of
                        DUNDi
   Severity:            Critical
   Exploits Known:      None specific to Asterisk, but OpenSSL exploits are
                        circulating
   Reported On:         13 May 2008
   Reported By:         Luciano Bello
   Posted On:           May 16, 2008
   Last Updated On:     May 22, 2008
   Advisory Contact:    Mark Michelson < mmichelson AT digium DOT com >
   CVE Name:            CVE-2008-0166

   Description: The Debian team recently announced that cryptographic keys
   generated by their OpenSSL package were created using a random number
   generator with predictable results. This affects Debian's stable and
   unstable distributions, as well as Debian-derived systems such as Ubuntu.
   See the links in the "Links" section of this advisory for more
   information about the vulnerability.

   Asterisk is not directly affected by this vulnerability; however,
   Asterisk's 'astgenkey' script uses OpenSSL in order to generate
   cryptographic keys. Therefore, Asterisk users who use RSA for
   authentication of IAX2 calls and who use DUNDi may be using compromised
   keys. This vulnerability affects any such installation whose
   cryptographic keys were generated on a Debian-based system, even if the
   Asterisk installation itself is not on a Debian-based system.

   Resolution: Since this is not a vulnerability in Asterisk itself but in a
   tool that Asterisk uses, there will be no new releases made; however,
   users who are affected by the Debian OpenSSL vulnerability are strongly
   encouraged to upgrade their package of OpenSSL to an uncompromised
   version (version 0.9.8c-4 or later) and regenerate all keys used by
   Asterisk.

   Affected Versions
   Product                     Release Series
   Asterisk Open Source        1.0.x            N/A

[Full-disclosure] AST-2008-002: Two buffer overflows in RTP Codec Payload Handling

2008-03-18 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2008-002

   Product:             Asterisk
   Summary:             Two buffer overflows in RTP Codec Payload Handling
   Nature of Advisory:  Exploitable Buffer Overflow
   Susceptibility:      Remote Unauthenticated Sessions
   Severity:            Critical
   Exploits Known:      No
   Reported On:         March 11, 2008
   Reported By:         Mu Security Research Team
   Posted On:           March 18, 2008
   Last Updated On:     March 18, 2008
   Advisory Contact:    Joshua Colp <[EMAIL PROTECTED]>
   CVE Name:            CVE-2008-1289

   Description: Two buffer overflows exist in the RTP payload handling code
   of Asterisk. Both overflows can be caused by an INVITE or any other SIP
   packet with SDP. The request may need to be authenticated depending on
   configuration of the Asterisk installation.

   The first overflow is caused by sending a payload number that surpasses
   the programmed maximum payload number of 256. This causes an invalid
   memory write outside of the buffer. While this does not allow the
   attacker to write arbitrary data, it does allow the attacker to write a 0
   to other memory locations.

   The second overflow is caused by sending more than 32 RTP payloads. This
   causes a buffer on the stack to overflow, allowing the attacker to write
   values between 0 and 256 (the maximum payload number) to memory locations
   after the buffer.

   Resolution: Two fixes have been added to check the provided data to
   ensure it does not exceed static buffer sizes.

   When removing internal information regarding an RTP payload the given
   payload number will now be checked to make sure it does not exceed the
   maximum acceptable payload number.

   When reading RTP payloads from SDP a maximum limit of 32 in total will be
   enforced. Any further RTP payloads will be discarded.
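Both checks from the Resolution, as an added example that is not Asterisk's code: a bounds-checked "unset payload" and an SDP media-line reader that keeps at most 32 payload numbers and rejects any outside the 256-entry table. The struct, function names and the media line are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bounds taken from the advisory: a 256-slot payload table and at most 32
 * payloads kept from SDP. Names are hypothetical. */
#define MAX_RTP_PT   256
#define MAX_SDP_PTS  32

struct rtp_pt_table {
    unsigned char active[MAX_RTP_PT];   /* 1 = payload number is negotiated */
};

/* First fix: the payload number is validated before the table is touched,
 * so an out-of-range value no longer writes a 0 outside the buffer. */
int rtp_unset_payload(struct rtp_pt_table *t, int pt)
{
    if (pt < 0 || pt >= MAX_RTP_PT)
        return -1;
    t->active[pt] = 0;
    return 0;
}

/* Helper for tests: try to unset pt in a fresh table. */
int try_unset(int pt)
{
    struct rtp_pt_table t = {{0}};
    return rtp_unset_payload(&t, pt);
}

/* Second fix: read the payload numbers of a media line such as
 * "m=audio 5004 RTP/AVP 0 8 101" into out[]. At most MAX_SDP_PTS numbers
 * are stored; any further ones are parsed and discarded. Returns the number
 * stored, or -1 if the line is malformed or a payload number lies outside
 * 0..MAX_RTP_PT-1. */
int sdp_parse_payloads(const char *mline, int out[MAX_SDP_PTS])
{
    const char *p = strstr(mline, "RTP/AVP");
    if (!p)
        return -1;
    p += strlen("RTP/AVP");
    int count = 0;
    for (;;) {
        while (*p == ' ')
            p++;
        if (*p == '\0' || *p == '\r' || *p == '\n')
            break;
        char *end;
        long pt = strtol(p, &end, 10);
        if (end == p)
            return -1;                 /* not a number */
        if (pt < 0 || pt >= MAX_RTP_PT)
            return -1;                 /* would index outside the table */
        if (count < MAX_SDP_PTS)
            out[count++] = (int)pt;    /* beyond 32: discarded, not stored */
        p = end;
    }
    return count;
}

/* Build a media line carrying n payload numbers (constructed input) and
 * return how many the reader keeps. */
int count_parsed_payloads(int n)
{
    char line[1024] = "m=audio 5004 RTP/AVP";
    size_t len = strlen(line);
    for (int i = 0; i < n && len < sizeof line - 8; i++)
        len += (size_t)snprintf(line + len, sizeof line - len, " %d", i % MAX_RTP_PT);
    int out[MAX_SDP_PTS];
    return sdp_parse_payloads(line, out);
}
```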

   Affected Versions
   Product                     Release Series

[Full-disclosure] AST-2008-003: Unauthenticated calls allowed from SIP channel driver

2008-03-18 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2008-003

   Product:             Asterisk
   Summary:             Unauthenticated calls allowed from SIP channel driver
   Nature of Advisory:  Authentication Bypass
   Susceptibility:      Remote Unauthenticated Sessions
   Severity:            Major
   Exploits Known:      No
   Reported On:         March 12, 2008
   Reported By:         Jason Parker <[EMAIL PROTECTED]>
   Posted On:           March 18, 2008
   Last Updated On:     March 18, 2008
   Advisory Contact:    Jason Parker <[EMAIL PROTECTED]>
   CVE Name:            CVE-2008-1332

   Description: Unauthenticated calls can be made via the SIP channel driver
   using an invalid From header. This acts similarly to the SIP
   configuration option 'allowguest=yes', in that calls with a specially
   crafted From header would be sent to the PBX in the context specified in
   the general section of sip.conf.

   Resolution: A fix has been added which checks for the option 'allowguest'
   to be enabled before determining that authentication is not required.

   As a workaround, modify the context in the general section of sip.conf to
   point to a non-trusted location (example: a non-existent context, or a
   context that does nothing but hang up the call).

   Affected Versions
   Product                     Release Series
   Asterisk Open Source        1.0.x            All versions
   Asterisk Open Source        1.2.x            All versions prior to 1.2.27
   Asterisk Open Source        1.4.x            All versions prior to 1.4.18.1 and 1.4.19-rc3
   Asterisk Business Edition   A.x.x            All versions
   Asterisk Business Edition   B.x.x            All versions prior to B.2.5.1
   Asterisk Business Edition   C.x.x            All versions prior to C.1.6.2
   Aster

[Full-disclosure] AST-2008-005: HTTP Manager ID is predictable

2008-03-18 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2008-005

   Product:             Asterisk
   Summary:             HTTP Manager ID is predictable
   Nature of Advisory:  An attacker could hijack a manager session
   Susceptibility:      All users using the HTTP manager port
   Severity:            Minor
   Exploits Known:      No
   Reported On:         February 25, 2008
   Reported By:         Dino A. Dai Zovi < ddz AT theta44 DOT org >
   Posted On:           March 18, 2008
   Last Updated On:     March 18, 2008
   Advisory Contact:    Tilghman Lesher < tlesher AT digium DOT com >
   CVE Name:            CVE-2008-1390

   Description: Due to the way that manager IDs are calculated, this 32-bit
   integer is likely to have a much larger than average number of 1s, which
   greatly reduces the number of guesses an attacker would have to make to
   successfully predict the manager ID, which is used across multiple HTTP
   queries to hold manager state.

   "The issue is the generation of session ids in the AsteriskGUI HTTP
   server.

   When using Glibc, the implementation and state of rand() and random() is
   shared. Asterisk uses random() to issue MD5 digest authentication
   challenges and rand() bitwise-ORed with a malloc'd pointer to generate
   AsteriskGUI session identifiers. An attacker can synchronize with
   random() by retrieving 32 successive challenges and predict all
   subsequent output of calls to random() and rand(). Because a pointer
   returned by malloc has at best 21 bits of entropy, the attacker will on
   average only need to guess 1448 session identifiers in order to steal an
   established session.

   "The crux of the problem is that under Glibc, the
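The bias the description refers to, as an added simulation that is not Asterisk's code: an id formed by ORing two words has each bit set with probability 3/4, so it averages about 24 set bits instead of 16, which is what shrinks the guessing space. The xorshift generator stands in for rand() and for the pointer bits and is constructed for the example; the replacement generator reads the kernel CSPRNG.

```c
#include <stdint.h>
#include <stdio.h>

/* Deterministic xorshift32 (constructed) so the simulation is reproducible;
 * it plays the role of rand() and of the bits of a heap pointer. */
static uint32_t xs_state = 2463534242u;
static uint32_t xs_next(void)
{
    uint32_t x = xs_state;
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    return xs_state = x;
}

static int popcount32(uint32_t v)
{
    int c = 0;
    for (; v; v >>= 1)
        c += (int)(v & 1u);
    return c;
}

/* Mean number of set bits over n ids. With or_pointer set, the id is built as
 * word | word, mirroring the construction the advisory describes (rand()
 * bitwise-ORed with a malloc'd pointer); each bit is then 1 with probability
 * 3/4, so the mean lands near 24 of 32 rather than 16. */
double mean_set_bits(int n, int or_pointer)
{
    long total = 0;
    for (int i = 0; i < n; i++) {
        uint32_t id = xs_next();
        if (or_pointer)
            id |= xs_next();
        total += popcount32(id);
    }
    return (double)total / n;
}

/* Defender's replacement: draw the id from the kernel CSPRNG instead of
 * rand()/random() state that the MD5 digest challenges also expose.
 * Returns 1 on success and 0 on failure so the caller can refuse to create
 * a session rather than fall back to a weak value. */
int secure_session_id(uint32_t *id)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f)
        return 0;
    size_t got = fread(id, sizeof *id, 1, f);
    fclose(f);
    return got == 1;
}
```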

[Full-disclosure] AST-2008-004: Format String Vulnerability in Logger and Manager

2008-03-18 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2008-004

   Product:             Asterisk
   Summary:             Format String Vulnerability in Logger and Manager
   Nature of Advisory:  Denial of Service
   Susceptibility:      Remote Unauthenticated Sessions
   Severity:            Moderate
   Exploits Known:      No
   Reported On:         March 13, 2008
   Reported By:         Steve Davies (bugs.digium.com user stevedavies)
                        Brandon Kruse (bugs.digium.com user bkruse)
   Posted On:           March 18, 2008
   Last Updated On:    March 18, 2008
   Advisory Contact:    Joshua Colp <[EMAIL PROTECTED]>
   CVE Name:            CVE-2008-1333

   Description: Logging messages displayed using the ast_verbose logging API
   call are not displayed as a character string; they are displayed as a
   format string.

   Output as a result of the Manager command "command" is not appended to
   the resulting response message as a character string; it is appended as
   a format string.

   It is possible in both instances for an attacker to provide a formatted
   string as a value for input which can cause a crash.

   Resolution: Input given to both the ast_verbose logging API call and the
   astman_append function is now interpreted as a character string and not
   as a format string.
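The difference between the two interpretations, as an added example that is not Asterisk's code: a printf-style logger (a stand-in for ast_verbose, name hypothetical) called with caller-controlled text as the format versus as a "%s" argument, plus an audit helper that counts conversion specifiers in text about to be logged. The vulnerable path is only exercised with a "%%" sequence, which needs no arguments, so the misinterpretation is visible without undefined behaviour.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for a printf-style logging call such as ast_verbose (hypothetical
 * name; writes to a buffer instead of the console). */
static int verbose_log(char *buf, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int len = vsnprintf(buf, n, fmt, ap);
    va_end(ap);
    return len;
}

/* The vulnerable pattern: text that may come from the network is used as the
 * format string, so every '%' in it is interpreted as a directive. */
int log_as_format(char *buf, size_t n, const char *text)
{
    return verbose_log(buf, n, text);
}

/* The fix from the advisory: the text is an argument to a constant format. */
int log_as_string(char *buf, size_t n, const char *text)
{
    return verbose_log(buf, n, "%s", text);
}

/* Audit helper: count conversion specifiers ('%' not followed by '%') in a
 * string. A non-zero result for caller-controlled text means it must only
 * ever be logged through log_as_string(). */
int count_conversions(const char *s)
{
    int c = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%" is a literal percent sign */
            s++;
            continue;
        }
        c++;
    }
    return c;
}

/* Run the same text through both paths; returns 1 if the outputs differ. */
int outputs_differ(const char *text)
{
    char a[128], b[128];
    log_as_format(a, sizeof a, text);
    log_as_string(b, sizeof b, text);
    return strcmp(a, b) != 0;
}
```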

   Affected Versions
   Product                     Release Series
   Asterisk Open Source        1.0.x            Unaffected
   Asterisk Open Source        1.2.x            Unaffected
   Asterisk Open Source        1.4.x            Unaffected
   Asterisk Open Source        1.6.x            All versions prior to 1.6.0-beta6
   Asterisk Business Edition   A.x.x            Unaffected
   Asterisk Business Edition   B.x.x            Unaffected

[Full-disclosure] AST-2008-001: Crash from transfer using BYE with Also header

2008-01-02 Thread Asterisk Security Team
Asterisk Project Security Advisory - AST-2008-001

Product:             Asterisk
Summary:             Remote Crash Vulnerability in SIP channel driver
Nature of Advisory:  Denial of Service
Susceptibility:      Remote Unauthenticated Sessions
Severity:            Critical
Exploits Known:      No
Reported On:         December 26, 2007
Reported By:         Grey VoIP (bugs.digium.com user greyvoip)
Posted On:           January 2, 2008
Last Updated On:     January 2, 2008
Advisory Contact:    Joshua Colp <[EMAIL PROTECTED]>
CVE Name:

Description: The handling of the BYE with Also transfer method was broken
during the development of Asterisk 1.4. If a transfer attempt is made using
this method the system will immediately crash upon handling the BYE message
due to trying to copy data into a NULL pointer. It is important to note that
a dialog must have already been established and up in order for this to
happen.

Resolution: A fix has been added so that the BYE with Also transfer method
now properly allocates and uses the transfer data structure. It will no
longer try to copy data into a NULL pointer and will operate properly.

Affected Versions
Product                     Release Series
Asterisk Open Source        1.0.x            Unaffected
Asterisk Open Source        1.2.x            Unaffected
Asterisk Open Source        1.4.x            All versions prior to 1.4.17
Asterisk Business Edition   A.x.x            Unaffected
Asterisk Business Edition   B.x.x            Unaffected
Asterisk Business Edition   C.x.x            All versions prior to C.1.0-beta8
AsteriskNOW                 pre-release      All versions prior to beta7
Asterisk Appliance

[Full-disclosure] AST-2007-025 - SQL Injection issue in res_config_pgsql

2007-11-30 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2007-025

   Product:             Asterisk
   Summary:             SQL Injection issue in res_config_pgsql
   Nature of Advisory:  SQL Injection
   Susceptibility:      Remote Unauthenticated Sessions
   Severity:            Moderate
   Exploits Known:      No
   Reported On:         November 29, 2007
   Reported By:         P. Chisteas
   Posted On:           November 29, 2007
   Last Updated On:     November 29, 2007
   Advisory Contact:    Tilghman Lesher
   CVE Name:

   Description: Input buffers were not properly escaped when providing
   lookup data to the Postgres Realtime Engine. An attacker could
   potentially compromise the administrative database containing users'
   usernames and passwords used for SIP authentication, among other things.

   This module is not active by default and must be configured for use by
   the administrator. Default installations of Asterisk are not affected.

   Workaround: Convert your installation to use res_config_odbc with the
   PgsqlODBC driver. This module provides similar functionality but is not
   vulnerable.

   Resolution: Upgrade to Asterisk release 1.4.15 or higher.

   Affected Versions
   Product                        Release Series
   Asterisk Open Source           1.0.x            None
   Asterisk Open Source           1.2.x            None
   Asterisk Open Source           1.4.x            1.4.14 and previous versions
   Asterisk Business Edition      A.x.x            None
   Asterisk Business Edition      B.x.x            None
   AsteriskNOW                    pre-release      None
   Asterisk Appliance Developer   0.x.x            None

[Full-disclosure] AST-2007-026 - SQL Injection issue in cdr_pgsql

2007-11-30 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2007-026

   Product:             Asterisk
   Summary:             SQL Injection issue in cdr_pgsql
   Nature of Advisory:  SQL Injection
   Susceptibility:      Remote Authenticated Sessions
   Severity:            Moderate
   Exploits Known:      No
   Reported On:         November 29, 2007
   Reported By:         Tilghman Lesher
   Posted On:           November 29, 2007
   Last Updated On:     November 29, 2007
   Advisory Contact:    Tilghman Lesher
   CVE Name:

   Description: Input buffers were not properly escaped when providing the
   ANI and DNIS strings to the Call Detail Record Postgres logging engine.
   An attacker could potentially compromise the administrative database
   containing users' usernames and passwords used for SIP authentication,
   among other things.

   This module is not active by default and must be configured for use by
   the administrator. Default installations of Asterisk are not affected.

   Workaround: Convert your installation to use cdr_odbc with the PgsqlODBC
   driver. This module provides similar functionality but is not vulnerable.

   Resolution: Upgrade to Asterisk release 1.4.15 or higher.

   Affected Versions
   Product                            Release Series
   Asterisk Open Source               1.0.x            All versions
   Asterisk Open Source               1.2.x            1.2.24 and previous
   Asterisk Open Source               1.4.x            1.4.14 and previous
   Asterisk Business Edition          A.x.x            All versions
   Asterisk Business Edition          B.x.x            B.2.3.3 and previous
   AsteriskNOW                        pre-release      None
   Asterisk Appliance Developer Kit   0.x.x            None

[Full-disclosure] AST-2007-026 - SQL Injection issue in cdr_pgsql

2007-11-29 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2007-026

   Product:             Asterisk
   Summary:             SQL Injection issue in cdr_pgsql
   Nature of Advisory:  SQL Injection
   Susceptibility:      Remote Authenticated Sessions
   Severity:            Moderate
   Exploits Known:      No
   Reported On:         November 29, 2007
   Reported By:         Tilghman Lesher
   Posted On:           November 29, 2007
   Last Updated On:     November 29, 2007
   Advisory Contact:    Tilghman Lesher
   CVE Name:            CVE-2007-6170

   Description: Input buffers were not properly escaped when providing the
   ANI and DNIS strings to the Call Detail Record Postgres logging engine.
   An attacker could potentially compromise the administrative database
   containing users' usernames and passwords used for SIP authentication,
   among other things.

   This module is not active by default and must be configured for use by
   the administrator. Default installations of Asterisk are not affected.

   Workaround: Convert your installation to use cdr_odbc with the PgsqlODBC
   driver. This module provides similar functionality but is not vulnerable.

   Resolution: Upgrade to Asterisk release 1.4.15 or higher.

   Affected Versions
   Product                     Release Series
   Asterisk Open Source        1.0.x            All versions
   Asterisk Open Source        1.2.x            1.2.24 and previous
   Asterisk Open Source        1.4.x            1.4.14 and previous
   Asterisk Business Edition   A.x.x            All versions
   Asterisk Business Edition   B.x.x            B.2.3.3 and previous
   Asterisk Business Edition   C.x.x            C.1.0-beta5 and previous
   AsteriskNOW                 pre-release      None

[Full-disclosure] AST-2007-025 - SQL Injection issue in res_config_pgsql

2007-11-29 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2007-025

   Product:             Asterisk
   Summary:             SQL Injection issue in res_config_pgsql
   Nature of Advisory:  SQL Injection
   Susceptibility:      Remote Unauthenticated Sessions
   Severity:            Moderate
   Exploits Known:      No
   Reported On:         November 29, 2007
   Reported By:         P. Chisteas
   Posted On:           November 29, 2007
   Last Updated On:     November 29, 2007
   Advisory Contact:    Tilghman Lesher
   CVE Name:            CVE-2007-6171

   Description: Input buffers were not properly escaped when providing
   lookup data to the Postgres Realtime Engine. An attacker could
   potentially compromise the administrative database containing users'
   usernames and passwords used for SIP authentication, among other things.

   This module is not active by default and must be configured for use by
   the administrator. Default installations of Asterisk are not affected.

   Workaround: Convert your installation to use res_config_odbc with the
   PgsqlODBC driver. This module provides similar functionality but is not
   vulnerable.

   Resolution: Upgrade to Asterisk release 1.4.15 or higher.

   Affected Versions
   Product                     Release Series
   Asterisk Open Source        1.0.x            None
   Asterisk Open Source        1.2.x            None
   Asterisk Open Source        1.4.x            1.4.14 and previous versions
   Asterisk Business Edition   A.x.x            None
   Asterisk Business Edition   B.x.x            None
   Asterisk Business Edition   C.x.x            C.1.0-beta5 and previous versions

[Full-disclosure] AST-2007-023 - SQL Injection Vulnerability in cdr_addon_mysql

2007-10-16 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2007-023

   Product:             Asterisk-Addons
   Summary:             SQL Injection Vulnerability in cdr_addon_mysql
   Nature of Advisory:  SQL Injection
   Susceptibility:      Remote Unauthenticated Sessions
   Severity:            Minor
   Exploits Known:      Yes
   Reported On:         October 16, 2007
   Reported By:         Humberto Abdelnur
   Posted On:           October 16, 2007
   Last Updated On:     October 16, 2007
   Advisory Contact:    Tilghman Lesher
   CVE Name:            CVE-2007-5488

   Description: The source and destination numbers for a given call are not
   correctly escaped by the cdr_addon_mysql module when inserting a record.
   Therefore, a carefully crafted destination number sent to an Asterisk
   system running cdr_addon_mysql could escape out of a SQL data field and
   create another query. This vulnerability is made all the more severe if a
   user were using realtime data, since the data may exist in the same
   database as the inserted call detail record, thus creating all sorts of
   possible data corruption and invalidation issues.

   Resolution: The Asterisk-addons package is not distributed with Asterisk,
   nor is it installed by default. The module may be either disabled or
   upgraded to fix this issue.

   +------------------------------------------------------------+
   |                      Affected Versions                     |
   +----------------------+-------------+-----------------------+
   |       Product        |   Release   |                       |
   |                      |   Series    |                       |
   +----------------------+-------------+-----------------------+
   | Asterisk Open Source | 1.0.x       | All versions          |
   +----------------------+-------------+-----------------------+
   | Asterisk Open Source | 1.2.x       | All versions prior to |
   |                      |             | asterisk-addons-1.2.8 |
   +----------------------+-------------+-----------------------+
   | Asterisk Open Source | 1.4.x       | All versions prior to |
   |                      |             | asterisk-addons-1.4.4 |
   +----------------------+-------------+-----------------------+
   | Asterisk Business    | A.x.x       | Unaffected            |
   | Edition              |             |                       |
   +----------------------+-------------+-----------------------+
   | Asterisk Business    | B.x.x       | Unaffected            |
   | Edition              |             |                       |
   +----------------------+-------------+-----------------------+
   | AsteriskNOW          | pre-release | Unaffected            |
   +----------------------+-------------+-----------------------+
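The escaping failure described in AST-2007-023, as an added example that is not Asterisk's or the cdr_addon_mysql module's own code: a CDR INSERT built by pasting the dialled numbers in raw, so that a single quote in the destination number ends the SQL string literal, beside a MySQL-style escape of the kind the fixed module needs and a parameterised insert. The table name, column names and sample numbers are assumptions; SQLite stands in for MySQL only to show where the raw statement breaks.

```python
import sqlite3

# Constructed sample CDR values (not real call data). The second dialled
# number carries a single quote, the character that ends an SQL string.
CLEAN_CDR = {"src": "1001", "dst": "5551234", "duration": 42}
QUOTED_CDR = {"src": "1001", "dst": "555'1234", "duration": 42}


def escape_mysql(value: str) -> str:
    """Backslash-escape the characters mysql_real_escape_string() escapes.
    This is MySQL's escaping convention; SQLite does not honour backslashes,
    so the escaped statement is shown as text rather than executed here."""
    table = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
             "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}
    return "".join(table.get(ch, ch) for ch in value)


def build_insert(cdr: dict, escape=lambda s: s) -> str:
    """Build the INSERT a CDR backend would run. With the default identity
    'escape', src and dst are pasted in raw: the vulnerable pattern."""
    return ("INSERT INTO cdr (src, dst, duration) VALUES ('%s', '%s', %d)"
            % (escape(cdr["src"]), escape(cdr["dst"]), cdr["duration"]))


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cdr (src TEXT, dst TEXT, duration INTEGER)")
    return conn


def stays_in_field(sql: str) -> bool:
    """True when the statement parses as one INSERT and stores one row; a
    quote that escaped its data field breaks parsing instead."""
    conn = fresh_db()
    try:
        conn.execute(sql)
    except sqlite3.OperationalError:
        return False
    return conn.execute("SELECT count(*) FROM cdr").fetchone()[0] == 1


def store_with_params(cdr: dict) -> str:
    """Preferred fix: bound parameters, so field content is never parsed
    as SQL. Returns the stored dst so the round-trip can be checked."""
    conn = fresh_db()
    conn.execute("INSERT INTO cdr (src, dst, duration) VALUES (?, ?, ?)",
                 (cdr["src"], cdr["dst"], cdr["duration"]))
    return conn.execute("SELECT dst FROM cdr").fetchone()[0]
```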

[Full-disclosure] AST-2007-021: Crash from invalid/corrupted MIME bodies when using voicemail with IMAP storage

2007-08-24 Thread Asterisk Security Team
  Asterisk Project Security Advisory - AST-2007-021

   +--------------------+------------------------------------------------+
   |      Product       | Asterisk                                       |
   +--------------------+------------------------------------------------+
   |      Summary       | Crash from invalid/corrupted MIME bodies when  |
   |                    | using voicemail with IMAP storage              |
   +--------------------+------------------------------------------------+
   | Nature of Advisory | Crash                                          |
   +--------------------+------------------------------------------------+
   |   Susceptibility   | Remote Unauthenticated Sessions                |
   +--------------------+------------------------------------------------+
   |      Severity      | minor                                          |
   +--------------------+------------------------------------------------+
   |   Exploits Known   | No                                             |
   +--------------------+------------------------------------------------+
   |    Reported On     | August 23, 2007                                |
   +--------------------+------------------------------------------------+
   |    Reported By     | Kevin Stewart                                  |
   +--------------------+------------------------------------------------+
   |     Posted On      | August 24, 2007                                |
   +--------------------+------------------------------------------------+
   |  Last Updated On   | August 24, 2007                                |
   +--------------------+------------------------------------------------+
   |  Advisory Contact  | Mark Michelson <[EMAIL PROTECTED]>             |
   +--------------------+------------------------------------------------+
   |      CVE Name      | CVE-2007-4521                                  |
   +--------------------+------------------------------------------------+

   +-------------+----------------------------------------------------------+
   | Description | If Asterisk is configured to use IMAP as its backend     |
   |             | storage for voicemail, then an e-mail sent to a user     |
   |             | with an invalid/corrupted MIME body will cause Asterisk  |
   |             | to crash when the user listens to their voicemail using  |
   |             | the phone.                                               |
   |             |                                                          |
   |             | This does not affect any other voicemail storage option, |
   |             | nor does it affect users who check their voicemail via   |
   |             | e-mail when using IMAP storage.                          |
   +-------------+----------------------------------------------------------+

   +------------+----------------------------------------------------------+
   | Resolution | Since this is a minor issue, a new release is not        |
   |            | immediately planned. However, the issue will be fixed in |
   |            | Asterisk Open Source version 1.4.12 when it is released. |
   +------------+----------------------------------------------------------+

   +----------------------------------------------------------------------+
   |                           Affected Versions                          |
   +------------------------------+-------------+-------------------------+
   |           Product            |   Release   |                         |
   |                              |   Series    |                         |
   +------------------------------+-------------+-------------------------+
   | Asterisk Open Source         | 1.0.x       | Not Affected            |
   +------------------------------+-------------+-------------------------+
   | Asterisk Open Source         | 1.2.x       | Not Affected            |
   +------------------------------+-------------+-------------------------+
   | Asterisk Open Source         | 1.4.x       | Versions 1.4.5 - 1.4.11 |
   +------------------------------+-------------+-------------------------+
   | Asterisk Business Edition    | A.x.x       | Not Affected            |
   +------------------------------+-------------+-------------------------+
   | Asterisk Business Edition    | B.x.x       | Not Affected            |
   +------------------------------+-------------+-------------------------+
   | AsteriskNOW                  | pre-release | Not Affected            |
   +------------------------------+-------------+-------------------------+
   | Asterisk Appliance Developer | 0.x.x       | Not Affected            |
   | Kit                          |             |                         |
   +------------------------------+-------------+-------------------------+
   |   s800i (Asteris

[Full-disclosure] AST-2007-020: Resource Exhaustion Vulnerability in Asterisk SIP channel driver

2007-08-21 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2007-020

   +--------------------+--------------------------------------------------+
   |      Product       | Asterisk                                         |
   +--------------------+--------------------------------------------------+
   |      Summary       | Resource Exhaustion vulnerability in SIP channel |
   |                    | driver                                           |
   +--------------------+--------------------------------------------------+
   | Nature of Advisory | Denial of Service                                |
   +--------------------+--------------------------------------------------+
   |   Susceptibility   | Remote Unauthenticated Sessions                  |
   +--------------------+--------------------------------------------------+
   |      Severity      | Moderate                                         |
   +--------------------+--------------------------------------------------+
   |   Exploits Known   | No                                               |
   +--------------------+--------------------------------------------------+
   |    Reported On     | August 9, 2007                                   |
   +--------------------+--------------------------------------------------+
   |    Reported By     | Jon Moldenauer (bugs.digium.com user             |
   |                    | jmoldenhauer)                                    |
   +--------------------+--------------------------------------------------+
   |     Posted On      | August 21, 2007                                  |
   +--------------------+--------------------------------------------------+
   |  Last Updated On   | August 21, 2007                                  |
   +--------------------+--------------------------------------------------+
   |  Advisory Contact  | Russell Bryant <[EMAIL PROTECTED]>               |
   +--------------------+--------------------------------------------------+
   |      CVE Name      | CVE-2007-4455                                    |
   +--------------------+--------------------------------------------------+

   +-------------+----------------------------------------------------------+
   | Description | The handling of SIP dialog history was broken during the |
   |             | development of Asterisk 1.4. Regardless of whether       |
   |             | recording SIP dialog history is turned on or off, the    |
   |             | history is still recorded in memory. Furthermore, there  |
   |             | is no upper limit on how many history items will be      |
   |             | stored for a given SIP dialog.                           |
   |             |                                                          |
   |             | It is possible for an attacker to use up all of the      |
   |             | system's memory by creating a SIP dialog that records    |
   |             | many entries in the history and never ends. It is also   |
   |             | worth noting for the sake of doing the math to calculate |
   |             | what it would take to exploit this that each SIP history |
   |             | entry will take up a maximum of 88 bytes.                |
   +-------------+----------------------------------------------------------+

   +------------+-----------------------------------------------------------+
   | Resolution | The fix that has been added to chan_sip is to restore the |
   |            | functionality where SIP dialog history is not recorded in |
   |            | memory if it is not enabled. Furthermore, a maximum of 50 |
   |            | entries in the history will be stored for each dialog     |
   |            | when recording history is turned on.                      |
   |            |                                                           |
   |            | The only way to avoid this problem in affected versions   |
   |            | of Asterisk is to disable chan_sip. If chan_sip is being  |
   |            | used, the system must be upgraded to a version that has   |
   |            | this issue resolved.                                      |
   +------------+-----------------------------------------------------------+

   +----------------------------------------------------------------+
   |                        Affected Versions                       |
   +--------------------------+-------------+-----------------------+
   |         Product          |   Release   |                       |
   |                          |   Series    |                       |
   +--------------------------+-------------+-----------------------+
   | Asterisk Open Source     | 1.0.x       | Not affected          |
   +--------------------------+-------------+-----------------------+
   | Asterisk Open Source     | 1.2.x       | Not affected          |
   +--------------------------+-------------+-----------------------+
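A constructed model of the history leak in AST-2007-020 and of the two fixes its Resolution states (nothing recorded when history is disabled, at most 50 entries per dialog), as an added example that is not chan_sip's own code. The `SipDialog` class, its method names and the event text are assumptions; the 50-entry cap and 88-byte maximum entry size are the advisory's figures.

```python
# Constructed model of the chan_sip dialog-history bug and its fix (example
# code, not Asterisk's own). The two constants are the advisory's figures.
MAX_HISTORY = 50    # per-dialog cap introduced by the fix
ENTRY_BYTES = 88    # maximum size of one history entry


class SipDialog:
    """One SIP dialog; `fixed=False` reproduces the unbounded 1.4 behaviour
    in which history is stored whether or not recording is enabled."""

    def __init__(self, record_history: bool, fixed: bool = True):
        self.record_history = record_history
        self.fixed = fixed
        self.history = []

    def append_history(self, event: str) -> bool:
        """Record one history line; returns True if the line was stored."""
        if self.fixed:
            if not self.record_history:
                return False        # fix 1: honour the record-history setting
            if len(self.history) >= MAX_HISTORY:
                return False        # fix 2: cap entries per dialog
        self.history.append(event[:ENTRY_BYTES])
        return True

    def worst_case_bytes(self) -> int:
        """Upper bound on memory held by this dialog's history."""
        return len(self.history) * ENTRY_BYTES


def simulate(events: int, record_history: bool, fixed: bool) -> int:
    """Push `events` history lines into one long-lived dialog (a dialog that
    never ends, as the advisory describes) and return the bytes it holds."""
    dialog = SipDialog(record_history, fixed)
    for i in range(events):
        dialog.append_history(f"Rx: OPTIONS #{i}")   # constructed event text
    return dialog.worst_case_bytes()
```

With the fix, a dialog's history is bounded at 50 * 88 = 4400 bytes; without it, memory grows linearly with the number of messages an unending dialog receives.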