Asterisk Project Security Advisory - The multi-part body parser in PJSIP contains a logical error that can make certain multi-part body parts attempt to read memory from outside the allowed boundaries. A specially-crafted packet can trigger these invalid reads and potentially induce a crash.
dffc64dd4e5928c9a21df82604d70762c92068e2145f6bc7293d2eb080f35bbcAsterisk Project Security Advisory - A remote crash can be triggered by sending a SIP packet to Asterisk with a specially crafted CSeq header and a Via header with no branch parameter. The issue is that the PJSIP RFC 2543 transaction key generation algorithm does not allocate a large enough buffer. By overrunning the buffer, the memory allocation table becomes corrupted, leading to an eventual crash.
60ef218a0c056d6aec0776e903fa217b0958d9a103decc2e014f49f5d98412d9Asterisk Project Security Advisory - The chan_sip channel driver has a liberal definition for whitespace when attempting to strip the content between a SIP header name and a colon character. Rather than following RFC 3261 and stripping only spaces and horizontal tabs, Asterisk treats any non-printable ASCII character as if it were whitespace.
09dc558d0dc500657f84397b2183696f7dff962f91ac1d27039bfe9a9157f5a9Asterisk Project Security Advisory - Asterisk can be crashed remotely by sending an ACK to it from an endpoint username that Asterisk does not recognize. Most SIP request types result in an "artificial" endpoint being looked up, but ACKs bypass this lookup. The resulting NULL pointer results in a crash when attempting to determine if ACLs should be applied. This issue was introduced in the Asterisk 13.10 release and only affects that release.
4fed701bc3c34b63cb35edd8fe1f32e85f372f14481d360d07df779759acb717Asterisk Project Security Advisory - PJProject has a limit on the number of TCP connections that it can accept. Furthermore, PJProject does not close TCP connections it accepts. By default, this value is approximately 60. An attacker can deplete the number of allowed TCP connections by opening TCP connections and sending no data to Asterisk. If PJProject has been compiled in debug mode, then once the number of allowed TCP connections has been depleted, the next attempted TCP connection to Asterisk will crash due to an assertion in PJProject. If PJProject has not been compiled in debug mode, then any further TCP connection attempts will be rejected. This makes Asterisk unable to process TCP SIP traffic. Note that this only affects TCP/TLS, since UDP is connectionless. Also note that this does not affect chan_sip.
122646434ef3ffdbf4f736e5ba7648af84f7dff43cfe57162960b91becc450fdAsterisk Project Security Advisory - Asterisk may crash when processing an incoming REGISTER request if that REGISTER contains a Contact header with a lengthy URI. This crash will only happen for requests that pass authentication. Unauthenticated REGISTER requests will not result in a crash occurring. This vulnerability only affects Asterisk when using PJSIP as its SIP stack. The chan_sip module does not have this problem.
afafbceea5744913691ffdaa1e188cde546064b48141faa603d4ecb51464d088Asterisk Project Security Advisory - CVE-2014-8150 reported an HTTP request injection vulnerability in libcURL. Asterisk uses libcURL in its func_curl.so module (the CURL() dialplan function), as well as its res_config_curl.so (cURL realtime backend) modules. Since Asterisk may be configured to allow for user-supplied URLs to be passed to libcURL, it is possible that an attacker could use Asterisk as an attack vector to inject unauthorized HTTP requests if the version of libcURL installed on the Asterisk server is affected by CVE-2014-8150.
29b34a38aceb27270a9742ce1a2328d92a59cc3a2103a91b0fcb2d89ef89580aAsterisk Project Security Advisory - Asterisk may be configured to only allow specific audio or video codecs to be used when communicating with a particular endpoint. When an endpoint sends an SDP offer that only lists codecs not allowed by Asterisk, the offer is rejected. However, in this case, RTP ports that are allocated in the process are not reclaimed. This issue only affects the PJSIP channel driver in Asterisk. Users of the chan_sip channel driver are not affected. As the resources are allocated after authentication, this issue only affects communications with authenticated endpoints.
e9d6055114e8feed6c629f9b504bd51b2f5d85998f7eb3481512d7fdd54bfc05Asterisk Project Security Advisory - It is possible to trigger a crash in Asterisk by sending a SIP SUBSCRIBE request with unexpected mixes of headers for a given event package. The crash occurs because Asterisk allocates data of one type at one layer and then interprets the data as a separate type at a different layer. The crash requires that the SUBSCRIBE be sent from a configured endpoint, and the SUBSCRIBE must pass any authentication that has been configured. Note that this crash is Asterisk's PJSIP-based res_pjsip_pubsub module and not in the old chan_sip module.
1aa9c0ed7726161fa37c98a6ed477a60bbea2afc25657fb55981f7558fc19432Asterisk Project Security Advisory - When a SIP transaction timeout caused a subscription to be terminated, the action taken by Asterisk was guaranteed to deadlock the thread on which SIP requests are serviced. Note that this behavior could only happen on established subscriptions, meaning that this could only be exploited if an attacker bypassed authentication and successfully subscribed to a real resource on the Asterisk server.
e21cdaf3769c98aa4d94fbad230c4dee902998f19cff528885690e12ebe7363aAsterisk Project Security Advisory - A remotely exploitable crash vulnerability exists in the PJSIP channel driver's handling of SUBSCRIBE requests. If a SUBSCRIBE request is received for the presence Event, and that request has no Accept headers, Asterisk will attempt to access an invalid pointer to the header location. Note that this issue was fixed during a re-architecture of the res_pjsip_pubsub module in Asterisk 12.1.0. As such, this issue has already been resolved in a released version of Asterisk. This notification is being released for users of Asterisk 12.0.0.
6e56eb72b35ebd81d6277efa644e9243116635a3b307f8a61ee9f768038f90ecAsterisk Project Security Advisory - AST-2012-014, fixed in January of this year, contained a fix for Asterisk's HTTP server since it was susceptible to a remotely-triggered crash. The fix put in place fixed the possibility for the crash to be triggered, but a possible denial of service still exists if an attacker sends one or more HTTP POST requests with very large Content-Length values.
7a1b07b00aaec1a54c4a018a3363c0392f9374f44ef12df07d9140f78bd6c056Asterisk Project Security Advisory - Asterisk has several places where messages received over various network transports may be copied in a single stack allocation. In the case of TCP, since multiple packets in a stream may be concatenated together, this can lead to large allocations that overflow the stack. In the case of SIP, it is possible to do this before a session is established. Keep in mind that SIP over UDP is not affected by this vulnerability. With HTTP and XMPP, a session must first be established before the vulnerability may be exploited. The XMPP vulnerability exists both in the res_jabber.so module in Asterisk 1.8, 10, and 11 as well as the res_xmpp.so module in Asterisk 11.
0eda4a18f48435624a5845545ce7bded4867ce8731fbb4a94114a41619146e72Asterisk Project Security Advisory - Host access rules using permit= and deny= configurations behave unpredictably if the CIDR notation /0 is used. Depending on the system's behavior, this may act as desired, but in other cases it might not, thereby allowing access from hosts that should be denied.
1b93b33da3d5184c379547d81b5050d83dfdbc328a9e859576be03060c04eeb1Asterisk Project Security Advisory - An attacker can cause Asterisk to crash remotely by sending malformed RTP text frames. While the attacker can cause Asterisk to crash, he cannot execute arbitrary remote code with this exploit.
7cdb743f4d11e06fb523803f2e6f40f3d378378fd8b9554a26d5efcd6ce48db9Asterisk Project Security Advisory - There is a possibility to remotely crash an Asterisk server if the server is configured to use realtime IAX2 users. The issue occurs if either an unknown user attempts to authenticate or if a user that uses hostname matching attempts to authenticate.
ef23e216fc8fbfffc2d988c07ff4844b1d8aeaf228f027c02fe7ede7f6bb7006Asterisk Project Security Advisory - Asterisk installations using cryptographic keys generated by Debian-based systems may be using a vulnerable implementation of OpenSSL.
9e1a273be0fa164aae613d72d1ac5770291a36e329b0ef6f8f88dc52d55212aeAsterisk Project Security Advisory - This advisory is a response to a false security vulnerability published in several places on the Internet. Had Asterisk's developers been notified prior to its publication, there would be no need for this. There is a potential for a buffer overflow in the sethdlc application; however, running this application requires root access to the server, which means that exploiting this vulnerability gains the attacker no more advantage than what he already has. As such, this is a bug, not a security vulnerability.
02df8010a89c1828facd661e89d15aad1405eb934f5d1de64b09abe22dfa82aeAsterisk Project Security Advisory - Multiple buffer overflows were discovered due to the use of sprintf in Asterisk's IMAP-specific voicemail code.
5e6beed403d366c145b69ef187cb6e89c970ef02a7ab577a2744fdfb90213dccAsterisk Project Security Advisory - Asterisk suffers from a crash vulnerability when passed invalid MIME bodies when using voicemail with IMAP storage.
1e9ae16db7079005556cba264366edeabcc3ffa5a92654001ff2788d29755e68
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed