what you don't know can hurt you

Asterisk Project Security Advisory - AST-2014-004

Asterisk Project Security Advisory - AST-2014-004
Posted Mar 11, 2014
Authored by Mark Michelson, Matt Jordan | Site asterisk.org

Asterisk Project Security Advisory - A remotely exploitable crash vulnerability exists in the PJSIP channel driver's handling of SUBSCRIBE requests. If a SUBSCRIBE request is received for the presence Event, and that request has no Accept headers, Asterisk will attempt to access an invalid pointer to the header location. Note that this issue was fixed during a re-architecture of the res_pjsip_pubsub module in Asterisk 12.1.0. As such, this issue has already been resolved in a released version of Asterisk. This notification is being released for users of Asterisk 12.0.0.

tags | advisory
advisories | CVE-2014-2289
MD5 | f9984c9c3245f1133638fada061a2940

Asterisk Project Security Advisory - AST-2014-004

Change Mirror Download
               Asterisk Project Security Advisory - AST-2014-004

Product Asterisk
Summary Remote Crash Vulnerability in PJSIP Channel Driver
Subscription Handling
Nature of Advisory Denial of Service
Susceptibility Remote Authenticated Sessions
Severity Moderate
Exploits Known No
Reported On January 14th, 2014
Reported By Mark Michelson
Posted On March 10, 2014
Last Updated On March 10, 2014
Advisory Contact Matt Jordan <mjordan AT digium DOT com>
CVE Name CVE-2014-2289

Description A remotely exploitable crash vulnerability exists in the
PJSIP channel driver's handling of SUBSCRIBE requests. If a
SUBSCRIBE request is received for the presence Event, and
that request has no Accept headers, Asterisk will attempt
to access an invalid pointer to the header location.

Note that this issue was fixed during a re-architecture of
the res_pjsip_pubsub module in Asterisk 12.1.0. As such,
this issue has already been resolved in a released version
of Asterisk. This notification is being released for users
of Asterisk 12.0.0.

Resolution Upgrade to Asterisk 12.1.0, or apply the patch noted below
to Asterisk 12.0.0.

Affected Versions
Product Release Series
Asterisk Open Source 12.x 12.0.0

Corrected In
Product Release
Asterisk Open Source 12.1.0

Patches
SVN URL Revision
http://downloads.asterisk.org/pub/security/AST-2014-004-12.diff Asterisk
12

Links https://issues.asterisk.org/jira/browse/ASTERISK-23139

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2014-004.pdf and
http://downloads.digium.com/pub/security/AST-2014-004.html

Revision History
Date Editor Revisions Made
03/05/14 Matt Jordan Initial Revision

Asterisk Project Security Advisory - AST-2014-004
Copyright (c) 2014 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.


Login or Register to add favorites

File Archive:

June 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    35 Files
  • 2
    Jun 2nd
    14 Files
  • 3
    Jun 3rd
    40 Files
  • 4
    Jun 4th
    22 Files
  • 5
    Jun 5th
    1 Files
  • 6
    Jun 6th
    1 Files
  • 7
    Jun 7th
    19 Files
  • 8
    Jun 8th
    14 Files
  • 9
    Jun 9th
    39 Files
  • 10
    Jun 10th
    20 Files
  • 11
    Jun 11th
    22 Files
  • 12
    Jun 12th
    0 Files
  • 13
    Jun 13th
    0 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close