               Asterisk Project Security Advisory - AST-2013-004

         Product        Asterisk
         Summary        Remote Crash From Late Arriving SIP ACK With SDP
    Nature of Advisory  Remote Crash
      Susceptibility    Remote Unauthenticated Sessions
         Severity       Major
      Exploits Known    None
       Reported On      February 11, 2013
       Reported By      Colin Cuthbertson
        Posted On       August 27, 2013
     Last Updated On    August 27, 2013
     Advisory Contact   Joshua Colp
         CVE Name       Pending

    Description  A remotely exploitable crash vulnerability exists in the SIP
                 channel driver if an ACK with SDP is received after the
                 channel has been terminated. The handling code incorrectly
                 assumes that the channel will always be present.

    Resolution   A check has now been added which only parses SDP and applies
                 it if an Asterisk channel is present.

                 Note that Walter Doekes, OSSO B.V., is responsible for
                 diagnosing and providing the fix for this issue.

                               Affected Versions
                Product                Release Series
         Asterisk Open Source             1.8.x       1.8.17.0 and above
         Asterisk Open Source              11.x       All versions
          Certified Asterisk              1.8.15      All versions
          Certified Asterisk               11.2       All versions

                                  Corrected In
                    Product                              Release
              Asterisk Open Source                   1.8.23.1, 11.5.1
               Certified Asterisk               1.8.15-cert3, 11.2-cert2

                                     Patches
                          SVN URL                                  Revision
   http://downloads.asterisk.org/pub/security/AST-2013-004-1.8.diff         Asterisk 1.8
   http://downloads.asterisk.org/pub/security/AST-2013-004-11.diff          Asterisk 11
   http://downloads.asterisk.org/pub/security/AST-2013-004-1.8.15-cert.diff Certified Asterisk 1.8.15
   http://downloads.asterisk.org/pub/security/AST-2013-004-11.2-cert.diff   Certified Asterisk 11.1

        Links  https://issues.asterisk.org/jira/browse/ASTERISK-21064

    Asterisk Project Security Advisories are posted at
    http://www.asterisk.org/security

    This document may be superseded by later versions; if so, the latest
    version will be posted at
      http://downloads.digium.com/pub/security/AST-2013-004.pdf and
      http://downloads.digium.com/pub/security/AST-2013-004.html

                                Revision History
          Date                 Editor                 Revisions Made
       2013-08-22            Joshua Colp             Initial revision.
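The following is an added illustration of the failure mode and of the class of check the Resolution describes; it is a hypothetical model written for this page, not Asterisk's SIP channel driver code. The struct names, the handler functions and the SDP sample are all constructed for the example; the real driver's data structures and parsing differ.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical model of AST-2013-004 (not Asterisk code): a SIP dialog can
 * outlive the Asterisk channel that owned it, so a late ACK may arrive after
 * the owner pointer has already been cleared by call teardown. */
struct channel { char remote_sdp[128]; };
struct sip_dialog { struct channel *owner; int acks_seen; };
enum ack_result { ACK_NO_SDP = 0, ACK_SDP_APPLIED = 1, ACK_SDP_IGNORED = 2 };

/* Hanging up detaches the channel but leaves the dialog object behind to
 * absorb retransmissions; that lingering window is where the bug lives. */
void dialog_terminate(struct sip_dialog *d) { d->owner = NULL; }

/* Before the fix: SDP handling assumes the channel is always present.
 * Calling this after dialog_terminate() is the NULL dereference the advisory
 * describes, so it is only ever exercised here on a live dialog. */
enum ack_result handle_ack_before_fix(struct sip_dialog *d, const char *sdp)
{
    d->acks_seen++;
    if (!sdp) return ACK_NO_SDP;
    snprintf(d->owner->remote_sdp, sizeof d->owner->remote_sdp, "%s", sdp);
    return ACK_SDP_APPLIED;
}

/* After the fix: SDP is parsed and applied only when a channel still exists;
 * a late ACK on a terminated dialog is counted and otherwise ignored. */
enum ack_result handle_ack_after_fix(struct sip_dialog *d, const char *sdp)
{
    d->acks_seen++;
    if (!sdp) return ACK_NO_SDP;
    if (!d->owner) return ACK_SDP_IGNORED;   /* the added presence check */
    snprintf(d->owner->remote_sdp, sizeof d->owner->remote_sdp, "%s", sdp);
    return ACK_SDP_APPLIED;
}

/* Scenario from the advisory: a normal ACK while the call is up, the call
 * ends, then a second ACK carrying SDP arrives late. Returns the fixed
 * handler's verdict on the late ACK; the SDP body is a constructed sample. */
enum ack_result late_ack_scenario(int *acks_seen)
{
    struct channel chan = { "" };
    struct sip_dialog dlg = { &chan, 0 };
    const char *sdp = "v=0\r\no=- 1 1 IN IP4 192.0.2.1\r\n"
                      "m=audio 4000 RTP/AVP 0\r\n";
    handle_ack_after_fix(&dlg, sdp);   /* channel present: SDP applied */
    dialog_terminate(&dlg);            /* channel hung up, dialog lingers */
    enum ack_result r = handle_ack_after_fix(&dlg, sdp);  /* late ACK */
    if (acks_seen) *acks_seen = dlg.acks_seen;
    return r;
}
```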
Asterisk Project Security Advisory - AST-2013-004 Copyright (c) 2013 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.