Asterisk Project Security Advisory - AST-2014-008 Product Asterisk Summary Denial of Service in PJSIP Channel Driver Subscriptions Nature of Advisory Denial of Service Susceptibility Remote authenticated sessions Severity Moderate Exploits Known No Reported On 28 May, 2014 Reported By Mark Michelson Posted On June 12, 2014 Last Updated On June 12, 2014 Advisory Contact Mark Michelson CVE Name CVE-2014-4048 Description When a SIP transaction timeout caused a subscription to be terminated, the action taken by Asterisk was guaranteed to deadlock the thread on which SIP requests are serviced. Note that this behavior could only happen on established subscriptions, meaning that this could only be exploited if an attacker bypassed authentication and successfully subscribed to a real resource on the Asterisk server. Resolution The socket-servicing thread is now no longer capable of dispatching synchronous tasks to other threads since that may result in deadlocks. Affected Versions Product Release Series Asterisk Open Source 12.x All versions Corrected In Product Release Asterisk Open Source 12.3.1 Patches SVN URL Revision http://downloads.asterisk.org/pub/security/AST-2014-008-12.diff Asterisk 12 Links https://issues.asterisk.org/jira/browse/ASTERISK-23802 Asterisk Project Security Advisories are posted at http://www.asterisk.org/security This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2014-008.pdf and http://downloads.digium.com/pub/security/AST-2014-008.html Revision History Date Editor Revisions Made June 6, 2014 Mark Michelson Document Creation June 12, 2014 Matt Jordan Added CVE Asterisk Project Security Advisory - AST-2014-008 Copyright (c) 2014 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.