Asterisk Project Security Advisory - When audio frames are given to the audio transcoding support in Asterisk the number of samples are examined and as part of this a message is output to indicate that no samples are present. A change was done to suppress this message for a particular scenario in which the message was not relevant. This change assumed that information about the origin of a frame will always exist when in reality it may not. This issue presented itself when an RTP packet containing no audio (and thus no samples) was received. In a particular transcoding scenario this audio frame would get turned into a frame with no origin information. If this new frame was then given to the audio transcoding support a crash would occur as no samples and no origin information would be present.
f099af7f927bb32ebabc2ad896ed9ecc6426a574a8666725577cefa49658c9c4Asterisk Project Security Advisory - External control protocols, such as the Asterisk Manager Interface, often have the ability to get and set channel variables; this allows the execution of dial-plan functions. Dial-plan functions within Asterisk are incredibly powerful, which is wonderful for building applications using Asterisk. But during the read or write execution, certain dial-plan functions do much more. For example, reading the SHELL() function can execute arbitrary commands on the system Asterisk is running on. Writing to the FILE() function can change any file that Asterisk has write access to. When these functions are executed from an external protocol, that execution could result in a privilege escalation.
d023c90a325ba8f94bb3cf31d665ef950f78277c35b78413f1a2879e54fbf60bAsterisk Project Security Advisory - A 16 bit SMS message that contains an odd message length value will cause the message decoding loop to run forever. The message buffer is not on the stack but will be overflowed resulting in corrupted memory and an immediate crash.
23fd2d5df026467da642f085725b6e9512c5c434b3c52f73e2cef1b5fa54e190Asterisk Project Security Advisory - A remotely exploitable crash vulnerability exists in the SIP channel driver if an invalid SDP is sent in a SIP request that defines media descriptions before connection information. The handling code incorrectly attempts to reference the socket address information even though that information has not yet been set.
b1ea1870b8ffa92fa2b9399875bedbe661440f8f5a1a71aa38f9d130235ae5aeAsterisk Project Security Advisory - A remotely exploitable crash vulnerability exists in the SIP channel driver if an ACK with SDP is received after the channel has been terminated. The handling code incorrectly assumes that the channel will always be present.
7b5b33cd2756da3ffe8c64031b7e60cd9b0cbd4644f5ab8e89498500f2a141bcAsterisk Project Security Advisory - When authenticating via SIP with alwaysauthreject enabled, allowguest disabled, and autocreatepeer disabled, Asterisk discloses whether a user exists for INVITE, SUBSCRIBE, and REGISTER transactions in multiple ways.
7ce9d396f6a8843def45150840621abd66a61195ea9967e14e7c6392d62f7a27Asterisk Project Security Advisory - AST-2012-014, fixed in January of this year, contained a fix for Asterisk's HTTP server since it was susceptible to a remotely-triggered crash. The fix put in place fixed the possibility for the crash to be triggered, but a possible denial of service still exists if an attacker sends one or more HTTP POST requests with very large Content-Length values.
7a1b07b00aaec1a54c4a018a3363c0392f9374f44ef12df07d9140f78bd6c056Asterisk Project Security Advisory - The format attribute resource for h264 video performs an unsafe read against a media attribute when parsing the SDP. The vulnerable parameter can be received as strings of an arbitrary length and Asterisk attempts to read them into limited buffer spaces without applying a limit to the number of characters read. If a message is formed improperly, this could lead to an attacker being able to execute arbitrary code remotely.
6dbcc321fa05a34d90ae2594f9ee9d1f4e3a55fa0610c69189ee26ee7c7e8f70Asterisk Project Security Advisory - Asterisk maintains an internal cache for devices. The device state cache holds the state of each device known to Asterisk, such that consumers of device state information can query for the last known state for a particular device, even if it is not part of an active call. The concept of a device in Asterisk can include things that do not have a physical representation. One way that this currently occurs is when anonymous calls are allowed in Asterisk. A device is automatically created and stored in the cache for each anonymous call that occurs; this is possible in the SIP and IAX2 channel drivers and through channel drivers that utilize the res_jabber/res_xmpp resource modules (Gtalk, Jingle, and Motif). Attackers exploiting this vulnerability can attack an Asterisk system configured to allow anonymous calls by varying the source of the anonymous call, continually adding devices to the device state cache and consuming a system's resources.
773b7fb319c073a4c00909384b60645dea28da3fd585d83a3a36440ff0b98590Asterisk Project Security Advisory - Asterisk has several places where messages received over various network transports may be copied in a single stack allocation. In the case of TCP, since multiple packets in a stream may be concatenated together, this can lead to large allocations that overflow the stack. In the case of SIP, it is possible to do this before a session is established. Keep in mind that SIP over UDP is not affected by this vulnerability. With HTTP and XMPP, a session must first be established before the vulnerability may be exploited. The XMPP vulnerability exists both in the res_jabber.so module in Asterisk 1.8, 10, and 11 as well as the res_xmpp.so module in Asterisk 11.
0eda4a18f48435624a5845545ce7bded4867ce8731fbb4a94114a41619146e72Asterisk Project Security Advisory - When an IAX2 call is made using the credentials of a peer defined in a dynamic Asterisk Realtime Architecture (ARA) backend, the ACL rules for that peer are not applied to the call attempt. This allows for a remote attacker who is aware of a peer's credentials to bypass the ACL rules set for that peer.
1dbe89247fe8ae0e746deba8d087c0a2e8f0db2a220148bcfd8d8c829b97520cAsterisk Project Security Advisory - The AMI Originate action can allow a remote user to specify information that can be used to execute shell commands on the system hosting Asterisk. This can result in an unwanted escalation of permissions, as the Originate action, which requires the "originate" class authorization, can be used to perform actions that would typically require the "system" class authorization.
a16cf1c312b65d9b8b4ddd517f7fef1fb90fcf85094f853ed40ad6333d9fe808Asterisk Project Security Advisory - If a single voicemail account is manipulated by two parties simultaneously, a condition can occur where memory is freed twice causing a crash.
c4c29da204c724036feeafa9e5d1fe5e12c23b551ecfc323429909297800ebdaAsterisk Project Security Advisory - If Asterisk sends a re-invite and an endpoint responds to the re-invite with a provisional response but never sends a final response, then the SIP dialog structure is never freed and the RTP ports for the call are never released. If an attacker has the ability to place a call, they could create a denial of service by using all available RTP ports.
7393ac1f7dc8c09c81891ad81cc71a05d76badd9fadaf47998c0f0251965ab45Asterisk Project Security Advisory - AST-2012-008 previously dealt with a denial of service attack exploitable in the Skinny channel driver that occurred when certain messages are sent after a previously registered station sends an Off Hook message. Unresolved in that patch is an issue in the Asterisk 10 releases, wherein, if a Station Key Pad Button Message is processed after an Off Hook message, the channel driver will inappropriately dereference a Null pointer. Similar to AST-2012-008, a remote attacker with a valid SCCP ID can can use this vulnerability by closing a connection to the Asterisk server when a station is in the "Off Hook" call state and crash the server.
fd0d2c21399e574d3381cbf0d6fbf99a5bd73c0e0a594da8126262e1f90d0130Asterisk Project Security Advisory - A Null-pointer dereference has been identified in the SCCP (Skinny) channel driver of Asterisk. When an SCCP client closes its connection to the server, a pointer in a structure is set to Null. If the client was not in the on-hook state at the time the connection was closed, this pointer is later dereferenced. A remote attacker with a valid SCCP ID can can use this vulnerability by closing a connection to the Asterisk server in certain call states (e.g. "Off hook") to crash the server. Successful exploitation of this vulnerability would result in termination of the server, causing denial of service to legitimate users.
0ffad12f4ee7638c64029cbf2387da33862ed3926680288d1303b12b6023069eAsterisk Project Security Advisory - A remotely exploitable crash vulnerability exists in the IAX2 channel driver if an established call is placed on hold without a suggested music class.
58df312830538efb7064340b0ec5a2811f9dbc943e1ac2e4e461efa35a6bc391Asterisk Project Security Advisory - A remotely exploitable crash vulnerability exists in the SIP channel driver if a SIP UPDATE request is processed within a particular window of time.
2f5947f61b2053c1b2b1488965d4ff29d455c8f4c71b6f1e91940a3f62d70d5fAsterisk Project Security Advisory - In the Skinny channel driver, KEYPAD_BUTTON_MESSAGE events are queued for processing in a buffer allocated on the heap, where each DTMF value that is received is placed on the end of the buffer. Since the length of the buffer is never checked, an attacker could send sufficient KEYPAD_BUTTON_MESSAGE events such that the buffer is overrun.
135fdb3c4091f47c3bd1cc61841154a28cbda243b8fb16a579ebff1ce30c23efAsterisk Project Security Advisory - A user of the Asterisk Manager Interface can bypass a security check and execute shell commands when they lack permission to do so. Under normal conditions, a user should only be able to run shell commands if that user has System class authorization. Users could bypass this restriction by using the MixMonitor application with the originate action or by using either the GetVar or Status manager actions in combination with the SHELL and EVAL functions. The patch adds checks in each affected action to verify if a user has System class authorization. If the user does not have those authorizations, Asterisk rejects the action if it detects the use of any functions or applications that run system commands.
98ea67fda37608ee4b744ee6c51c819b2fd3cdd1838c33bc4c08c48b26462701Asterisk Project Security Advisory - An attacker attempting to connect to an HTTP session of the Asterisk Manager Interface can send an arbitrarily long string value for HTTP Digest Authentication. This causes a stack buffer overflow, with the possibility of remote code injection.
e2f289b1d1ccc150638cf55526ad03a0ade669586f6824d9491acd1c5b1f3e05Asterisk Project Security Advisory - Asterisk suffers from an exploitable stack buffer overflow with locally defined data.
afe6cdb34e7dea854787ea6f21b9eaf0bb2776d9c897bab9bde9b63eb1091487Asterisk Project Security Advisory - It is possible to enumerate SIP usernames when the general and user/peer NAT settings differ in whether to respond to the port a request is sent from or the port listed for responses in the Via header. In 1.4 and 1.6.2, this would mean if one setting was nat=yes or nat=route and the other was either nat=no or nat=never. In 1.8 and 10, this would mean when one was nat=force_rport or nat=yes and the other was nat=no or nat=comedia.
dde4d639d451106635a87c7b3b2c41c2b6129d36252423186294aad787478c61Asterisk Project Security Advisory - Asterisk suffers from a denial of service vulnerability. When the "automon" feature is enabled in features.conf, it is possible to send a sequence of SIP requests that cause Asterisk to dereference a NULL pointer and crash.
764385423a3949867f23f34eab90bf1bd82d2c863303fda2cdc21b2469443b1cAsterisk Project Security Advisory - The SIP channel driver allows a remote authenticated user that ability to cause a crash with a malformed request due to an uninitialized variable.
b509eac1a7bd80f502154119179b97cc5f8a658de84afa82695934841ff6a9f2Asterisk Project Security Advisory - Asterisk may respond differently to SIP requests from an invalid SIP user than it does to a user configured on the system, even when the alwaysauthreject option is set in the configuration. This can leak information about what SIP users are valid on the Asterisk system.
5b60a5f0651dd793f221422ae84407ad379322998ba39d3b47a0a855e825710d
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed