Given a scenario where an outgoing call is placed from Asterisk to a remote SIP server it is possible for a crash to occur. The code responsible for negotiating SDP in SIP responses incorrectly assumes that SDP negotiation will always be successful. If a SIP response containing an SDP that can not be negotiated is received a subsequent SDP negotiation on the same call can cause a crash.
a598689c226c0f0b2be7c0f2f5f641be7af78caf65f348109e0446002e06d18f
Asterisk Project Security Advisory - A remote crash can be triggered by sending a SIP packet to Asterisk with a specially crafted CSeq header and a Via header with no branch parameter. The issue is that the PJSIP RFC 2543 transaction key generation algorithm does not allocate a large enough buffer. By overrunning the buffer, the memory allocation table becomes corrupted, leading to an eventual crash.
60ef218a0c056d6aec0776e903fa217b0958d9a103decc2e014f49f5d98412d9
Asterisk Project Security Advisory - No size checking is done when setting the user field on a CDR. Thus, it is possible for someone to use an arbitrarily large string and write past the end of the user field storage buffer. This allows the possibility of remote code injection.
4f394dc143a808e8b1929549291dac026ba69e8dc9fd92c43b3dff47220e1290
Asterisk Project Security Advisory - If an SDP offer or answer is received with the Opus codec and with the format parameters separated using a space the code responsible for parsing will recursively call itself until it crashes. This occurs as the code does not properly handle spaces separating the parameters. This does NOT require the endpoint to have Opus configured in Asterisk. This also does not require the endpoint to be authenticated. If guest is enabled for chan_sip or anonymous in chan_pjsip an SDP offer or answer is still processed and the crash occurs.
2a073eeba4b82f770c34c9371cc94f0c63cbd409c8022691691eeb71c498ae9d
Asterisk Project Security Advisory - The chan_sip channel driver has a liberal definition for whitespace when attempting to strip the content between a SIP header name and a colon character. Rather than following RFC 3261 and stripping only spaces and horizontal tabs, Asterisk treats any non-printable ASCII character as if it were whitespace.
09dc558d0dc500657f84397b2183696f7dff962f91ac1d27039bfe9a9157f5a9
Asterisk Project Security Advisory - On September 8, the Asterisk development team released the AST-2016-007 security advisory. The security advisory involved an RTP resource exhaustion that could be targeted due to a flaw in the "allowoverlap" option of chan_sip. Due to new information presented to the Asterisk team by Walter Doekes, they have made updates to the advisory.
570e74e1a02b9da9c957b15a54db607f1a0d2d9692d3bdfc29f57249f8d22599
Asterisk Project Security Advisory - The overlap dialing feature in chan_sip allows chan_sip to report to a device that the number that has been dialed is incomplete and more digits are required. If this functionality is used with a device that has performed username/password authentication RTP resources are leaked. This occurs because the code fails to release the old RTP resources before allocating new ones in this scenario. If all resources are used then RTP port exhaustion will occur and no RTP sessions are able to be set up.
97fcad4b2cc395997d99694e3df652f77ddb75c1bf9f3258efb47206a678a1c1
Asterisk Project Security Advisory - Asterisk can be crashed remotely by sending an ACK to it from an endpoint username that Asterisk does not recognize. Most SIP request types result in an "artificial" endpoint being looked up, but ACKs bypass this lookup. The resulting NULL pointer results in a crash when attempting to determine if ACLs should be applied. This issue was introduced in the Asterisk 13.10 release and only affects that release.
4fed701bc3c34b63cb35edd8fe1f32e85f372f14481d360d07df779759acb717
Asterisk Project Security Advisory - PJProject has a limit on the number of TCP connections that it can accept. Furthermore, PJProject does not close TCP connections it accepts. By default, this value is approximately 60. An attacker can deplete the number of allowed TCP connections by opening TCP connections and sending no data to Asterisk. If PJProject has been compiled in debug mode, then once the number of allowed TCP connections has been depleted, the next attempted TCP connection to Asterisk will crash due to an assertion in PJProject. If PJProject has not been compiled in debug mode, then any further TCP connection attempts will be rejected. This makes Asterisk unable to process TCP SIP traffic. Note that this only affects TCP/TLS, since UDP is connectionless. Also note that this does not affect chan_sip.
122646434ef3ffdbf4f736e5ba7648af84f7dff43cfe57162960b91becc450fd
Asterisk Project Security Advisory - Asterisk may crash when processing an incoming REGISTER request if that REGISTER contains a Contact header with a lengthy URI. This crash will only happen for requests that pass authentication. Unauthenticated REGISTER requests will not result in a crash occurring. This vulnerability only affects Asterisk when using PJSIP as its SIP stack. The chan_sip module does not have this problem.
afafbceea5744913691ffdaa1e188cde546064b48141faa603d4ecb51464d088
Asterisk Project Security Advisory - If no UDPTL packets are lost there is no problem. However, a lost packet causes Asterisk to use the available error correcting redundancy packets. If those redundancy packets have zero length then Asterisk uses an uninitialized buffer pointer and length value which can cause invalid memory accesses later when the packet is copied.
d61d75b2607cad2c038cf03c5bb97339a5ed2401ece282ee0a7010c19c84efbf
Asterisk Project Security Advisory - Setting the sip.conf timert1 value to a value higher than 1245 can cause an integer overflow and result in large retransmit timeout times. These large timeout values hold system file descriptors hostage and can cause the system to run out of file descriptors.
c3a9d55b8722a6698270f1449a33fc8ad65f440df0576b6607a8cd998bdbc47e
Asterisk Project Security Advisory - The Asterisk HTTP server currently has a default configuration which allows the BEAST vulnerability to be exploited if the TLS functionality is enabled. This can allow a man-in-the-middle attack to decrypt data passing through it.
6c3e6ff53bbb942a49afc289970e7d998f9f519da49bdeaeadd6a6a039422b8e
Asterisk Project Security Advisory - When Asterisk registers to a SIP TLS device and and verifies the server, Asterisk will accept signed certificates that match a common name other than the one Asterisk is expecting if the signed certificate has a common name containing a null byte after the portion of the common name that Asterisk expected.
b08ef4b3d0f8ba0061a7cd3e5a8e37967a3286590dcc31a21c17c24ecb06371e
Asterisk Project Security Advisory - CVE-2014-8150 reported an HTTP request injection vulnerability in libcURL. Asterisk uses libcURL in its func_curl.so module (the CURL() dialplan function), as well as its res_config_curl.so (cURL realtime backend) modules. Since Asterisk may be configured to allow for user-supplied URLs to be passed to libcURL, it is possible that an attacker could use Asterisk as an attack vector to inject unauthorized HTTP requests if the version of libcURL installed on the Asterisk server is affected by CVE-2014-8150.
29b34a38aceb27270a9742ce1a2328d92a59cc3a2103a91b0fcb2d89ef89580a
Asterisk Project Security Advisory - Asterisk may be configured to only allow specific audio or video codecs to be used when communicating with a particular endpoint. When an endpoint sends an SDP offer that only lists codecs not allowed by Asterisk, the offer is rejected. However, in this case, RTP ports that are allocated in the process are not reclaimed. This issue only affects the PJSIP channel driver in Asterisk. Users of the chan_sip channel driver are not affected. As the resources are allocated after authentication, this issue only affects communications with authenticated endpoints.
e9d6055114e8feed6c629f9b504bd51b2f5d85998f7eb3481512d7fdd54bfc05
Asterisk Project Security Advisory - When handling a WebSocket frame the res_http_websocket module dynamically changes the size of the memory used to allow the provided payload to fit. If a payload length of zero was received the code would incorrectly attempt to resize to zero. This operation would succeed and end up freeing the memory but be treated as a failure. When the session was subsequently torn down this memory would get freed yet again causing a crash. Users of the WebSocket functionality also did not take into account that provided text frames are not guaranteed to be NULL terminated. This has been fixed in chan_sip and chan_pjsip in the applicable versions.
1868539f0faf6bdd956adbc2ca0137de48c00afcc3285083d11a021aa2b17658
Asterisk Project Security Advisory - The DB dialplan function when executed from an external protocol (for instance AMI), could result in a privilege escalation.
5f6de459bd80960c973e40d53339c46b02b67d9db5559130f299530051f16340
Asterisk Project Security Advisory - The CONFBRIDGE dialplan function when executed from an external protocol (for instance AMI), could result in a privilege escalation. Also, the AMI action "ConfbridgeStartRecord" could also be used to execute arbitrary system commands without first checking for system access.
eebc8eabd10dc9e3b8bc9523e239a9374c0d69bf823e68db757ae0b2b1368d33
Asterisk Project Security Advisory - When handling an INVITE with Replaces message the res_pjsip_refer module incorrectly assumes that it will be operating on a channel that has just been created. If the INVITE with Replaces message is sent in-dialog after a session has been established this assumption will be incorrect. The res_pjsip_refer module will then hang up a channel that is actually owned by another thread. When this other thread attempts to use the just hung up channel it will end up using freed channel which will likely cause a crash.
15a4222dbf1ccd2736fba02c722a20bb0de7e9d45367175f41e820c972765349
Asterisk Project Security Advisory - The chan_pjsip channel driver uses a queue approach for actions relating to SIP sessions. There exists a race condition where actions may be queued to answer a session or send ringing AFTER a SIP session has been terminated using a CANCEL request. The code will incorrectly assume that the SIP session is still active and attempt to send the SIP response. The PJSIP library does not expect the SIP session to be in the disconnected state when sending the response and asserts.
55c0f051137922494f6ce7feebfbe8e1ea4b9b2169a67c126fdff6d43bda124a
Asterisk Project Security Advisory - The ConfBridge application uses an internal bridging API to implement conference bridges. This internal API uses a state model for channels within the conference bridge and transitions between states as different things occur. Under load it is possible for some state transitions to be delayed causing the channel to transition from being hung up to waiting for media. As the channel has been hung up remotely no further media will arrive and the channel will stay within ConfBridge indefinitely.
84eb5f3fb7ddc9a0f5ee17c933a15f1ce01cc2ecc88d2c7325407f4bef03640b
Asterisk Project Security Advisory - The Asterisk module res_pjsip_acl provides the ability to configure ACLs that may be used to reject SIP requests from various hosts. In affected versions of Asterisk, this module fails to create and apply ACLs defined in pjsip.conf. This may be worked around by reloading res_pjsip manually after res_pjsip_acl is loaded.
b3b03fb6b4fdfbb86b064255aefc3988d26b8846fa6491e95caf916c96308e46
Asterisk Project Security Advisory - Many modules in Asterisk that service incoming IP traffic have ACL options ("permit" and "deny") that can be used to whitelist or blacklist address ranges. A bug has been discovered where the address family of incoming packets is only compared to the IP address family of the first entry in the list of access control rules. If the source IP address for an incoming packet is not of the same address family as the first ACL entry, that packet bypasses all ACL rules. For ACLs whose rules are all of the same address family, there is no issue.
d63dbc1f4a1555e213fdaf8b7170df0e1ef4f9f7d5de91107a8f9832f1027a68
Asterisk Project Security Advisory - Asterisk suffered from the SSL POODLE vulnerability.
f3393b5e599a0d63b52314b6cb1f7808ffb0f59894dcb498c686d60e147cb6d3
Asterisk Project Security Advisory - When an out of call message - delivered by either the SIP or PJSIP channel driver or the XMPP stack - is handled in Asterisk, a crash can occur if the channel servicing the message is sent into the ReceiveFax dialplan application while using the res_fax_spandsp module. Note that this crash does not occur when using the res_fax_digium module. While this crash technically occurs due to a configuration issue, as attempting to receive a fax from a channel driver that only contains textual information will never succeed, the likelihood of having it occur is sufficiently high as to warrant this advisory.
83253f08b336ac5b6aac9462d511a7478d879722c5b915b26d3b93cf9082d978