When an outgoing call is placed from Asterisk to a remote SIP server, it is possible for a crash to occur. The code responsible for negotiating SDP in SIP responses incorrectly assumes that SDP negotiation will always be successful. If a SIP response containing an SDP that cannot be negotiated is received, a subsequent SDP negotiation on the same call can cause a crash.
Asterisk Project Security Advisory - A remotely exploitable crash vulnerability exists in the SIP channel driver if a SIP UPDATE request is processed within a particular window of time.
Asterisk Project Security Advisory - In the Skinny channel driver, KEYPAD_BUTTON_MESSAGE events are queued for processing in a buffer allocated on the heap, where each DTMF value that is received is placed on the end of the buffer. Since the length of the buffer is never checked, an attacker could send sufficient KEYPAD_BUTTON_MESSAGE events such that the buffer is overrun.
Asterisk Project Security Advisory - A user of the Asterisk Manager Interface can bypass a security check and execute shell commands when they lack permission to do so. Under normal conditions, a user should only be able to run shell commands if that user has System class authorization. Users could bypass this restriction by using the MixMonitor application with the originate action or by using either the GetVar or Status manager actions in combination with the SHELL and EVAL functions. The patch adds checks in each affected action to verify if a user has System class authorization. If the user does not have those authorizations, Asterisk rejects the action if it detects the use of any functions or applications that run system commands.
Asterisk Project Security Advisory - An attacker attempting to connect to an HTTP session of the Asterisk Manager Interface can send an arbitrarily long string value for HTTP Digest Authentication. This causes a stack buffer overflow, with the possibility of remote code injection.
Asterisk Project Security Advisory - Asterisk suffers from an exploitable stack buffer overflow with locally defined data.
Asterisk Project Security Advisory - It is possible to enumerate SIP usernames when the general and user/peer NAT settings differ in whether to respond to the port a request is sent from or the port listed for responses in the Via header. In 1.4 and 1.6.2, this would mean if one setting was nat=yes or nat=route and the other was either nat=no or nat=never. In 1.8 and 10, this would mean when one was nat=force_rport or nat=yes and the other was nat=no or nat=comedia.
Asterisk Project Security Advisory - Asterisk suffers from a denial of service vulnerability. When the "automon" feature is enabled in features.conf, it is possible to send a sequence of SIP requests that cause Asterisk to dereference a NULL pointer and crash.
Asterisk Project Security Advisory - The SIP channel driver allows a remote authenticated user the ability to cause a crash with a malformed request due to an uninitialized variable.
Asterisk Project Security Advisory - Asterisk may respond differently to SIP requests from an invalid SIP user than it does to a user configured on the system, even when the alwaysauthreject option is set in the configuration. This can leak information about what SIP users are valid on the Asterisk system.
Asterisk Project Security Advisory - If a remote user initiates a SIP call and the recipient picks up, the remote user can reply with a malformed Contact header that Asterisk will improperly handle and cause a crash due to a segmentation fault.
Asterisk Project Security Advisory - It is possible for a user of the Asterisk Manager Interface to bypass a security check and execute shell commands when they should not have that ability. Sending the "Async" header together with the "Application" header during an Originate action allows authenticated manager users to execute shell commands. Only users with the "system" privilege should be able to do this.
Asterisk Project Security Advisory - On systems that have the Asterisk Manager Interface, Skinny, SIP over TCP, or the built-in HTTP server enabled, it is possible for an attacker to open as many connections to Asterisk as they wish. This will cause Asterisk to run out of available file descriptors and stop processing any new calls. Additionally, disk space can be exhausted as Asterisk logs failures to open new file descriptors.
Asterisk Project Security Advisory - The Asterisk TCP/TLS server suffers from a denial of service vulnerability. Versions 1.6.1.x, 1.6.2.x, and 1.8.x are all affected.
Asterisk Project Security Advisory - The Asterisk Manager Interface suffers from a denial of service vulnerability. Versions 1.6.1.x, 1.6.2.x, and 1.8.x are all affected.
Asterisk Project Security Advisory - When decoding UDPTL packets, multiple stack and heap based arrays can be made to overflow by specially crafted packets. Systems doing T.38 pass through or termination are vulnerable.
Asterisk Project Security Advisory - When forming an outgoing SIP request while in pedantic mode, a stack buffer can be made to overflow if supplied with carefully crafted caller ID information. This vulnerability also affects the URIENCODE dialplan function and, in some versions of Asterisk, the AGI dialplan application as well. The ast_uri_encode function does not properly respect the size of its output buffer and can write past the end of it when encoding URIs.
Asterisk Project Security Advisory - Host access rules using permit= and deny= configurations behave unpredictably if the CIDR notation /0 is used. Depending on the system's behavior, this may act as desired, but in other cases it might not, thereby allowing access from hosts that should be denied.
Asterisk Project Security Advisory - A common usage of the ${EXTEN} channel variable in a dialplan with wildcard pattern matches can lead to a possible string injection vulnerability. By having a wildcard match in a dialplan, it is possible to allow unintended calls to be executed.
Asterisk Project Security Advisory - An attacker attempting to negotiate T.38 over SIP can remotely crash Asterisk by modifying the FaxMaxDatagram field of the SDP to contain either a negative or exceptionally large value. The same crash occurs when the FaxMaxDatagram field is omitted from the SDP as well.
Asterisk Project Security Advisory - An attacker sending a valid RTP comfort noise payload containing a data length of 24 bytes or greater can remotely crash Asterisk.
Asterisk Project Security Advisory - Asterisk includes a demonstration AJAX-based manager interface, ajamdemo.html, which uses the prototype.js framework. An issue was uncovered in this framework which could allow someone to execute a cross-site AJAX request exploit.
Asterisk Project Security Advisory - It is possible to determine if a peer with a specific name is configured in Asterisk by sending a specially crafted REGISTER message twice. The username that is to be checked is put in the user portion of the URI in the To header. A bogus non-matching value is put into the username portion of the Digest in the Authorization header. If the peer does exist the second REGISTER will receive a response of "403 Authentication user name does not match account name". If the peer does not exist the response will be "404 Not Found" if alwaysauthreject is disabled and "401 Unauthorized" if alwaysauthreject is enabled.
Asterisk Project Security Advisory - A missing ACL check for handling SIP INVITEs allows a device to make calls on networks intended to be prohibited as defined by the "deny" and "permit" lines in sip.conf. The ACL check for handling SIP registrations was not affected.
Asterisk Project Security Advisory - The IAX2 protocol uses a call number to associate messages with the call that they belong to. However, the protocol defines the call number field in messages as a fixed-size 15-bit field, so if all call numbers are in use, no additional sessions can be handled. A call number is created at the start of an IAX2 message exchange, so an attacker can send a large number of messages and consume the call number space. The attack is also possible using spoofed source IP addresses, as no handshake is required before a call number is assigned.
Asterisk Project Security Advisory - On certain implementations of libc, the scanf family of functions uses an unbounded amount of stack memory to repeatedly allocate string buffers prior to conversion to the target type. Coupled with Asterisk's allocation of thread stack sizes that are smaller than the default, an attacker may exhaust stack memory in the SIP stack network thread by presenting excessively long numeric strings in various fields.