===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.6288
             Asterisk Project Security Advisory - AST-2022-008
                              2 December 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Asterisk Open Source
                   Certified Asterisk
Publisher:         Asterisk
Operating System:  UNIX variants (UNIX, Linux, OSX)
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-42705  

Original Bulletin: 
   http://downloads.asterisk.org/pub/security/AST-2022-008.html

Comment: CVSS (Max):  None available when published

---------------------------BEGIN INCLUDED TEXT--------------------

Asterisk Project Security Advisory    AST-2022-008

Product            Asterisk

Summary            Use after free in res_pjsip_pubsub.c

Nature of Advisory Denial of Service

Susceptibility     Remote Authenticated Sessions

Severity           Minor

Exploits Known     No

Reported On        September 23, 2022

Reported By        Nappsoft

Posted On

Last Updated On    November 29, 2022

Advisory Contact   g joseph AT sangoma DOT com

CVE Name           CVE-2022-42705



Description       Use after free in res_pjsip_pubsub.c may allow a remote authenticated
                  attacker to crash Asterisk (denial of service) by performing activity on a
                  subscription via a reliable transport at the same time Asterisk is also
                  performing activity on that subscription.

Modules Affected  res_pjsip_pubsub.c, res_pjsip_outbound_registration.c,
                  pjsip_transport_events.c


Resolution        Modules have been updated to ensure concurrent activity is properly serialized
                  to prevent the use-after-free.


Affected Versions

Product                         Release Series

Asterisk Open Source            16.x        All Versions

Asterisk Open Source            18.x        All Versions

Asterisk Open Source            19.x        All Versions

Asterisk Open Source            20.x        All Versions

Certified Asterisk              18.9        All Versions


Corrected In

Product                         Release

Asterisk Open Source            6.29.1

Asterisk Open Source            18.15.1

Asterisk Open Source            19.7.1

Asterisk Open Source            20.0.1

Certified Asterisk              18.9-cert3
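A small checker that encodes the Affected Versions and Corrected In tables above and tells an operator whether a given Asterisk version string is fixed or still vulnerable to AST-2022-008. This is an added example, not Asterisk project code; it assumes the "6.29.1" entry printed for the 16.x series is 16.29.1.

```python
"""Classify an Asterisk version string against the AST-2022-008 (CVE-2022-42705)
Corrected In table. Added example; not part of the advisory or of Asterisk."""
import re
from typing import Optional, Tuple

# First fixed release per series, from the advisory's "Corrected In" table.
# ASSUMPTION: the advisory prints "6.29.1" for the 16.x series; taken as 16.29.1.
CORRECTED_IN = {
    ("Asterisk Open Source", "16"): "16.29.1",
    ("Asterisk Open Source", "18"): "18.15.1",
    ("Asterisk Open Source", "19"): "19.7.1",
    ("Asterisk Open Source", "20"): "20.0.1",
    ("Certified Asterisk", "18.9"): "18.9-cert3",
}

# Accepts "16.29.1", "20.0", and Certified builds such as "18.9-cert3".
_VER_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-cert(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn a version string into a comparable (major, minor, patch, cert) tuple."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Asterisk version: {text!r}")
    major, minor, patch, cert = m.groups()
    return (int(major), int(minor), int(patch or 0), int(cert or 0))


def classify(version: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unlisted' for an installed version."""
    v = parse_version(version)
    if "-cert" in version:
        key = ("Certified Asterisk", f"{v[0]}.{v[1]}")   # series is major.minor
    else:
        key = ("Asterisk Open Source", str(v[0]))        # series is the major only
    fixed: Optional[str] = CORRECTED_IN.get(key)
    if fixed is None:
        return "unlisted"   # series not covered by the advisory (e.g. 17.x)
    return "fixed" if v >= parse_version(fixed) else "vulnerable"


if __name__ == "__main__":
    for sample in ("18.15.0", "18.15.1", "18.9-cert2", "18.9-cert3", "17.9.4"):
        print(f"{sample:<12} {classify(sample)}")
```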


Patches

Patch URL                                                       Revision

https://downloads.digium.com/pub/security/AST-2022-008-16.diff  Asterisk 16

https://downloads.digium.com/pub/security/AST-2022-008-18.diff  Asterisk 18

https://downloads.digium.com/pub/security/AST-2022-008-19.diff  Asterisk 19

https://downloads.digium.com/pub/security/AST-2022-008-20.diff  Asterisk 20

https://downloads.digium.com/pub/security/AST-2022-008-18.9.diff  Certified Asterisk 18.9



Links          https://issues.asterisk.org/jira/browse/ASTERISK-30244

               https://downloads.asterisk.org/pub/security/AST-2022-008.html


Asterisk Project Security Advisories are posted at https://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version
will be posted at https://downloads.digium.com/pub/security/AST-2022-008.pdf
and https://downloads.digium.com/pub/security/AST-2022-008.html


Revision History

Date                 Editor                     Revisions Made

November 29, 2022    George Joseph              Initial Revision


              Asterisk Project Security Advisory    AST-2022-008
       Copyright (C) 2022 Sangoma Technologies, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

---------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================