Date: 20 December 2011
References: ESB-2011.1268
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2011.1231.2
Two Asterisk vulnerabilities found and patched
20 December 2011
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Asterisk
Publisher: Asterisk
Operating System: UNIX variants (UNIX, Linux, OSX)
Impact/Access: Access Privileged Data -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2011-4598 CVE-2011-4597
Reference: ESB-2011.1268
Original Bulletin:
http://downloads.asterisk.org/pub/security/AST-2011-013.pdf
http://downloads.asterisk.org/pub/security/AST-2011-014.pdf
Comment: This bulletin contains two (2) Asterisk security advisories.
Revision History: December 20 2011: CVE numbers have been assigned
December 12 2011: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
Asterisk Project Security Advisory - AST-2011-013
Product Asterisk
Summary Possible remote enumeration of SIP endpoints with
differing NAT settings
Nature of Advisory Unauthorized data disclosure
Susceptibility Remote unauthenticated sessions
Severity Minor
Exploits Known Yes
Reported On 2011-07-18
Reported By Ben Williams
Posted On
Last Updated On December 7, 2011
Advisory Contact Terry Wilson <twilson@digium.com>
CVE Name
Description It is possible to enumerate SIP usernames when the general
and user/peer NAT settings differ in whether to respond to
the port a request is sent from or the port listed for
responses in the Via header. In 1.4 and 1.6.2, this would
mean if one setting was nat=yes or nat=route and the other
was either nat=no or nat=never. In 1.8 and 10, this would
mean when one was nat=force_rport or nat=yes and the other
was nat=no or nat=comedia.
Resolution Handling NAT for SIP over UDP requires the differing
behavior introduced by these options.
To lessen the frequency of unintended username disclosure,
the default NAT setting was changed to always respond to the
port from which we received the request-the most commonly
used option.
Warnings were added on startup to inform administrators of
the risks of having a SIP peer configured with a different
setting than that of the general setting. The documentation
now strongly suggests that peers are no longer configured
for NAT individually, but through the global setting in the
"general" context.
Affected Versions
Product Release Series
Asterisk Open Source All All versions
Corrected In
As this is more of an issue with SIP over UDP in general, there is no
fix supplied other than documentation on how to avoid the problem. The
default NAT setting has been changed to what we believe the most
commonly used setting for the respective version in Asterisk 1.4.43,
1.6.2.21, and 1.8.7.2.
Links
Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security
This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2011-013.pdf and
http://downloads.digium.com/pub/security/AST-2011-013.html
Revision History
Date Editor Revisions Made
Asterisk Project Security Advisory - AST-2011-013
Copyright (c) 2011 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
- ------------------------------------------------------------------------------
Asterisk Project Security Advisory - AST-2011-014
Product Asterisk
Summary Remote crash possibility with SIP and the "automon"
feature enabled
Nature of Advisory Remote crash vulnerability in a feature that is
disabled by default
Susceptibility Remote unauthenticated sessions
Severity Moderate
Exploits Known Yes
Reported On November 2, 2011
Reported By Kristijan Vrban
Posted On 2011-11-03
Last Updated On December 7, 2011
Advisory Contact Terry Wilson <twilson@digium.com>
CVE Name
Description When the "automon" feature is enabled in features.conf, it
is possible to send a sequence of SIP requests that cause
Asterisk to dereference a NULL pointer and crash.
Resolution Applying the referenced patches that check that the pointer
is not NULL before accessing it will resolve the issue. The
"automon" feature can be disabled in features.conf as a
workaround.
Affected Versions
Product Release Series
Asterisk Open Source 1.6.2.x All versions
Asterisk Open Source 1.8.x All versions
Corrected In
Product Release
Asterisk Open Source 1.6.2.21, 1.8.7.2
Patches
Download URL Revision
http://downloads.asterisk.org/pub/security/AST-2011-014-1.6.2.diff 1.6.2.20
http://downloads.asterisk.org/pub/security/AST-2011-014-1.8.diff 1.8.7.1
Links
Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security
This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2011-014.pdf and
http://downloads.digium.com/pub/security/AST-2011-014.html
Revision History
Date Editor Revisions Made
Asterisk Project Security Advisory - AST-2011-014
Copyright (c) 2011 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBTu/fme4yVqjM2NGpAQLUgQ//ZPbp4TZ//L7HARV/z+otGnFB5GR/Pw6h
uWpvjyJuDn706G3ahjTf8S+VBjPF3qqEEBjR7b1PBipp4efFHYsGKZk/V78kQqU9
Yz1Fv1wxenyc8W5FRTCMKF6yVrI9eWz3KDyLkpWAmSg7tUTqchHYq+UORqairlmx
+BmquslzCphh4RK9ok2mbyHp9Gs3sR3VLhUkk1Cq/oMFyWpKK0hXP7dPWxDPUIC7
g5dyFij1js1uV5kzzWdj97WMUtHp6slG97Iq/Pm5B8XjySwLO1BAaVO3/mW2VVVU
CN1WeG/rS1HVqQEdoF1oQLF799acxlyoetilCC3i3AkVO3M8iO/Y60EFc7TymOA6
ifEZQ0uYVzqR8KcdiPa93Sh0+68ZijdxeQCY5v/dA/mWE+alUanC2DQimlBooKyI
+26YtVIs2lhOumj4CYdSFS2BcV1oopYNz+rVFBRpGu76rYM0VanCeMLetaoBxyjj
6KGUplwTvH6tJSvZBZLcDq8eFAb2pzkEaqaOLQkX/6iCeruuDz8fk5SVQ3DnlK3M
7BrlrKfp2HfRwegyqlUKzFZMBAyRoy5EFqFIOktEDGhkEqKctFKxubG32cuzmqMk
9kMFGCf4tayo1VfqzOJ20t+mdKS/b0wcXMMYIc0mMeIb/6LKBIyaQvvs/Xke2mN7
H/8GBCa/6vQ=
=afJr
-----END PGP SIGNATURE-----
|