Date: 02 April 2013
References: ESB-2013.0019
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2013.0459
Asterisk Project Security Advisory - AST-2013-002
2 April 2013
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Asterisk Open Source
Certified Asterisk
Asterisk Digiumphones
Publisher: Digium
Operating System: Windows
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Denial of Service -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2013-2686
Reference: ESB-2013.0019
Original Bulletin:
http://downloads.digium.com/pub/security/AST-2013-002.html
- --------------------------BEGIN INCLUDED TEXT--------------------
Asterisk Project Security Advisory - AST-2013-002
Product Asterisk
Summary Denial of Service in HTTP server
Nature of Advisory Denial of Service
Susceptibility Remote Unauthenticated Sessions
Severity Major
Exploits Known None
Reported On January 21, 2013
Reported By Christoph Hebeisen, TELUS Security Labs
Posted On March 27, 2013
Last Updated On March 27, 2013
Advisory Contact Mark Michelson <mmichelson AT digium DOT com>
CVE Name CVE-2013-2686
Description AST-2012-014 [1], fixed in January of this year, contained a
fix for Asterisk's HTTP server since it was susceptible to a
remotely-triggered crash.
The fix put in place fixed the possibility for the crash to be
triggered, but a possible denial of service still exists if an
attacker sends one or more HTTP POST requests with very large
Content-Length values.
[1]
http://downloads.asterisk.org/pub/security/AST-2012-014.html
Resolution Content-Length is now capped at a maximum value of 1024
bytes. Any attempt to send an HTTP POST with content-length
greater than this cap will not result in any memory
allocated. The POST will be responded to with an HTTP 413
"Request Entity Too Large" response.
Affected Versions
Product Release Series
Asterisk Open Source 1.8.x 1.8.19.1, 1.8.20.0, 1.8.20.1
Asterisk Open Source 10.x 10.11.1, 10.12.0, 10.12.1
Asterisk Open Source 11.x 11.1.2, 11.2.0, 11.2.1
Certified Asterisk 1.8.15 1.8.15-cert1
Asterisk Digiumphones 10.x-digiumphones 10.11.1-digiumphones,
10.12.0-digiumphones,
10.12.1-digiumphones
Corrected In
Product Release
Asterisk Open Source 1.8.20.2, 10.12.2, 11.2.2
Certified Asterisk 1.8.15-cert2
Asterisk Digiumphones 10.12.2-digiumphones
Patches
SVN URL Revision
http://downloads.asterisk.org/pub/security/AST-2012-014-1.8.diff Asterisk
1.8
http://downloads.asterisk.org/pub/security/AST-2012-014-10.diff Asterisk
10
http://downloads.asterisk.org/pub/security/AST-2012-014-11.diff Asterisk
11
http://downloads.asterisk.org/pub/security/AST-2012-014-1.8.15-cert.diff Certified
Asterisk
1.8.15
+------------------------------------------------------------------------+
| Links | https://issues.asterisk.org/jira/browse/ASTERISK-20967 |
| | http://telussecuritylabs.com/threats/show/TSL20130327-01 |
+------------------------------------------------------------------------+
Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security
This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2013-002.pdf and
http://downloads.digium.com/pub/security/AST-2013-002.html
Revision History
Date Editor Revisions Made
February 12, 2013 Mark Michelson Initial Draft
March 27, 2013 Matt Jordan Updated CVE
Asterisk Project Security Advisory - AST-2013-002
Copyright (c) 2013 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBUVpFy+4yVqjM2NGpAQLz5A//ZQrxhQef9a0qdr72BbtfaA7uVPKgzNu7
4Tw+9DWiSEMFGuyhMmxB9/JfN3YPxpYreEKpYmqTxfnQg+uM1SxKebu/dfV6u98z
/qAHvKRrYWAurn9KVrgP/GXhA4HqCKUkTne7YmW33AiXhd49TlBcdbGEvnVx6Pd2
gWFYVzpKFkQIbBHs36bNPhONhMs6JXG58q7NBNfIINpdN4g390+Q5CTgCQ2pXfNJ
JEuZIkTzQd2Kd+n32NBYYyi4tuYlLmorxINqH68TS3bmdeXJYYZPWqA8p2jdc0Nv
d1QC0pT0Kkh/LxVetqD5OM1GdfR6DWRnXDCkgpgX1XFOKCHEpkG3SYcM4I7Ko/hJ
mdA13oXbzdkd8yisMOAsWjjZsFTZEORpvx3S/lC49n9Ck7PezHoJNqPHugwqykQD
+32zLmASEeEImZnDzbWl6S36PCtPfTrsuWd1Z079HnIxB69cZb90gNKR03go7Rk5
f+F97HNcecjvlRZOXiwOm8loGoYxoERIvzv4k+okVpJdubokWylF7lnESm3DmsYB
95lgfMY56i9lUxBI4ZdtbE9ag/QK8Vl4+F78PjmoKjLmAjK/8fFRWECeAQDnyVJ2
Kz3QNHHOs4N12l/cBJCgUfHni/9FqSdANys67wkIdibMRxrsR9jw+o0Fhm0Rp1hJ
8K52uGj4xqg=
=+X+L
-----END PGP SIGNATURE-----
|