ESB-2018.0586.2 - UPDATE [Win][UNIX/Linux] Asterisk: Denial of service - Existing account 2018-03-12


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2018.0586.2
                    Asterisk Project Security Advisory
                               12 March 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Asterisk
Publisher:         Digium
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Denial of Service -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-1000099 CVE-2018-1000098 CVE-2018-7286
                   CVE-2018-7284  

Original Bulletin: 
   http://downloads.asterisk.org/pub/security/AST-2018-002.html
   http://downloads.asterisk.org/pub/security/AST-2018-003.html
   http://downloads.asterisk.org/pub/security/AST-2018-004.html
   http://downloads.asterisk.org/pub/security/AST-2018-005.html

Revision History:  March    12 2018: Added CVEs to two advisories.
                   February 28 2018: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

               Asterisk Project Security Advisory - AST-2018-002

       Product         Asterisk

       Summary         Crash when given an invalid SDP media format description

 Nature of Advisory    Remote crash

   Susceptibility      Remote Authenticated Sessions

      Severity         Minor

   Exploits Known      No

     Reported On       January 15, 2018

     Reported By       Sandro Gauci

      Posted On        February 21, 2018

   Last Updated On     February 19, 2018

  Advisory Contact     Kevin Harwell <kharwell AT digium DOT com>

      CVE Name         CVE-2018-1000098



     Description       An SDP message with an invalid media format description crashes Asterisk
                       when the pjsip channel driver is in use, because pjproject's SDP parsing
                       algorithm fails to catch the invalid media format description.


                       The severity of this vulnerability is lessened because an endpoint must be
                       authenticated before reaching the crash point, unless the endpoint is
                       configured with no authentication.


     Resolution        Stricter validation is now done when pjproject parses an SDP's media format
                       description. Invalid values are now properly handled.


                               Affected Versions

              Product                  Release Series

       Asterisk Open Source             13.x      All Releases

       Asterisk Open Source             14.x      All Releases

       Asterisk Open Source             15.x      All Releases

        Certified Asterisk              13.18     All Releases


                                 Corrected In

       Product                                             Release

       Asterisk Open Source                              13.19.2, 14.7.6, 15.2.2

       Certified Asterisk                                13.18-cert3


                                    Patches

       SVN URL                                                          Revision

       http://downloads.asterisk.org/pub/security/AST-2018-002-13.diff     Asterisk 13

       http://downloads.asterisk.org/pub/security/AST-2018-002-14.diff     Asterisk 14

       http://downloads.asterisk.org/pub/security/AST-2018-002-15.diff     Asterisk 15

       http://downloads.asterisk.org/pub/security/AST-2018-002-13.18.diff  Certified Asterisk 13.18


       Links          https://issues.asterisk.org/jira/browse/ASTERISK-27582


Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version
will be posted at http://downloads.digium.com/pub/security/AST-2018-002.pdf and
http://downloads.digium.com/pub/security/AST-2018-002.html


                               Revision History

Date                 Editor                     Revisions Made

January 30, 2018     Kevin Harwell              Initial Revision


               Asterisk Project Security Advisory - AST-2018-002
              Copyright (C) 2018 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

----------------------------------------------------------------------------------
               Asterisk Project Security Advisory - AST-2018-003

       Product         Asterisk

       Summary         Crash with an invalid SDP fmtp attribute

 Nature of Advisory    Remote crash

   Susceptibility      Remote Authenticated Sessions

      Severity         Minor

   Exploits Known      No

     Reported On       January 15, 2018

     Reported By       Sandro Gauci

      Posted On        February 21, 2018

   Last Updated On     February 19, 2018

  Advisory Contact     Kevin Harwell <kharwell AT digium DOT com>

      CVE Name         CVE-2018-1000099



     Description       An SDP message body with an invalid fmtp attribute crashes Asterisk when the
                       pjsip channel driver is in use, because pjproject's fmtp retrieval function
                       fails to check whether the fmtp value is empty (the value is set to empty if
                       it was previously parsed as invalid).


                       The severity of this vulnerability is lessened because an endpoint must be
                       authenticated before reaching the crash point, unless the endpoint is
                       configured with no authentication.


     Resolution        A stricter check is now done when pjproject retrieves the fmtp attribute. Empty
                       values are now properly handled.


                               Affected Versions

              Product                  Release Series

       Asterisk Open Source             13.x      All Releases

       Asterisk Open Source             14.x      All Releases

       Asterisk Open Source             15.x      All Releases

        Certified Asterisk              13.18     All Releases


                                 Corrected In

       Product                                             Release

       Asterisk Open Source                              13.19.2, 14.7.6, 15.2.2

       Certified Asterisk                                13.18-cert3


                                    Patches

       SVN URL                                                          Revision

       http://downloads.asterisk.org/pub/security/AST-2018-003-13.diff     Asterisk 13

       http://downloads.asterisk.org/pub/security/AST-2018-003-14.diff     Asterisk 14

       http://downloads.asterisk.org/pub/security/AST-2018-003-15.diff     Asterisk 15

       http://downloads.asterisk.org/pub/security/AST-2018-003-13.18.diff  Certified Asterisk 13.18


       Links          https://issues.asterisk.org/jira/browse/ASTERISK-27583


Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version
will be posted at http://downloads.digium.com/pub/security/AST-2018-003.pdf and
http://downloads.digium.com/pub/security/AST-2018-003.html


                               Revision History

Date                 Editor                     Revisions Made

January 30, 2018     Kevin Harwell              Initial Revision


               Asterisk Project Security Advisory - AST-2018-003
              Copyright (C) 2018 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

----------------------------------------------------------------------------------
               Asterisk Project Security Advisory - AST-2018-004

       Product         Asterisk

       Summary         Crash when receiving SUBSCRIBE request

 Nature of Advisory    Remote Crash

   Susceptibility      Remote Unauthenticated Sessions

      Severity         Major

   Exploits Known      No

     Reported On       January 30, 2018

     Reported By       Sandro Gauci

      Posted On        February 21, 2018

   Last Updated On     February 21, 2018

  Advisory Contact     Joshua Colp <jcolp AT digium DOT com>

      CVE Name         CVE-2018-7284



     Description       When processing a SUBSCRIBE request the res_pjsip_pubsub module stores the
                       accepted formats present in the Accept headers of the request. This code did
                       not limit the number of headers it processed despite having a fixed limit of
                       32. If more than 32 Accept headers were present the code would write outside
                       the bounds of its storage and cause a crash.


     Resolution        The res_pjsip_pubsub module has been changed to enforce a limit on the maximum
                       number of Accept headers it will process. To receive this change upgrade to the
                       version of Asterisk where this is resolved or apply the appropriate provided
                       patch.
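A screen for the two message-level conditions described above, the empty a=fmtp value of AST-2018-003 and the more-than-32 Accept entries of AST-2018-004, written as an added example for this bulletin rather than code from Asterisk or pjproject. It assumes a captured SIP message as text; the sample messages, hosts and SDP values are constructed, and Accept entries are counted conservatively (each header line and each comma-separated value counts as one).

```python
import re

MAX_ACCEPT_HEADERS = 32  # the fixed limit named in AST-2018-004


def split_sip_message(raw):
    """Split a SIP message into (header lines, body) at the first blank line."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    return head.split("\n"), body


def count_accept_values(header_lines):
    """Count Accept entries conservatively: every Accept header line and every
    comma-separated value inside one counts as a separate entry."""
    total = 0
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "accept":
            total += sum(1 for v in value.split(",") if v.strip())
    return total


def empty_fmtp_lines(body):
    """Return SDP a=fmtp lines that carry no parameters (the AST-2018-003 case)."""
    return [ln.strip() for ln in body.split("\n")
            if re.fullmatch(r"a=fmtp:\S*\s*", ln.strip())]


def screen_sip_message(raw):
    """Return findings for the two advisory conditions; an empty list is clean."""
    headers, body = split_sip_message(raw)
    findings = []
    n = count_accept_values(headers)
    if n > MAX_ACCEPT_HEADERS:
        findings.append(f"accept-count:{n}")
    findings.extend(f"empty-fmtp:{ln}" for ln in empty_fmtp_lines(body))
    return findings


# Constructed samples; the hosts and SDP values are made up for this example.
SUBSCRIBE_33 = ("SUBSCRIBE sip:alice@pbx.example SIP/2.0\r\n"
                "Event: presence\r\n"
                + "Accept: application/pidf+xml\r\n" * 33
                + "Content-Length: 0\r\n\r\n")

INVITE_EMPTY_FMTP = ("INVITE sip:bob@pbx.example SIP/2.0\r\n"
                     "Content-Type: application/sdp\r\n\r\n"
                     "v=0\r\nm=audio 4000 RTP/AVP 96\r\n"
                     "a=rtpmap:96 opus/48000/2\r\na=fmtp:96\r\n")

if __name__ == "__main__":
    for msg in (SUBSCRIBE_33, INVITE_EMPTY_FMTP):
        print(screen_sip_message(msg) or ["clean"])
```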


                               Affected Versions

              Product                  Release Series

       Asterisk Open Source             13.x      All versions

       Asterisk Open Source             14.x      All versions

       Asterisk Open Source             15.x      All versions

        Certified Asterisk              13.18     All versions


                                 Corrected In

       Product                                             Release

       Asterisk Open Source                              13.19.2, 14.7.6, 15.2.2

       Certified Asterisk                                13.18-cert3


                                    Patches

       SVN URL                                                          Revision

       http://downloads.asterisk.org/pub/security/AST-2018-004-13.diff     Asterisk 13

       http://downloads.asterisk.org/pub/security/AST-2018-004-14.diff     Asterisk 14

       http://downloads.asterisk.org/pub/security/AST-2018-004-15.diff     Asterisk 15

       http://downloads.asterisk.org/pub/security/AST-2018-004-13.18.diff  Certified Asterisk 13.18


       Links          https://issues.asterisk.org/jira/browse/ASTERISK-27640


Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version
will be posted at http://downloads.digium.com/pub/security/AST-2018-004.pdf and
http://downloads.digium.com/pub/security/AST-2018-004.html


                               Revision History

Date                 Editor                     Revisions Made

February 5, 2018     Joshua Colp                Initial Revision

February 21, 2018    Joshua Colp                Added CVE


               Asterisk Project Security Advisory - AST-2018-004
              Copyright (C) 2018 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

----------------------------------------------------------------------------------
               Asterisk Project Security Advisory - AST-2018-005

       Product         Asterisk

       Summary         Crash when large numbers of TCP connections are closed suddenly

 Nature of Advisory    Remote Crash

   Susceptibility      Remote Authenticated Sessions

      Severity         Moderate

   Exploits Known      No

     Reported On       January 24, 2018

     Reported By       Sandro Gauci

      Posted On        February 21, 2018

   Last Updated On     February 21, 2018

  Advisory Contact     gjoseph AT digium DOT com

      CVE Name         CVE-2018-7286



     Description       A crash occurs when a number of authenticated INVITE messages are sent over TCP
                       or TLS and then the connection is suddenly closed. This issue leads to a
                       segmentation fault.


     Resolution        A patch to Asterisk is available that prevents the crash by locking the
                       underlying transport until a response is sent.




                               Affected Versions

              Product                  Release Series

       Asterisk Open Source             13.x      All Versions

       Asterisk Open Source             14.x      All Versions

       Asterisk Open Source             15.x      All Versions

        Certified Asterisk              13.18     All Versions


                                 Corrected In

       Product                                             Release

       Asterisk Open Source                              13.19.2, 14.7.6, 15.2.2

       Certified Asterisk                                13.18-cert3


                                    Patches

       SVN URL                                                          Revision

       http://downloads.asterisk.org/pub/security/AST-2018-005-13.diff     Asterisk 13

       http://downloads.asterisk.org/pub/security/AST-2018-005-14.diff     Asterisk 14

       http://downloads.asterisk.org/pub/security/AST-2018-005-15.diff     Asterisk 15

       http://downloads.asterisk.org/pub/security/AST-2018-005-13.18.diff  Certified Asterisk 13.18


       Links          https://issues.asterisk.org/jira/browse/ASTERISK-27618

                      http://downloads.asterisk.org/pub/security/AST-2018-005.html


Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version
will be posted at http://downloads.digium.com/pub/security/AST-2018-005.pdf and
http://downloads.digium.com/pub/security/AST-2018-005.html


                               Revision History

Date                 Editor                     Revisions Made

February 6, 2018     George Joseph              Initial Revision


               Asterisk Project Security Advisory - AST-2018-005
              Copyright (C) 2018 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================