-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.1171
     Asterisk Project Security Advisory - AST-2013-004 and AST-2013-005
                               29 August 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Asterisk Open Source
                   Certified Asterisk
                   Asterisk with Digiumphones
Publisher:         Digium
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-5642 CVE-2013-5641

Original Bulletin:
   http://downloads.asterisk.org/pub/security/AST-2013-004.html
   http://downloads.asterisk.org/pub/security/AST-2013-005.html

Comment: This bulletin contains two (2) Digium security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

               Asterisk Project Security Advisory - AST-2013-004

         Product        Asterisk
         Summary        Remote Crash From Late Arriving SIP ACK With SDP
    Nature of Advisory  Remote Crash
      Susceptibility    Remote Unauthenticated Sessions
         Severity       Major
      Exploits Known    None
       Reported On      February 11, 2013
       Reported By      Colin Cuthbertson
        Posted On       August 27, 2013
     Last Updated On    August 28, 2013
     Advisory Contact   Joshua Colp <jcolp AT digium DOT com>
         CVE Name       CVE-2013-5641

    Description  A remotely exploitable crash vulnerability exists in the SIP
                 channel driver if an ACK with SDP is received after the
                 channel has been terminated. The handling code incorrectly
                 assumes that the channel will always be present.

    Resolution   A check has now been added which only parses SDP and applies
                 it if an Asterisk channel is present.

                 Note that Walter Doekes, OSSO B.V., is responsible for
                 diagnosing and providing the fix for this issue.

                               Affected Versions
          Product                       Release Series
    Asterisk Open Source                   1.8.x       1.8.17.0 and above
    Asterisk Open Source                   11.x        All versions
    Certified Asterisk                     1.8.15      All versions
    Certified Asterisk                     11.2        All versions

                                  Corrected In
                        Product                     Release
                  Asterisk Open Source          1.8.23.1, 11.5.1
                   Certified Asterisk       1.8.15-cert3, 11.2-cert2

                                     Patches
                              SVN URL                                Revision
   http://downloads.asterisk.org/pub/security/AST-2013-004-1.8.diff          Asterisk 1.8
   http://downloads.asterisk.org/pub/security/AST-2013-004-11.diff           Asterisk 11
   http://downloads.asterisk.org/pub/security/AST-2013-004-1.8.15-cert.diff  Certified Asterisk 1.8.15
   http://downloads.asterisk.org/pub/security/AST-2013-004-11.2-cert.diff    Certified Asterisk 11.1

    Links  https://issues.asterisk.org/jira/browse/ASTERISK-21064

    Asterisk Project Security Advisories are posted at
    http://www.asterisk.org/security

    This document may be superseded by later versions; if so, the latest
    version will be posted at
    http://downloads.digium.com/pub/security/AST-2013-004.pdf and
    http://downloads.digium.com/pub/security/AST-2013-004.html

                                Revision History
          Date                 Editor                    Revisions Made
    2013-08-22            Joshua Colp                  Initial revision.
    2013-08-28            Matt Jordan                  Updated with CVE.

               Asterisk Project Security Advisory - AST-2013-004
              Copyright (c) 2013 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

- ------------------------------------------------------------------------------

               Asterisk Project Security Advisory - AST-2013-005

         Product        Asterisk
         Summary        Remote Crash when Invalid SDP is sent in SIP Request
    Nature of Advisory  Remote Crash
      Susceptibility    Remote Unauthenticated Sessions
         Severity       Major
      Exploits Known    None
       Reported On      July 03, 2013
       Reported By      Walter Doekes, OSSO B.V.
        Posted On       August 27, 2013
     Last Updated On    August 28, 2013
     Advisory Contact   Matthew Jordan <mjordan AT digium DOT com>
         CVE Name       CVE-2013-5642

    Description  A remotely exploitable crash vulnerability exists in the SIP
                 channel driver if an invalid SDP is sent in a SIP request
                 that defines media descriptions before connection
                 information. The handling code incorrectly attempts to
                 reference the socket address information even though that
                 information has not yet been set.

    Resolution   This patch adds checks when handling the various media
                 descriptions that ensure the media descriptions are handled
                 only if we have connection information suitable for that
                 media.

                 Thanks to Walter Doekes of OSSO B.V. for finding, reporting,
                 testing, and providing the fix for this problem.

                               Affected Versions
          Product                       Release Series
    Asterisk Open Source                   1.8.x              All Versions
    Asterisk Open Source                   10.x               All Versions
    Asterisk Open Source                   11.x               All Versions
    Certified Asterisk                     1.8.15             All Versions
    Certified Asterisk                     11.2               All Versions
    Asterisk with Digiumphones             10.x-digiumphones  All Versions

                                  Corrected In
                        Product                     Release
                  Asterisk Open Source      1.8.23.1, 10.12.3, 11.5.1
                   Certified Asterisk       1.8.15-cert3, 11.2-cert2
                Asterisk with Digiumphones     10.12.3-digiumphones

                                     Patches
                              SVN URL                                Revision
   http://downloads.asterisk.org/pub/security/AST-2013-005-1.8.diff              Asterisk 1.8
   http://downloads.asterisk.org/pub/security/AST-2013-005-10.diff               Asterisk 10
   http://downloads.asterisk.org/pub/security/AST-2013-005-10-digiumphones.diff  Asterisk 10-digiumphones
   http://downloads.asterisk.org/pub/security/AST-2013-005-11.diff               Asterisk 11
   http://downloads.asterisk.org/pub/security/AST-2013-005-1.8.15.diff           Certified Asterisk 1.8.15
   http://downloads.asterisk.org/pub/security/AST-2013-005-11.2.diff             Certified Asterisk 11.2

    Links  https://issues.asterisk.org/jira/browse/ASTERISK-22007

    Asterisk Project Security Advisories are posted at
    http://www.asterisk.org/security

    This document may be superseded by later versions; if so, the latest
    version will be posted at
    http://downloads.digium.com/pub/security/AST-2013-005.pdf and
    http://downloads.digium.com/pub/security/AST-2013-005.html

                                Revision History
          Date                 Editor                    Revisions Made
    2013-08-27            Matt Jordan                  Initial Revision.
    2013-08-28            Matt Jordan                  Updated CVE.

               Asterisk Project Security Advisory - AST-2013-005
              Copyright (c) 2013 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUh6z1RLndAQH1ShLAQKEwQ/9ElkiZUfVEtPK7FVKIkvKpWLfO1Gufuai
ZlXK5VzCN5142Ct+rWiGzK5Imm/EtVZeAK+WUDPGiQmK3cIqQ4gBCQ2Al/K0qLTp
TyW/6JIyn5SFFQeCttyP/GtxuPOjkR+myXAZNsAbA1Uv8gJGctCU/5tzhnmVpGrM
wBwIG7shOrqSasMsQ2p3nJHt8vy5RF3ZA1M49LlXiBDj1nvzPmffmFR8rXvBw9ZU
LOK1EVQH3YZLarPo3NCUjPw1AFhqcsHpvkeBijbt7brckRFf/Frkp4TbMxXwGphp
wH2msEt78UHcANneJ+YLUpBY2xeMvlve1oxWi+Q8rF7m0xrXTHlGutUfYfD5qDZ+
uwy4wX3NXXlaV0XimfF7IhEwYRqloGGHHR5pp65XvOrfaPvxjl9c4ShiHl362i9+
n2NwG2FtB8Qf5p3ohDx82ZdabBeG0kTyT4s6xDTTz2fUqL2mZVXJud97NY8MV6ZG
c12JOeqxllpyUCT79Ru8SqNSvAW+m/u6vLX6hUiXGfbi1ORrFPn6T5PYPbRSvhrf
bbP5bS+xnPtNLPPogLTlBh/4PDwr4GnJs+AK+be2gnAJ/57Eipp7kNyG++Q4rkZJ
KgMPwiKEKLyzsq6tLsxS/OCyItG00fQo30zG0viQJd6ksv5OTzbC/ngSM2vKsJ8G
kthjA/xopro=
=tRBS
-----END PGP SIGNATURE-----
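Editorial addition, illustrating the two defensive checks the advisories above describe. Both bugs are ordering assumptions in SDP handling: AST-2013-004 assumed a channel still exists when an ACK carrying SDP arrives, and AST-2013-005 assumed connection information (a `c=` line) has already been seen when a media description (`m=` line) is processed. The code below is hypothetical and written for this bulletin; it is not Asterisk's chan_sip driver, and the `struct channel`, `parse_sdp`, `apply_sdp` names and the sample bodies are all constructed. It parses a minimal SDP body without ever acting on a media section, then applies the result only when a channel exists and only to sections that actually have an address, so an `m=` line before any `c=` line is parsed but never dereferenced.

```c
/* Hypothetical SDP handling with the two checks from AST-2013-004/005.
 * Not Asterisk code: names, structs and sample bodies are constructed. */
#include <stdio.h>
#include <string.h>

#define MAX_MEDIA 8

struct sdp_media {
    char type[16];   /* "audio", "video", ... */
    int port;
    char addr[64];   /* connection address bound to this stream */
    int have_addr;   /* stays 0 until a usable c= line has been seen */
};

struct sdp {
    char session_addr[64];
    int have_session_addr;
    struct sdp_media media[MAX_MEDIA];
    int nmedia;
};

/* Stand-in for a channel object; NULL once the call has been torn down. */
struct channel {
    char remote_addr[64];
    int remote_port;
};

/* Parse "c=IN IP4 203.0.113.5" into addr; returns 1 on success, 0 otherwise. */
static int parse_c_line(const char *line, char *addr, size_t addrlen)
{
    char net[8], type[8], value[64];
    if (sscanf(line, "c=%7s %7s %63s", net, type, value) != 3 ||
        strcmp(net, "IN") != 0 ||
        (strcmp(type, "IP4") != 0 && strcmp(type, "IP6") != 0))
        return 0;
    snprintf(addr, addrlen, "%s", value);
    return 1;
}

/* Parse an SDP body into `out`. An m= line that precedes any c= line is kept
 * with have_addr == 0: parsing it is fine, acting on it is not. Returns the
 * number of media sections, or -1 on a malformed line. */
int parse_sdp(const char *body, struct sdp *out)
{
    const char *p = body;
    memset(out, 0, sizeof(*out));
    while (*p) {
        char line[256];
        size_t len = strcspn(p, "\r\n");
        if (len >= sizeof(line))
            return -1;
        memcpy(line, p, len);
        line[len] = '\0';
        p += len + strspn(p + len, "\r\n");

        if (strncmp(line, "m=", 2) == 0) {
            struct sdp_media *m;
            if (out->nmedia >= MAX_MEDIA)
                return -1;
            m = &out->media[out->nmedia++];
            if (sscanf(line, "m=%15s %d", m->type, &m->port) != 2)
                return -1;
            if (out->have_session_addr) {   /* inherit the session-level c= */
                snprintf(m->addr, sizeof(m->addr), "%s", out->session_addr);
                m->have_addr = 1;
            }
        } else if (strncmp(line, "c=", 2) == 0) {
            char addr[64];
            if (!parse_c_line(line, addr, sizeof(addr)))
                return -1;
            if (out->nmedia == 0) {         /* session-level: later m= lines */
                snprintf(out->session_addr, sizeof(out->session_addr), "%s", addr);
                out->have_session_addr = 1;
            } else {                        /* media-level: current m= only */
                struct sdp_media *m = &out->media[out->nmedia - 1];
                snprintf(m->addr, sizeof(m->addr), "%s", addr);
                m->have_addr = 1;
            }
        }
    }
    return out->nmedia;
}

/* Apply parsed media to a channel. Returns the number of streams applied, or
 * -1 when there is no channel (AST-2013-004: SDP in an ACK after hangup).
 * Streams with no connection information (AST-2013-005) are skipped. */
int apply_sdp(struct channel *chan, const struct sdp *sdp)
{
    int i, applied = 0;
    if (chan == NULL)
        return -1;
    for (i = 0; i < sdp->nmedia; i++) {
        const struct sdp_media *m = &sdp->media[i];
        if (!m->have_addr || m->port == 0)   /* no address, or stream rejected */
            continue;
        if (strcmp(m->type, "audio") == 0) {
            snprintf(chan->remote_addr, sizeof(chan->remote_addr), "%s", m->addr);
            chan->remote_port = m->port;
        }
        applied++;
    }
    return applied;
}

/* Constructed sample bodies (not captured traffic). */
const char *SDP_VALID =
    "v=0\r\no=- 1 1 IN IP4 192.0.2.10\r\ns=-\r\n"
    "c=IN IP4 192.0.2.10\r\nt=0 0\r\nm=audio 5004 RTP/AVP 0\r\n";
/* Media descriptions before any connection information. */
const char *SDP_MEDIA_FIRST =
    "v=0\r\no=- 1 1 IN IP4 192.0.2.10\r\ns=-\r\nt=0 0\r\n"
    "m=audio 5004 RTP/AVP 0\r\nm=video 5006 RTP/AVP 31\r\nc=IN IP4 192.0.2.10\r\n";

int main(void)
{
    struct sdp s;
    struct channel ch = { "", 0 };
    int parsed = parse_sdp(SDP_VALID, &s);
    printf("valid: parsed=%d applied=%d\n", parsed, apply_sdp(&ch, &s));
    parsed = parse_sdp(SDP_MEDIA_FIRST, &s);
    printf("media-first: parsed=%d applied=%d\n", parsed, apply_sdp(&ch, &s));
    printf("no channel: applied=%d\n", apply_sdp(NULL, &s));
    return 0;
}
```

Separating parsing from application is what makes the ordering irrelevant: in the media-first body the audio section never receives an address and is skipped, the trailing `c=` line is treated as media-level for the video section that precedes it, and a NULL channel short-circuits before any media is touched. The same shape applies to any line-oriented protocol body where a later line supplies state an earlier line appears to need.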