-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2018.1737.2
                   Asterisk Project Security Advisories
                               13 June 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Asterisk
Publisher:         Asterisk
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Denial of Service -- Existing Account      
                   Reduced Security  -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-12228 CVE-2018-12227 

Original Bulletin: 
   http://downloads.asterisk.org/pub/security/AST-2018-007.html
   http://downloads.asterisk.org/pub/security/AST-2018-008.html

Comment: This bulletin contains two (2) Asterisk security advisories.

Revision History:  June 13 2018: Asterisk updated bulletins to include CVEs
                   June 12 2018: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Asterisk Project Security Advisory - AST-2018-007

       Product         Asterisk

       Summary         Infinite loop when reading iostreams

 Nature of Advisory    Denial of Service

   Susceptibility      Remote Authenticated Sessions

      Severity         Critical

   Exploits Known      No

     Reported On       April 16, 2018

     Reported By       Sean Bright

      Posted On        June 11, 2018

   Last Updated On     June 11, 2018

  Advisory Contact     Kevin Harwell <kharwell AT digium DOT com>

      CVE Name         CVE-2018-12228


Description

When connected to Asterisk via TCP/TLS if the client abruptly disconnects, or
sends a specially crafted message then Asterisk gets caught in an infinite loop
while trying to read the data stream. Thus rendering the system as unusable.


Resolution

Stricter error checking is now done when iostreams encounters a problem. When
an error occurs during reading it is now properly handled, and continued
reading is appropriately stopped.


Affected Versions

Product                  Release   Series

Asterisk Open Source     15.x      All Releases


Corrected In

Product                Release

Asterisk Open Source   15.4.1


Patches

                     SVN URL                                             Revision

http://downloads.asterisk.org/pub/security/AST-2018-007-15.diff         Asterisk 15


Links
https://issues.asterisk.org/jira/browse/ASTERISK-27807


Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version
will be posted at http://downloads.digium.com/pub/security/AST-2018-007.pdf and
http://downloads.digium.com/pub/security/AST-2018-007.html


Revision History

Date                   Editor                   Revisions Made

April 25, 2018       Kevin Harwell              Initial Revision


               Asterisk Project Security Advisory - AST-2018-007
              Copyright (C) 2018 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

- -------------------------------------------------------------------------------

Asterisk Project Security Advisory - AST-2018-008

       Product         Asterisk

       Summary         PJSIP endpoint presence disclosure when using ACL

 Nature of Advisory    Unauthorized data disclosure

   Susceptibility      Remote Unauthenticated Sessions

      Severity         Minor

   Exploits Known      No

     Reported On       April 19, 2018

     Reported By       John

      Posted On        June 11, 2018

   Last Updated On     June 11, 2018

  Advisory Contact     Rmudgett AT digium DOT com

      CVE Name         CVE-2018-12227


Description

When endpoint specific ACL rules block a SIP request they respond with a 403
forbidden. However, if an endpoint is not identified then a 401 unauthorized
response is sent. This vulnerability just discloses which requests hit a
defined endpoint. The ACL rules cannot be bypassed to gain access to the
disclosed endpoints.


Resolution
Endpoint specific ACL rules now respond with a 401 challenge which is the same
as if an endpoint were not identified. An alternate is to use global ACL rules
to avoid the information disclosure.


Affected Versions

      Product                  Release   Series


Asterisk Open Source             13.x     13.10.0 and later

Asterisk Open Source             14.x     All releases

Asterisk Open Source             15.x     All releases

Certified Asterisk              13.18     All releases

Certified Asterisk              13.21     All releases


Corrected In

Product                 Release

Asterisk Open Source    13.21.1, 14.7.7, 15.4.1

Certified Asterisk      13.18-cert4, 13.21-cert2


Patches

SVN URL                                                             Revision

http://downloads.asterisk.org/pub/security/AST-2018-008-13.diff     Asterisk 13

http://downloads.asterisk.org/pub/security/AST-2018-008-14.diff     Asterisk 14

http://downloads.asterisk.org/pub/security/AST-2018-008-15.diff     Asterisk 15

http://downloads.asterisk.org/pub/security/AST-2018-008-13.18.diff  Certified Asterisk 13.18

http://downloads.asterisk.org/pub/security/AST-2018-008-13.21.diff  Certified Asterisk 13.21


Links

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version
will be posted at http://downloads.digium.com/pub/security/AST-2018-008.pdf and
http://downloads.digium.com/pub/security/AST-2018-008.html


Revision History

Date                   Editor                   Revisions Made

May 1, 2018          Richard Mudgett            Initial revision

June 11, 2018        Richard Mudgett            Added Certified Asterisk 13.21


               Asterisk Project Security Advisory - AST-2018-008
              Copyright (C) 2018 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWyCQ6WaOgq3Tt24GAQh/6RAAsrkbQnZvVovC8h0i0gyX9ELjDPxuGkRW
JcFzltxExtuNGlwLhAhO7hiBRa2ts3bbUmqAU9NJokrNXFDGcq4O55ytFxlrheof
FbrbR2iLVnUCMfaF52zKk1qi2OjeYgjQs6qQCIP2xCLQ3Oe6FXbFdXZoToyWVrg5
ylRTsa8Jgu+DQcB+m1t1R9/tIN9OsJ+D1eb4W5m9FsBdPJM1Jo2khtb0Zou4kR3v
CVtu839nfMWW1dlZxHC8r2TiK2upcH7VpnYgocXsYfxHRziQpbENTAGN9Q6BLP+L
vHgOtPpFLXUVLBbvzSB07zUmpahfMmGLSOblEIw4g4u7JJU5cT2t7vwPolspwOnt
v02r1Wh7IMc6+xKcSu51LOm+Ics8kwkPyLgeydNdXpMe85dUiSTrk5IP1kabeWzu
ojEWfphbegylueQGsoNIoQwZ92ut/vyHEyOCnbbt2JwuCuX5Uqmi4TA8eS5WrAzb
QjijwAWJqBIGZ+BLWFBZQuTejmU+v9H3LQqduCe3iC/jHPcJ//cJLQ+eNO8NtJ6B
VRj3Ck2q+mD0fsx2WU7OVfhGkrZBq7ndKG9YVp/up6R3i0nB5I18JrJtf/o0rPml
4vVpqtYpK1+Cc+83lCSpeHEG7nmXJv4opEo879tTc/yTp4LhGAKCF1r2kLnJSUKF
FwdiVTMuS5Y=
=5XCy
-----END PGP SIGNATURE-----