===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0624
                   Asterisk Project Security Advisories
                              19 February 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Asterisk
Publisher:         Asterisk
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-26906 CVE-2021-26717 CVE-2021-26714
                   CVE-2021-26712 CVE-2020-35776

Original Bulletin:
   http://downloads.asterisk.org/pub/security/AST-2021-001.html
   http://downloads.asterisk.org/pub/security/AST-2021-002.html
   http://downloads.asterisk.org/pub/security/AST-2021-003.html
   http://downloads.asterisk.org/pub/security/AST-2021-004.html
   http://downloads.asterisk.org/pub/security/AST-2021-005.html

Comment: This bulletin contains five (5) Asterisk security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

               Asterisk Project Security Advisory - AST-2021-001

  Product             Asterisk
  Summary             Remote crash in res_pjsip_diversion
  Nature of Advisory  Denial of service
  Susceptibility      Remote authenticated sessions
  Severity            Moderate
  Exploits Known      No
  Reported On         December 28, 2020
  Reported By         Ivan Poddubny
  Posted On           January 04, 2021
  Last Updated On     January 04, 2021
  Advisory Contact    gjoseph AT sangoma DOT com
  CVE Name            CVE-2020-35776

  Description
    If a registered user is tricked into dialing a malicious number that
    sends a large number of 181 responses to Asterisk, each one causes a
    181 to be sent back to the original caller with one more entry in the
    Supported header. Eventually the number of entries exceeds the size of
    the entry array and Asterisk crashes.

  Modules Affected    res_pjsip_diversion.c

  Resolution
    Before updating the Supported header with a new entry, Asterisk now
    checks that the entry does not already exist and that adding it will
    not exceed the size of the entry array.

  Affected Versions
    Product                 Release Series
    Asterisk Open Source    13.x            13.38.1
    Asterisk Open Source    16.x            16.15.1
    Asterisk Open Source    17.x            17.9.1
    Asterisk Open Source    18.x            18.1.1

  Corrected In
    Product                 Release
    Asterisk Open Source    13.38.2, 16.16.1, 17.9.2, 18.2.1

  Patches
    Patch URL                                                        Revision
    https://downloads.digium.com/pub/security/AST-2021-001-13.diff   13.38.2
    https://downloads.digium.com/pub/security/AST-2021-001-16.diff   16.16.1
    https://downloads.digium.com/pub/security/AST-2021-001-17.diff   17.9.2
    https://downloads.digium.com/pub/security/AST-2021-001-18.diff   18.2.1

  Links
    https://issues.asterisk.org/jira/browse/ASTERISK-29227
    https://downloads.asterisk.org/pub/security/AST-2021-001.html

  Asterisk Project Security Advisories are posted at
  http://www.asterisk.org/security

  This document may be superseded by later versions; if so, the latest
  version will be posted at
  https://downloads.digium.com/pub/security/AST-2021-001.pdf and
  https://downloads.digium.com/pub/security/AST-2021-001.html

  Revision History
    Date                Editor          Revisions Made
    December 29, 2020   George Joseph   Initial revision

               Asterisk Project Security Advisory - AST-2021-001
              Copyright (C) 2020 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in
  its original, unaltered form.
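The growth described in AST-2021-001 and the two checks its resolution adds, modelled in C as an added example. This is constructed for this page and is not res_pjsip_diversion.c or PJSIP code: the 32-entry capacity echoes PJSIP_GENERIC_ARRAY_MAX_COUNT, the option tag "histinfo" is assumed to be what the diversion module adds on each relayed 181, and the struct and function names are illustrative.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Fixed-capacity option-tag array, the shape a parsed Supported header has.
 * The capacity 32 mirrors PJSIP_GENERIC_ARRAY_MAX_COUNT; the struct itself is
 * constructed for this example. */
#define SUPPORTED_MAX 32
#define TAG_LEN       32

typedef struct {
    unsigned count;
    char     values[SUPPORTED_MAX][TAG_LEN];
} supported_hdr;

static void copy_tag(char *dst, const char *tag)
{
    strncpy(dst, tag, TAG_LEN - 1);
    dst[TAG_LEN - 1] = '\0';
}

/* Pre-fix shape: appends on every call. Relaying the 33rd 181 writes past the
 * end of values[]. Kept here for contrast only; nothing below calls it. */
static void add_supported_unchecked(supported_hdr *h, const char *tag)
{
    copy_tag(h->values[h->count], tag);
    h->count++;
}

/* Post-fix shape, following the advisory's resolution: an entry that already
 * exists is not added again, and a full array is left untouched. */
static bool add_supported_checked(supported_hdr *h, const char *tag)
{
    for (unsigned i = 0; i < h->count; i++) {
        if (strcmp(h->values[i], tag) == 0) {
            return true;            /* already advertised */
        }
    }
    if (h->count >= SUPPORTED_MAX) {
        return false;               /* no room; header unchanged */
    }
    copy_tag(h->values[h->count], tag);
    h->count++;
    return true;
}

/* Model of the forwarding loop from the description: every 181 from the far
 * end is relayed to the original caller, and each relay tries to add the
 * option tag (assumed "histinfo") to the outgoing Supported header. Returns
 * the number of entries the header ends up with. */
static unsigned relay_181_responses(supported_hdr *h, unsigned n_responses)
{
    for (unsigned i = 0; i < n_responses; i++) {
        add_supported_checked(h, "histinfo");
    }
    return h->count;
}

int main(void)
{
    supported_hdr h = { 0 };
    printf("entries after 1000 relayed 181s: %u\n",
           relay_181_responses(&h, 1000));

    /* Distinct tags still cannot push the header past its capacity. */
    supported_hdr d = { 0 };
    unsigned accepted = 0;
    for (unsigned i = 0; i < SUPPORTED_MAX + 8; i++) {
        char tag[TAG_LEN];
        snprintf(tag, sizeof tag, "tag%u", i);
        accepted += add_supported_checked(&d, tag);
    }
    printf("distinct tags accepted: %u of %u\n", accepted, SUPPORTED_MAX + 8);
    (void)add_supported_unchecked;
    return 0;
}
```

With the unchecked version the header count grows by one per relayed 181, which is exactly the unbounded growth the description attributes to a hostile far end; the checked version keeps the count at one for repeated tags and refuses new tags once the array is full.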
- --------------------------------------------------------------------------------

               Asterisk Project Security Advisory - AST-2021-002

  Product             Asterisk
  Summary             Remote crash possible when negotiating T.38
  Nature of Advisory  Denial of service
  Susceptibility      Remote authenticated sessions
  Severity            Minor
  Exploits Known      No
  Reported On         December 8, 2020
  Reported By         Gregory Massel
  Posted On
  Last Updated On     February 5, 2021
  Advisory Contact    kharwell AT sangoma DOT com
  CVE Name            CVE-2021-26717

  Description
    When re-negotiating for T.38, if the initial remote response was delayed
    just enough, Asterisk would send both audio and T.38 in the SDP. If this
    happened and the remote responded with a declined T.38 stream, Asterisk
    would crash.

  Modules Affected    res_pjsip_session.c, res_pjsip_t38.c

  Resolution
    When re-negotiating for T.38 and a delay occurs, Asterisk now sends SDP
    only for the expected T.38 stream. A check was also put in place to
    ensure an active T.38 media stream exists within Asterisk when
    attempting to change state for fax.

  Affected Versions
    Product                 Release Series   Introduced
    Asterisk Open Source    16.x             16.15.0
    Asterisk Open Source    17.x             17.9.0
    Asterisk Open Source    18.x             18.1.0
    Certified Asterisk      16.8             16.8-cert4

  Corrected In
    Product                 Release
    Asterisk Open Source    16.16.1, 17.9.2, 18.2.1
    Certified Asterisk      16.8-cert6

  Patches
    Patch URL                                                          Revision
    https://downloads.asterisk.org/pub/security/AST-2021-002-16.diff   Asterisk 16
    https://downloads.asterisk.org/pub/security/AST-2021-002-17.diff   Asterisk 17
    https://downloads.asterisk.org/pub/security/AST-2021-002-18.diff   Asterisk 18
    https://downloads.asterisk.org/pub/security/AST-2021-002-16.8.diff Certified Asterisk 16.8-cert6

  Links
    https://issues.asterisk.org/jira/browse/ASTERISK-29203
    https://downloads.asterisk.org/pub/security/AST-2021-002.html

  Asterisk Project Security Advisories are posted at
  http://www.asterisk.org/security

  This document may be superseded by later versions; if so, the latest
  version will be posted at
  http://downloads.digium.com/pub/security/AST-2021-002.pdf and
  http://downloads.digium.com/pub/security/AST-2021-002.html

  Revision History
    Date                Editor          Revisions Made
    February 1, 2021    Kevin Harwell   Initial revision

               Asterisk Project Security Advisory - AST-2021-002
              Copyright (C) 2021 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in
  its original, unaltered form.
- --------------------------------------------------------------------------------

               Asterisk Project Security Advisory - AST-2021-003

  Product             Asterisk
  Summary             Remote attacker could prematurely tear down SRTP calls
  Nature of Advisory  Denial of Service
  Susceptibility      Remote unauthenticated sessions
  Severity            Moderate
  Exploits Known      No
  Reported On         January 22, 2021
  Reported By         Alexander Traud
  Posted On
  Last Updated On     February 18, 2021
  Advisory Contact    gjoseph AT sangoma DOT com
  CVE Name            CVE-2021-26712

  Description
    An unauthenticated remote attacker could replay SRTP packets, which
    could cause an Asterisk instance configured without strict RTP
    validation to tear down calls prematurely.

  Modules Affected    res_srtp.c, res_rtp_asterisk.c

  Resolution
    Asterisk now implements SRTP replay protection via a
    srtpreplayprotection option in rtp.conf. The default is yes.

  Affected Versions
    Product                 Release Series
    Asterisk Open Source    13.x            13.38.1
    Asterisk Open Source    16.x            16.16.0
    Asterisk Open Source    17.x            17.9.1
    Asterisk Open Source    18.x            18.2.0
    Certified Asterisk      16.x            16.8-cert5

  Corrected In
    Product                 Release
    Asterisk Open Source    13.38.2, 16.16.1, 17.9.2, 18.2.1
    Certified Asterisk      16.8-cert6

  Patches
    Patch URL                                                          Revision
    https://downloads.asterisk.org/pub/security/AST-2021-003-13.diff   13.38.2
    https://downloads.asterisk.org/pub/security/AST-2021-003-16.diff   16.16.1
    https://downloads.asterisk.org/pub/security/AST-2021-003-17.diff   17.9.2
    https://downloads.asterisk.org/pub/security/AST-2021-003-18.diff   18.2.1
    https://downloads.asterisk.org/pub/security/AST-2021-003-16.8.diff Certified Asterisk 16.8-cert6

  Links
    https://issues.asterisk.org/jira/browse/ASTERISK-29260
    https://downloads.asterisk.org/pub/security/AST-2021-003.html

  Asterisk Project Security Advisories are posted at
  http://www.asterisk.org/security

  This document may be superseded by later versions; if so, the latest
  version will be posted at
  https://downloads.digium.com/pub/security/AST-2021-003.pdf and
  https://downloads.digium.com/pub/security/AST-2021-003.html

  Revision History
    Date                Editor          Revisions Made
    February 4, 2021    George Joseph   Initial
    February 5, 2021    George Joseph   Added CVE ID

               Asterisk Project Security Advisory - AST-2021-003
              Copyright (C) 2021 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in
  its original, unaltered form.

- --------------------------------------------------------------------------------

               Asterisk Project Security Advisory - AST-2021-004

  Product             Asterisk
  Summary             An unsuspecting user could crash Asterisk with
                      multiple hold/unhold requests
  Nature of Advisory  Denial of Service
  Susceptibility      Remote authenticated sessions
  Severity            Moderate
  Exploits Known      No
  Reported On         December 9, 2020
  Reported By         Edvin Vidmar
  Posted On
  Last Updated On     February 11, 2021
  Advisory Contact    gjoseph AT sangoma DOT com
  CVE Name            CVE-2021-26714

  Description
    Due to a signedness comparison mismatch, an authenticated WebRTC client
    could cause a stack overflow and Asterisk crash by sending multiple
    hold/unhold requests in quick succession.

  Modules Affected    res_rtp_asterisk.c

  Resolution
    The packet size comparison terms have been corrected.

  Affected Versions
    Product                 Release Series
    Asterisk Open Source    16.x            16.16.0
    Asterisk Open Source    17.x            17.9.1
    Asterisk Open Source    18.x            18.2.0
    Certified Asterisk      16.x            16.8-cert5

  Corrected In
    Product                 Release
    Asterisk Open Source    16.16.1, 17.9.2, 18.2.1
    Certified Asterisk      16.8-cert6

  Patches
    Patch URL                                                          Revision
    https://downloads.asterisk.org/pub/security/AST-2021-004-16.diff   Asterisk 16
    https://downloads.asterisk.org/pub/security/AST-2021-004-17.diff   Asterisk 17
    https://downloads.asterisk.org/pub/security/AST-2021-004-18.diff   Asterisk 18
    https://downloads.asterisk.org/pub/security/AST-2021-004-16.8.diff Certified Asterisk 16.8-cert6

  Links
    https://issues.asterisk.org/jira/browse/ASTERISK-29205
    https://downloads.asterisk.org/pub/security/AST-2021-004.html

  Asterisk Project Security Advisories are posted at
  http://www.asterisk.org/security

  This document may be superseded by later versions; if so, the latest
  version will be posted at
  https://downloads.digium.com/pub/security/AST-2021-004.pdf and
  https://downloads.digium.com/pub/security/AST-2021-004.html

  Revision History
    Date                Editor          Revisions Made
    February 4, 2021    George Joseph   Initial revision
    February 9, 2021    George Joseph   Added CVE

               Asterisk Project Security Advisory - AST-2021-004
              Copyright (C) 2021 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in
  its original, unaltered form.
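The two receive-path checks that the AST-2021-003 and AST-2021-004 resolutions describe, together in one C example added here. The code is constructed for this page and is not res_rtp_asterisk.c or res_srtp.c. The replay window is the RFC 3711 section 3.3.1/3.3.2 sliding window that the rtp.conf srtpreplayprotection option turns on; the size comparison shows the signed/unsigned mismatch pattern that AST-2021-004 corrects, not the exact expressions in the Asterisk source. All struct, function and enum names are illustrative.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RTP_HDR_LEN   12
#define REPLAY_WINDOW 64

/* AST-2021-004 pattern. Pre-fix shape: space_left is a signed int that can go
 * negative; the usual arithmetic conversions turn -4 into a huge size_t, so
 * the check passes and the caller copies bytes it has no room for. The cast
 * only makes visible what the compiler does implicitly. */
static bool fits_vulnerable(size_t len, int space_left)
{
    return len <= (size_t)space_left;
}

/* Post-fix shape: reject negative space before comparing magnitudes. */
static bool fits_hardened(size_t len, int space_left)
{
    return space_left >= 0 && len <= (size_t)space_left;
}

/* AST-2021-003: SRTP replay protection, RFC 3711 sections 3.3.1 and 3.3.2.
 * What the fixed releases enable from rtp.conf (default yes):
 *   [general]
 *   srtpreplayprotection=yes
 */
typedef struct {
    bool     started;
    uint64_t s_l;     /* highest accepted packet index, (ROC << 16) | SEQ */
    uint64_t bitmap;  /* bit k set: index s_l - k has been accepted */
} replay_state;

enum verdict { ACCEPT = 0, REJECT_TOO_SHORT, REJECT_BAD_VERSION,
               REJECT_REPLAY, REJECT_TOO_OLD };

/* Index estimation (3.3.1): choose the rollover counter that places seq
 * nearest to the last accepted index. */
static uint64_t estimate_index(const replay_state *st, uint16_t seq)
{
    if (!st->started) return seq;
    uint32_t roc = (uint32_t)(st->s_l >> 16);
    int s_l = (int)(st->s_l & 0xffff);
    uint32_t v = roc;
    if (s_l < 32768) { if ((int)seq - s_l > 32768) v = roc - 1; }
    else             { if (s_l - 32768 > (int)seq) v = roc + 1; }
    return ((uint64_t)v << 16) | seq;
}

/* Sliding window (3.3.2): newer than s_l advances the window; inside the
 * window a set bit is a replay; older than the window is rejected outright. */
static enum verdict replay_check(replay_state *st, uint64_t idx)
{
    if (!st->started) {                 /* first packet seeds the window */
        st->started = true; st->s_l = idx; st->bitmap = 1;
        return ACCEPT;
    }
    if (idx > st->s_l) {                /* newer: slide the window forward */
        uint64_t shift = idx - st->s_l;
        st->bitmap = (shift >= 64) ? 0 : (st->bitmap << shift);
        st->bitmap |= 1;
        st->s_l = idx;
        return ACCEPT;
    }
    uint64_t delta = st->s_l - idx;     /* older: must be in-window and unseen */
    if (delta >= REPLAY_WINDOW) return REJECT_TOO_OLD;
    if (st->bitmap & (1ULL << delta)) return REJECT_REPLAY;
    st->bitmap |= 1ULL << delta;
    return ACCEPT;
}

typedef struct {
    bool         replay_protection;     /* srtpreplayprotection */
    replay_state replay;
} rtp_session;

/* Receive-side gate: header sanity, then the replay window when enabled. With
 * protection off a replayed packet is accepted, as it was before the fix. */
static enum verdict rtp_accept(rtp_session *s, const uint8_t *pkt, size_t len)
{
    if (len < RTP_HDR_LEN) return REJECT_TOO_SHORT;
    if ((pkt[0] >> 6) != 2) return REJECT_BAD_VERSION;
    uint16_t seq = (uint16_t)((pkt[2] << 8) | pkt[3]);
    if (!s->replay_protection) return ACCEPT;
    return replay_check(&s->replay, estimate_index(&s->replay, seq));
}

/* Minimal RTP header carrying the given sequence number (constructed input). */
static void make_rtp(uint8_t out[RTP_HDR_LEN], uint16_t seq)
{
    memset(out, 0, RTP_HDR_LEN);
    out[0] = 0x80;                      /* V=2, no padding/extension/CSRC */
    out[1] = 0x08;                      /* PT 8 (PCMA) */
    out[2] = (uint8_t)(seq >> 8);
    out[3] = (uint8_t)(seq & 0xff);
}

int main(void)
{
    rtp_session s = { true, { false, 0, 0 } };
    uint8_t pkt[RTP_HDR_LEN];
    const uint16_t seqs[] = { 100, 101, 101, 99, 99, 102 };
    for (size_t i = 0; i < sizeof seqs / sizeof seqs[0]; i++) {
        make_rtp(pkt, seqs[i]);
        printf("seq %u -> verdict %d\n", seqs[i], rtp_accept(&s, pkt, sizeof pkt));
    }
    printf("fits_vulnerable(100, -4)=%d fits_hardened(100, -4)=%d\n",
           fits_vulnerable(100, -4), fits_hardened(100, -4));
    return 0;
}
```

On a fixed release the running version can be confirmed with `asterisk -rx "core show version"`; the replay window only applies when srtpreplayprotection is left at its default of yes, and the AST-2021-003 description notes that the tear-down was observed on instances without strict RTP validation, so the strictrtp setting in rtp.conf is worth checking at the same time.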
- --------------------------------------------------------------------------------

               Asterisk Project Security Advisory - AST-2021-005

  Product             Asterisk
  Summary             Remote Crash Vulnerability in PJSIP channel driver
  Nature of Advisory  Denial of Service
  Susceptibility      Remote Unauthenticated Sessions
  Severity            Moderate
  Exploits Known      No
  Reported On         December 4, 2020
  Reported By         Mauri de Souza Meneguzzo (3CPlus)
  Posted On           February 8, 2021
  Last Updated On     February 8, 2021
  Advisory Contact    jcolp AT sangoma DOT com
  CVE Name            CVE-2021-26906

  Description
    Given a scenario where an outgoing call is placed from Asterisk to a
    remote SIP server, it is possible for a crash to occur. The code
    responsible for negotiating SDP in SIP responses incorrectly assumes
    that SDP negotiation will always be successful. If a SIP response
    containing an SDP that cannot be negotiated is received, a subsequent
    SDP negotiation on the same call can cause a crash.

    If the accept_multiple_sdp_answers option in the system section of
    pjsip.conf is set to yes, then any subsequent non-forked SIP response
    with SDP can trigger this crash. If the follow_early_media_fork option
    in the system section of pjsip.conf is set to yes (the default), then
    any subsequent SIP response with SDP from a forked destination can
    trigger this crash. If a 200 OK with SDP is received from a forked
    destination it can also trigger this crash, even if the
    follow_early_media_fork option is not set to yes.

    In all cases this relies on a race condition with tight timing, where
    the second SDP negotiation occurs before the call is terminated because
    of the initial SDP negotiation failure.

  Modules Affected    res_pjsip_session.c, PJSIP

  Resolution
    The issue has been fixed in PJSIP by changing the behavior of the
    pjmedia_sdp_neg_modify_local_offer2 function. If SDP was previously
    negotiated, the code no longer assumes that the negotiation was
    successful and instead checks that SDP was negotiated.
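The assumption that the AST-2021-005 resolution describes, modelled in C as an added example. This is not pjproject's sdp_neg.c: the state and field names only echo pjmedia's negotiator, and the return codes and helper names are constructed. It walks the sequence from the description: an offer goes out, a response carries SDP that cannot be negotiated, and a second SDP arrives on the same call before the call is torn down.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the per-call offer/answer state. Names echo pjmedia's
 * negotiator; this is not pjproject code. */
enum neg_state { NEG_STATE_NULL, NEG_STATE_LOCAL_OFFER, NEG_STATE_DONE };
enum neg_rc    { NEG_OK = 0, NEG_EINSTATE, NEG_ENONEGOTIATED };

typedef struct { const char *media; } sdp_session;

typedef struct {
    enum neg_state     state;
    const sdp_session *initial_sdp;   /* our outgoing offer */
    const sdp_session *active_local;  /* set only by a successful negotiation */
} sdp_neg;

static void neg_send_local_offer(sdp_neg *n, const sdp_session *offer)
{
    n->initial_sdp = offer;
    n->state = NEG_STATE_LOCAL_OFFER;
}

/* A response with SDP arrives. 'negotiable' is false when the answer cannot
 * be matched against the offer. The state returns to DONE either way, which
 * is the trap: DONE means "a negotiation finished", not "it succeeded". */
static void neg_handle_answer(sdp_neg *n, bool negotiable)
{
    if (negotiable) {
        n->active_local = n->initial_sdp;
    }
    n->state = NEG_STATE_DONE;
}

/* Pre-fix shape: a second SDP on the same call re-enters the negotiator,
 * which uses active_local on the strength of the DONE state alone. After a
 * failed answer that pointer is NULL. Kept for contrast; nothing calls it. */
static enum neg_rc neg_modify_local_offer_unchecked(sdp_neg *n,
                                                    const sdp_session **old_offer)
{
    if (n->state != NEG_STATE_DONE) {
        return NEG_EINSTATE;
    }
    *old_offer = n->active_local;
    return (*old_offer)->media != NULL ? NEG_OK : NEG_EINSTATE; /* NULL deref */
}

/* Post-fix shape: confirm the negotiation actually produced an active SDP. */
static enum neg_rc neg_modify_local_offer_checked(sdp_neg *n,
                                                  const sdp_session **old_offer)
{
    if (n->state != NEG_STATE_DONE) {
        return NEG_EINSTATE;
    }
    if (n->active_local == NULL) {
        return NEG_ENONEGOTIATED;       /* negotiated, but not successfully */
    }
    *old_offer = n->active_local;
    return NEG_OK;
}

/* The advisory's sequence: offer, an answer that cannot be negotiated, then a
 * second SDP on the same call before tear-down. Returns the verdict of the
 * checked negotiator. */
static enum neg_rc run_failed_then_second_sdp(void)
{
    static const sdp_session offer = { "m=audio 4000 RTP/AVP 0 8" };
    sdp_neg n = { NEG_STATE_NULL, NULL, NULL };
    const sdp_session *old = NULL;
    neg_send_local_offer(&n, &offer);
    neg_handle_answer(&n, false);       /* e.g. no codec in common */
    return neg_modify_local_offer_checked(&n, &old);
}

static enum neg_rc run_successful_then_second_sdp(void)
{
    static const sdp_session offer = { "m=audio 4000 RTP/AVP 0 8" };
    sdp_neg n = { NEG_STATE_NULL, NULL, NULL };
    const sdp_session *old = NULL;
    neg_send_local_offer(&n, &offer);
    neg_handle_answer(&n, true);
    return neg_modify_local_offer_checked(&n, &old);
}

int main(void)
{
    printf("second SDP after failed negotiation: rc=%d (NEG_ENONEGOTIATED=%d)\n",
           run_failed_then_second_sdp(), NEG_ENONEGOTIATED);
    printf("second SDP after successful negotiation: rc=%d (NEG_OK=%d)\n",
           run_successful_then_second_sdp(), NEG_OK);
    (void)neg_modify_local_offer_unchecked;
    return 0;
}
```

The checked variant turns the crash path into an error return that the caller can handle, which is the behaviour change the resolution attributes to pjmedia_sdp_neg_modify_local_offer2.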
    This issue can only be resolved by upgrading to a fixed version or
    applying the provided patch.

  Affected Versions
    Product                 Release Series
    Asterisk Open Source    13.x            All versions
    Asterisk Open Source    16.x            All versions
    Asterisk Open Source    17.x            All versions
    Asterisk Open Source    18.x            All versions
    Certified Asterisk      16.x            All versions

  Corrected In
    Product                 Release
    Asterisk Open Source    13.38.2, 16.16.1, 17.9.2, 18.2.1
    Certified Asterisk      16.8-cert6

  Patches
    Patch URL                                                          Revision
    https://downloads.asterisk.org/pub/security/AST-2021-005-13.diff   Asterisk 13
    https://downloads.asterisk.org/pub/security/AST-2021-005-16.diff   Asterisk 16
    https://downloads.asterisk.org/pub/security/AST-2021-005-17.diff   Asterisk 17
    https://downloads.asterisk.org/pub/security/AST-2021-005-18.diff   Asterisk 18
    https://downloads.asterisk.org/pub/security/AST-2021-005-16.8.diff Certified Asterisk 16.8

  Links
    https://issues.asterisk.org/jira/browse/ASTERISK-29196
    https://downloads.asterisk.org/pub/security/AST-2021-005.html

  Asterisk Project Security Advisories are posted at
  http://www.asterisk.org/security

  This document may be superseded by later versions; if so, the latest
  version will be posted at
  http://downloads.digium.com/pub/security/AST-2021-005.pdf and
  http://downloads.digium.com/pub/security/AST-2021-005.html

  Revision History
    Date                Editor          Revisions Made
    February 8, 2021    Joshua Colp     Initial revision

               Asterisk Project Security Advisory - AST-2021-005
              Copyright (C) 2021 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in
  its original, unaltered form.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager.
If you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the appropriate
person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================