
===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0624
                   Asterisk Project Security Advisories
                             19 February 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Asterisk
Publisher:         Asterisk
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-26906 CVE-2021-26717 CVE-2021-26714
                   CVE-2021-26712 CVE-2020-35776 

Original Bulletin: 
   http://downloads.asterisk.org/pub/security/AST-2021-001.html
   http://downloads.asterisk.org/pub/security/AST-2021-002.html
   http://downloads.asterisk.org/pub/security/AST-2021-003.html
   http://downloads.asterisk.org/pub/security/AST-2021-004.html
   http://downloads.asterisk.org/pub/security/AST-2021-005.html

Comment: This bulletin contains five (5) Asterisk security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

Asterisk Project Security Advisory - AST-2021-001

       Product         Asterisk

       Summary         Remote crash in res_pjsip_diversion

 Nature of Advisory    Denial of service

   Susceptibility      Remote authenticated sessions

      Severity         Moderate

   Exploits Known      No

     Reported On       December 28 2020

     Reported By       Ivan Poddubny

      Posted On        January 04 2021

   Last Updated On     January 04 2021

  Advisory Contact     gjoseph AT sangoma DOT com

      CVE Name         CVE-2020-35776



     Description       If a registered user is tricked into dialing a malicious number that sends lots
                       of 181 responses to Asterisk, each one will cause a 181 to be sent back to the
                       original caller with an increasing number of entries in the Supported  
                       header. Eventually the number of entries in the header exceeds the size of the
                       entry array and causes a crash.

  Modules Affected     res_pjsip_diversion.c


     Resolution        Before updating the Supported header with a new entry, Asterisk now checks
                       that the entry doesn't already exist and that adding an entry won't exceed
                       the size of the entry array.
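The resolution above rests on two checks made before a Supported entry is appended: the tag must be new, and the array must have room. The following is an added illustration written for this bulletin, not Asterisk's or PJSIP's code; the header struct, its capacity of 8, the "histinfo" tag string and the function names are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a fixed-capacity Supported header. The sizes, types
 * and names are this example's own, not res_pjsip_diversion's or PJSIP's. */
#define SUPPORTED_MAX   8     /* capacity of the entry array */
#define OPTION_TAG_LEN  32    /* longest option tag we store */

enum supported_result { SUPPORTED_ADDED, SUPPORTED_DUPLICATE, SUPPORTED_FULL };

struct supported_hdr {
    int  count;
    char tags[SUPPORTED_MAX][OPTION_TAG_LEN];
};

/* Append an option tag only if it is new and the array still has room;
 * both checks happen before anything is written. */
enum supported_result supported_add(struct supported_hdr *hdr, const char *tag)
{
    for (int i = 0; i < hdr->count; i++) {
        if (strcmp(hdr->tags[i], tag) == 0) {
            return SUPPORTED_DUPLICATE;   /* already advertised: nothing to do */
        }
    }
    if (hdr->count >= SUPPORTED_MAX) {
        return SUPPORTED_FULL;            /* refuse instead of writing past the end */
    }
    snprintf(hdr->tags[hdr->count], OPTION_TAG_LEN, "%s", tag);
    hdr->count++;
    return SUPPORTED_ADDED;
}

/* The reported scenario: every 181 from the far end makes Asterisk relay a
 * 181 that adds the same tag again. Returns the entry count afterwards. */
int relay_181_storm(int responses)
{
    struct supported_hdr hdr = { 0 };
    for (int i = 0; i < responses; i++) {
        supported_add(&hdr, "histinfo");   /* constructed tag, same every time */
    }
    return hdr.count;
}

/* Fill the array with distinct tags, then try to add one more. */
enum supported_result overfill_result(void)
{
    struct supported_hdr hdr = { 0 };
    char tag[OPTION_TAG_LEN];
    for (int i = 0; i < SUPPORTED_MAX; i++) {
        snprintf(tag, sizeof(tag), "tag%d", i);
        supported_add(&hdr, tag);
    }
    return supported_add(&hdr, "one-too-many");
}

int main(void)
{
    printf("entries after 1000 x 181: %d\n", relay_181_storm(1000));
    printf("add past capacity: %s\n",
           overfill_result() == SUPPORTED_FULL ? "refused" : "accepted");
    return 0;
}
```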


                               Affected Versions

              Product                  Release
                                       Series

       Asterisk Open Source             13.x      13.38.1

       Asterisk Open Source             16.x      16.15.1

       Asterisk Open Source             17.x      17.9.1

       Asterisk Open Source             18.x      18.1.1


                                 Corrected In

                     Product                                             Release

               Asterisk Open Source                          13.38.2, 16.16.1, 17.9.2, 18.2.1


                                    Patches

                    Patch URL                                            Revision

https://downloads.digium.com/pub/security/AST-2021-001-13.diff       13.38.2

https://downloads.digium.com/pub/security/AST-2021-001-16.diff       16.16.1

https://downloads.digium.com/pub/security/AST-2021-001-17.diff       17.9.2

https://downloads.digium.com/pub/security/AST-2021-001-18.diff       18.2.1



        Links          https://issues.asterisk.org/jira/browse/ASTERISK-29227

                       https://downloads.asterisk.org/pub/security/AST-2021-001.html


Asterisk Project Security Advisories are posted at http://www.asterisk.org/
security

This document may be superseded by later versions; if so, the latest version
will be posted at https://downloads.digium.com/pub/security/AST-2021-001.pdf
and https://downloads.digium.com/pub/security/AST-2021-001.html


                               Revision History

         Date                   Editor                              Revisions Made

December 29, 2020        George Joseph          Initial revision


               Asterisk Project Security Advisory - AST-2021-001
              Copyright (C) 2020 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

--------------------------------------------------------------------------------

Asterisk Project Security Advisory - AST-2021-002

       Product         Asterisk

       Summary         Remote crash possible when negotiating T.38

 Nature of Advisory    Denial of service

   Susceptibility      Remote authenticated sessions

      Severity         Minor

   Exploits Known      No

     Reported On       December 8, 2020

     Reported By       Gregory Massel

      Posted On

   Last Updated On     February 5, 2021

  Advisory Contact     kharwell AT sangoma DOT com

      CVE Name         CVE-2021-26717



     Description       When re-negotiating for T.38, if the initial remote response was delayed
                       just enough, Asterisk would send both audio and T.38 in the SDP. If this
                       happened, and the remote responded with a declined T.38 stream, then
                       Asterisk would crash.

  Modules Affected     res_pjsip_session.c, res_pjsip_t38.c


     Resolution        When re-negotiating for T.38 and a delay occurs, Asterisk now sends SDP only
                       for the expected T.38 stream. A check was also put in place to ensure that a
                       T.38 media stream is active within Asterisk when attempting to change state
                       for fax.


                               Affected Versions

              Product                  Release    Introduced
                                       Series

       Asterisk Open Source             16.x      16.15.0

       Asterisk Open Source             17.x      17.9.0

       Asterisk Open Source             18.x      18.1.0

        Certified Asterisk              16.8      16.8-cert4


                                 Corrected In

                     Product                                             Release

               Asterisk Open Source                              16.16.1, 17.9.2, 18.2.1

                Certified Asterisk                                      16.8-cert6


                                    Patches

                     Patch URL                                           Revision

https://downloads.asterisk.org/pub/security/AST-2021-002-16.diff     Asterisk 16

https://downloads.asterisk.org/pub/security/AST-2021-002-17.diff     Asterisk 17

https://downloads.asterisk.org/pub/security/AST-2021-002-18.diff     Asterisk 18

https://downloads.asterisk.org/pub/security/AST-2021-002-16.8.diff   Certified Asterisk 16.8-cert6



        Links          https://issues.asterisk.org/jira/browse/ASTERISK-29203

                       https://downloads.asterisk.org/pub/security/AST-2021-002.html


Asterisk Project Security Advisories are posted at http://www.asterisk.org/
security

This document may be superseded by later versions; if so, the latest version
will be posted at http://downloads.digium.com/pub/security/AST-2021-002.pdf
and http://downloads.digium.com/pub/security/AST-2021-002.html


                               Revision History

        Date                    Editor                               Revisions Made

February 1, 2021       Kevin Harwell             Initial revision


               Asterisk Project Security Advisory - AST-2021-002
              Copyright (C) 2021 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

--------------------------------------------------------------------------------

Asterisk Project Security Advisory - AST-2021-003

       Product         Asterisk

       Summary         Remote attacker could prematurely tear down SRTP calls

 Nature of Advisory    Denial of Service

   Susceptibility      Remote unauthenticated sessions

      Severity         Moderate

   Exploits Known      No

     Reported On       January 22, 2021

     Reported By       Alexander Traud

      Posted On

   Last Updated On     February 18, 2021

  Advisory Contact     gjoseph AT sangoma DOT com

      CVE Name         CVE-2021-26712



     Description       An unauthenticated remote attacker could replay SRTP packets which could cause
                       an Asterisk instance configured without strict RTP validation to tear down
                       calls prematurely.

  Modules Affected     res_srtp.c res_rtp_asterisk.c


     Resolution        Asterisk now implements SRTP replay protection via an srtpreplayprotection
                       option in rtp.conf. The default is yes.
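Replay protection of the kind the srtpreplayprotection option turns on works by remembering which packet indices have already been accepted, so a re-sent packet is dropped before it can disturb the call. The code below is an added example of such a sliding window in the style of RFC 3711 section 3.3.2; it is not res_srtp.c or the SRTP library Asterisk uses, and the window struct, function names and sample index stream are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Sliding replay window in the style of RFC 3711 section 3.3.2, written for
 * this bulletin; not res_srtp.c and not the SRTP library Asterisk uses. The
 * input is the SRTP packet index already derived from ROC and sequence
 * number (index estimation is out of scope here). */
#define REPLAY_WINDOW 64u   /* RFC 3711 requires a window of at least 64 */

struct replay_win {
    bool     started;
    uint64_t top;      /* highest index accepted so far */
    uint64_t bitmap;   /* bit d set: index (top - d) already accepted */
};

/* Step 1, before authentication: may this index still be accepted? */
bool replay_check(const struct replay_win *w, uint64_t idx)
{
    if (!w->started || idx > w->top) {
        return true;                              /* newest seen so far */
    }
    uint64_t d = w->top - idx;
    if (d >= REPLAY_WINDOW) {
        return false;                             /* older than the window */
    }
    return (w->bitmap & ((uint64_t)1 << d)) == 0; /* set bit means replay */
}

/* Step 2, only after the packet authenticated: record the index. */
void replay_update(struct replay_win *w, uint64_t idx)
{
    if (!w->started) {
        w->started = true; w->top = idx; w->bitmap = 1;
    } else if (idx > w->top) {
        uint64_t shift = idx - w->top;            /* slide the window up */
        w->bitmap = (shift >= REPLAY_WINDOW) ? 0 : (w->bitmap << shift);
        w->bitmap |= 1;
        w->top = idx;
    } else {
        w->bitmap |= (uint64_t)1 << (w->top - idx);
    }
}

/* Run an index stream through a fresh window, assuming every packet
 * authenticates; returns how many were accepted (replays and stale drop). */
size_t count_accepted(const uint64_t *idx, size_t n)
{
    struct replay_win w = { 0 };
    size_t accepted = 0;
    for (size_t i = 0; i < n; i++) {
        if (replay_check(&w, idx[i])) {
            replay_update(&w, idx[i]);
            accepted++;
        }
    }
    return accepted;
}

/* Constructed stream: in-order packets, two replays, a jump, a stale packet. */
const uint64_t SAMPLE_IDX[] = { 1, 2, 3, 2, 4, 1, 100, 3, 101, 100, 40 };
#define SAMPLE_N (sizeof(SAMPLE_IDX) / sizeof(SAMPLE_IDX[0]))

size_t sample_accepted(void) { return count_accepted(SAMPLE_IDX, SAMPLE_N); }
```

Of the eleven constructed indices, the two repeats of 2 and 1, the stale 3 after the jump to 100 and the repeat of 100 are dropped; the other seven are accepted.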


                               Affected Versions

              Product                  Release
                                       Series

       Asterisk Open Source             13.x      13.38.1

       Asterisk Open Source             16.x      16.16.0

       Asterisk Open Source             17.x      17.9.1

       Asterisk Open Source             18.x      18.2.0

        Certified Asterisk              16.x      16.8-cert5


                                 Corrected In

                     Product                                             Release

               Asterisk Open Source                          13.38.2, 16.16.1, 17.9.2, 18.2.1

                Certified Asterisk                                      16.8-cert6


                                    Patches

                    Patch URL                                            Revision

https://downloads.asterisk.org/pub/security/AST-2021-003-13.diff     13.38.2

https://downloads.asterisk.org/pub/security/AST-2021-003-16.diff     16.16.1

https://downloads.asterisk.org/pub/security/AST-2021-003-17.diff     17.9.2

https://downloads.asterisk.org/pub/security/AST-2021-003-18.diff     18.2.1

https://downloads.asterisk.org/pub/security/AST-2021-003-16.8.diff   Certified Asterisk 16.8-cert6



        Links          https://issues.asterisk.org/jira/browse/ASTERISK-29260

                       https://downloads.asterisk.org/pub/security/AST-2021-003.html


Asterisk Project Security Advisories are posted at http://www.asterisk.org/
security

This document may be superseded by later versions; if so, the latest version
will be posted at https://downloads.digium.com/pub/security/AST-2021-003.pdf
and https://downloads.digium.com/pub/security/AST-2021-003.html


                               Revision History

       Date                   Editor                                Revisions Made

February 4, 2021     George Joseph              Initial

February 5, 2021     George Joseph              Added CVE ID


               Asterisk Project Security Advisory - AST-2021-003
              Copyright (C) 2021 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

--------------------------------------------------------------------------------

Asterisk Project Security Advisory - AST-2021-004

       Product         Asterisk

       Summary         An unsuspecting user could crash Asterisk with multiple hold/unhold requests

 Nature of Advisory    Denial of Service

   Susceptibility      Remote authenticated sessions

      Severity         Moderate

   Exploits Known      No

     Reported On       December 9, 2020

     Reported By       Edvin Vidmar

      Posted On

   Last Updated On     February 11, 2021

  Advisory Contact     gjoseph AT sangoma DOT com

      CVE Name         CVE-2021-26714



     Description       Due to a signedness comparison mismatch, an authenticated WebRTC client could
                       cause a stack overflow and Asterisk crash by sending multiple hold/unhold
                       requests in quick succession.

  Modules Affected     res_rtp_asterisk.c


     Resolution        The packet size comparison terms have been corrected.
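The advisory names a signedness comparison mismatch in a packet size check as the cause of the stack overflow. Below is an added example of that bug class beside a check whose terms agree; it is an illustration for this bulletin, not the code in res_rtp_asterisk.c, and the buffer size, function names and lengths are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed illustration of the bug class the advisory names. The buffer
 * size, names and functions are this example's own, not res_rtp_asterisk.c. */
#define PKT_BUF_SIZE 64u   /* stack buffer a payload is copied into */
#define RTP_HDR_LEN  12u   /* fixed RTP header length (RFC 3550) */

/* How a negative length arises: sizes on the wire are unsigned, but a
 * subtraction held in an int goes negative when the packet is shorter than
 * the header it claims to carry. */
int payload_len(size_t pkt_len, size_t hdr_len)
{
    return (int)pkt_len - (int)hdr_len;       /* e.g. 8 - 12 = -4 */
}

/* Mismatched terms: the check is done in signed arithmetic, so it only
 * rejects "too large". A negative length passes, and the memcpy() that
 * follows takes a size_t, turning -4 into a huge count that overruns the
 * stack buffer. */
bool len_ok_mismatched(int len)
{
    return len <= (int)PKT_BUF_SIZE;          /* -4 <= 64 is true: the bug */
}

/* Consistent terms: reject negatives first, then compare as size_t on both
 * sides so no implicit conversion changes the meaning of the test. */
bool len_ok_consistent(int len)
{
    return len >= 0 && (size_t)len <= PKT_BUF_SIZE;
}

/* Copy guarded by the consistent check; returns bytes copied, 0 if rejected. */
size_t copy_payload(unsigned char *dst, size_t dst_size,
                    const unsigned char *src, int len)
{
    if (len < 0 || (size_t)len > dst_size) {
        return 0;
    }
    memcpy(dst, src, (size_t)len);
    return (size_t)len;
}

/* Drive the guarded copy with a constructed source of the requested length. */
size_t copy_demo(int len)
{
    unsigned char src[PKT_BUF_SIZE] = { 0 };
    unsigned char dst[PKT_BUF_SIZE];
    return copy_payload(dst, sizeof(dst), src, len);
}
```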


                               Affected Versions

              Product                  Release
                                       Series

       Asterisk Open Source             16.x      16.16.0

       Asterisk Open Source             17.x      17.9.1

       Asterisk Open Source             18.x      18.2.0

        Certified Asterisk              16.x      16.8-cert5


                                 Corrected In

                     Product                                             Release

               Asterisk Open Source                              16.16.1, 17.9.2, 18.2.1

                Certified Asterisk                                      16.8-cert6



                                    Patches

                    Patch URL                                            Revision

https://downloads.asterisk.org/pub/security/AST-2021-004-16.diff     Asterisk 16

https://downloads.asterisk.org/pub/security/AST-2021-004-17.diff     Asterisk 17

https://downloads.asterisk.org/pub/security/AST-2021-004-18.diff     Asterisk 18

https://downloads.asterisk.org/pub/security/AST-2021-004-16.8.diff   Certified Asterisk 16.8-cert6



        Links          https://issues.asterisk.org/jira/browse/ASTERISK-29205

                       https://downloads.asterisk.org/pub/security/AST-2021-004.html


Asterisk Project Security Advisories are posted at http://www.asterisk.org/
security

This document may be superseded by later versions; if so, the latest version
will be posted at https://downloads.digium.com/pub/security/AST-2021-004.pdf
and https://downloads.digium.com/pub/security/AST-2021-004.html


                               Revision History

       Date                   Editor                                Revisions Made

February 4, 2021     George Joseph              Initial revision

February 9, 2021     George Joseph              Added CVE


               Asterisk Project Security Advisory - AST-2021-004
              Copyright (C) 2021 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

--------------------------------------------------------------------------------

Asterisk Project Security Advisory - AST-2021-005

       Product         Asterisk

       Summary         Remote Crash Vulnerability in PJSIP channel driver

 Nature of Advisory    Denial of Service

   Susceptibility      Remote Unauthenticated Sessions

      Severity         Moderate

   Exploits Known      No

     Reported On       December 4, 2020

     Reported By       Mauri de Souza Meneguzzo (3CPlus)

      Posted On        February 8, 2021

   Last Updated On     February 8, 2021

  Advisory Contact     Jcolp AT sangoma DOT com

      CVE Name         CVE-2021-26906



     Description       Given a scenario where an outgoing call is placed from Asterisk to a remote SIP
                       server it is possible for a crash to occur.


                       The code responsible for negotiating SDP in SIP responses incorrectly assumes
                       that SDP negotiation will always be successful. If a SIP response containing an
                       SDP that can not be negotiated is received a subsequent SDP negotiation on the
                       same call can cause a crash.


                       If the accept_multiple_sdp_answers option in the system section of
                       pjsip.conf is set to yes then any subsequent non-forked SIP response with
                       SDP can trigger this crash.


                       If the follow_early_media_fork option in the system section of
                       pjsip.conf is set to yes (the default) then any subsequent SIP responses
                       with SDP from a forked destination can trigger this crash.


                       If a 200 OK with SDP is received from a forked destination it can also trigger
                       this crash, even if the follow_early_media_fork option is not set to yes.


                       In all cases this relies on a race condition with tight timing where the second
                       SDP negotiation occurs before termination of the call due to the initial SDP
                       negotiation failure.

  Modules Affected     res_pjsip_session.c, PJSIP


     Resolution        The issue has been fixed in PJSIP by changing the behavior of the
                       pjmedia_sdp_neg_modify_local_offer2 function. If SDP was previously negotiated
                       the code no longer assumes that it was successful and instead checks that SDP
                       was negotiated.


                       This issue can only be resolved by upgrading to a fixed version or applying the
                       provided patch.


                               Affected Versions

              Product                  Release
                                       Series

       Asterisk Open Source             13.x      All versions

       Asterisk Open Source             16.x      All versions

       Asterisk Open Source             17.x      All versions

       Asterisk Open Source             18.x      All versions

        Certified Asterisk              16.x      All versions


                                 Corrected In

                     Product                                             Release

               Asterisk Open Source                          13.38.2, 16.16.1, 17.9.2, 18.2.1

                Certified Asterisk                                      16.8-cert6


                                    Patches

                    Patch URL                                            Revision

https://downloads.asterisk.org/pub/security/AST-2021-005-13.diff     Asterisk 13

https://downloads.asterisk.org/pub/security/AST-2021-005-16.diff     Asterisk 16

https://downloads.asterisk.org/pub/security/AST-2021-005-17.diff     Asterisk 17

https://downloads.asterisk.org/pub/security/AST-2021-005-18.diff     Asterisk 18

https://downloads.asterisk.org/pub/security/AST-2021-005-16.8.diff   Certified Asterisk 16.8



        Links          https://issues.asterisk.org/jira/browse/ASTERISK-29196

                       https://downloads.asterisk.org/pub/security/AST-2021-005.html


Asterisk Project Security Advisories are posted at http://www.asterisk.org/
security

This document may be superseded by later versions; if so, the latest version
will be posted at http://downloads.digium.com/pub/security/AST-2021-005.pdf
and http://downloads.digium.com/pub/security/AST-2021-005.html


                               Revision History

       Date                   Editor                                Revisions Made

February 8, 2021     Joshua Colp                Initial revision


               Asterisk Project Security Advisory - AST-2021-005
              Copyright (C) 2021 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================