ESB-2014.0989 - [Win][UNIX/Linux] Asterisk: Multiple vulnerabilities

Date: 16 June 2014


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.0989
         Multiple vulnerabilities have been identified in Asterisk
                               16 June 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Asterisk
Publisher:         Digium
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Increased Privileges -- Existing Account      
                   Denial of Service    -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-4048 CVE-2014-4047 CVE-2014-4046
                   CVE-2014-4045  

Original Bulletin: 
   http://downloads.digium.com/pub/security/AST-2014-005.html
   http://downloads.digium.com/pub/security/AST-2014-006.html
   http://downloads.digium.com/pub/security/AST-2014-007.html
   http://downloads.digium.com/pub/security/AST-2014-008.html

Comment: This bulletin contains four (4) Digium security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

               Asterisk Project Security Advisory - AST-2014-005

         Product        Asterisk                                              
         Summary        Remote Crash in PJSIP Channel Driver's                
                        Publish/Subscribe Framework                           
    Nature of Advisory  Denial of Service                                     
      Susceptibility    Remote Unauthenticated Sessions                       
         Severity       Moderate                                              
      Exploits Known    No                                                    
       Reported On      March 17, 2014                                        
       Reported By      John Bigelow <jbigelow AT digium DOT com>             
        Posted On       June 12, 2014                                         
     Last Updated On    June 12, 2014                                         
     Advisory Contact   Kevin Harwell <kharwell AT digium DOT com>            
         CVE Name       CVE-2014-4045                                         

    Description  A remotely exploitable crash vulnerability exists in the     
                 PJSIP channel driver's pub/sub framework. If an attempt is   
                 made to unsubscribe when not currently subscribed and the    
                 endpoint's "sub_min_expiry" is set to zero, Asterisk tries   
                 to create an expiration timer with zero seconds, which is    
                 not allowed, so an assertion is raised.                      

    Resolution  Upgrade to a version with the patch integrated, apply the     
                patch, or make sure the "sub_min_expiry" endpoint             
                configuration option is greater than zero.                    

                               Affected Versions
                 Product               Release Series  
          Asterisk Open Source              12.x       All                    

                                  Corrected In    
                      Product                              Release            
             Asterisk Open Source 12.x                      12.3.1            

                                     Patches
    SVN URL                                                          Revision
    http://downloads.asterisk.org/pub/security/AST-2014-005-12.diff  Asterisk 12

       Links     https://issues.asterisk.org/jira/browse/ASTERISK-23489       

    Asterisk Project Security Advisories are posted at                        
    http://www.asterisk.org/security                                          
                                                                              
    This document may be superseded by later versions; if so, the latest      
    version will be posted at                                                 
    http://downloads.digium.com/pub/security/AST-2014-005.pdf and             
    http://downloads.digium.com/pub/security/AST-2014-005.html                

                                Revision History
          Date                  Editor                 Revisions Made         
    April 14, 2014     Kevin Harwell             Document Creation            
    June 12, 2014      Matt Jordan               Added CVE                    

               Asterisk Project Security Advisory - AST-2014-005
              Copyright (c) 2014 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

- ---------------------------------------------------------------------------
               Asterisk Project Security Advisory - AST-2014-006

          Product         Asterisk                                            
          Summary         Asterisk Manager User Unauthorized Shell Access     
     Nature of Advisory   Permission Escalation                               
       Susceptibility     Remote Authenticated Sessions                       
          Severity        Minor                                               
       Exploits Known     No                                                  
        Reported On       April 9, 2014                                       
        Reported By       Corey Farrell                                       
         Posted On        June 12, 2014                                       
      Last Updated On     June 12, 2014                                       
      Advisory Contact    Jonathan Rose < jrose AT digium DOT com >           
          CVE Name        CVE-2014-4046                                       

    Description  Manager users can execute arbitrary shell commands with the  
                 MixMonitor manager action. Asterisk does not require system  
                 class authorization for a manager user to use the            
                 MixMonitor action, so any manager user who is permitted to   
                 use manager commands can potentially execute shell commands  
                 as the user executing the Asterisk process.                  

    Resolution  Upgrade to a version with the patch integrated, apply the     
                patch, or do not allow users who should not have permission   
                to run shell commands to use AMI.                             

                               Affected Versions
                 Product               Release Series  
          Asterisk Open Source              11.x       All                    
          Asterisk Open Source              12.x       All                    
           Certified Asterisk               11.6       All                    

                                  Corrected In
                   Product                              Release               
             Asterisk Open Source                   11.10.1, 12.3.1           
              Certified Asterisk                       11.6-cert3             

                                     Patches
    SVN URL                                                            Revision
    http://downloads.asterisk.org/pub/security/AST-2014-006-11.diff    Asterisk 11
    http://downloads.asterisk.org/pub/security/AST-2014-006-12.diff    Asterisk 12
    http://downloads.asterisk.org/pub/security/AST-2014-006-11.6.diff  Certified Asterisk 11.6

       Links     https://issues.asterisk.org/jira/browse/ASTERISK-23609       

    Asterisk Project Security Advisories are posted at                        
    http://www.asterisk.org/security                                          
                                                                              
    This document may be superseded by later versions; if so, the latest      
    version will be posted at                                                 
    http://downloads.digium.com/pub/security/AST-2014-006.pdf and             
    http://downloads.digium.com/pub/security/AST-2014-006.html                

                                Revision History
          Date                  Editor                 Revisions Made         
    April 23, 2014     Jonathan Rose             Document Creation            
    June 12, 2014      Matt Jordan               Added CVE                    

               Asterisk Project Security Advisory - AST-2014-006
              Copyright (c) 2014 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.
- ---------------------------------------------------------------------------
               Asterisk Project Security Advisory - AST-2014-007

          Product         Asterisk                                            
          Summary         Exhaustion of Allowed Concurrent HTTP Connections   
     Nature of Advisory   Denial Of Service                                   
       Susceptibility     Remote Unauthenticated Sessions                     
          Severity        Moderate                                            
       Exploits Known     No                                                  
        Reported On       May 25, 2014                                        
        Reported By       Richard Mudgett                                     
         Posted On        May 9, 2014                                         
      Last Updated On     June 12, 2014                                       
      Advisory Contact    Richard Mudgett <rmudgett AT digium DOT com>        
          CVE Name        CVE-2014-4047                                       

    Description  Establishing a TCP or TLS connection to the configured HTTP  
                 or HTTPS port respectively in http.conf and then not         
                 sending or completing an HTTP request will tie up an HTTP    
                 session. By doing this repeatedly until the maximum number   
                 of open HTTP sessions is reached, legitimate requests are    
                 blocked.                                                     

    Resolution  The patched versions now have a session_inactivity timeout    
                option in http.conf that defaults to 30000 ms. Users should   
                upgrade to a corrected version, apply the released patches,   
                or disable HTTP support.                                      
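The workarounds given in AST-2014-005 (sub_min_expiry greater than zero on every
PJSIP endpoint), AST-2014-006 (no AMI write access for users who must not run shell
commands) and AST-2014-007 (no idle-session timeout exists before the corrected
versions) can all be checked from the configuration files. The script below is an
added example written for this bulletin, not Digium's code. It assumes the stock
file names pjsip.conf, manager.conf and http.conf and the option names quoted in
the advisories, and it runs against constructed sample files embedded in the
script; on a real host read the files from /etc/asterisk instead.

```python
"""Audit Asterisk config for the weak settings behind AST-2014-005, -006 and
-007.  Added example, not Digium's code: it assumes the stock file names
(pjsip.conf, manager.conf, http.conf) and the option names quoted in the
advisories.  The SAMPLE_* texts are constructed, not from a real system."""
import re
from typing import Dict, List, Optional, Tuple

Section = Dict[str, List[str]]            # key -> values in file order
SECTION_RE = re.compile(r'^\[([^\]]+)\](?:\(([^)]*)\))?$')
KEY_RE = re.compile(r'^([^=]+?)\s*=>?\s*(.*)$')

def parse_asterisk_conf(text: str) -> List[Tuple[str, Section]]:
    """Asterisk's INI dialect: [name](tmpl,...) headers, 'key = v' / 'key => v',
    ';' comments, repeated keys kept, '(!)' templates inherited but not listed.
    A list, not a dict: pjsip.conf reuses one name for an endpoint and its aor."""
    sections: List[Tuple[str, Section]] = []
    templates: Dict[str, Section] = {}
    current: Optional[Section] = None
    for raw in text.splitlines():
        line = raw.split(';', 1)[0].strip()
        if head := SECTION_RE.match(line):
            opts = [o.strip() for o in (head.group(2) or '').split(',') if o.strip()]
            current = {}
            for parent in opts:                       # inherited values first
                for key, vals in templates.get(parent, {}).items():
                    current.setdefault(key, []).extend(vals)
            if '!' in opts:
                templates[head.group(1)] = current
            else:
                sections.append((head.group(1), current))
        elif current is not None and (kv := KEY_RE.match(line)):
            current.setdefault(kv.group(1).strip(), []).append(kv.group(2).strip())
    return sections

def _last(sec: Section, key: str) -> Optional[str]:
    return sec[key][-1] if sec.get(key) else None

def check_sub_min_expiry(pjsip: List[Tuple[str, Section]]) -> List[str]:
    """AST-2014-005: endpoints whose sub_min_expiry is 0 or unset.  The workaround
    is a value > 0; unset is reported too, as the unpatched default is not assumed safe."""
    findings = []
    for name, sec in pjsip:
        if _last(sec, 'type') != 'endpoint':
            continue
        val = _last(sec, 'sub_min_expiry')
        if val is None:
            findings.append(f'{name}: sub_min_expiry not set')
        elif not val.isdigit() or int(val) == 0:
            findings.append(f'{name}: sub_min_expiry={val}')
    return findings

def check_ami_mixmonitor(manager: List[Tuple[str, Section]]) -> Dict[str, List[str]]:
    """AST-2014-006: AMI users whose write classes reach MixMonitor ('call' or
    'all'); unpatched, each can run a shell command as the Asterisk user.
    'without_system' are those never granted 'system', i.e. the actual escalation."""
    result: Dict[str, List[str]] = {'can_reach_mixmonitor': [], 'without_system': []}
    for user, sec in manager:
        classes = {c.strip().lower() for v in sec.get('write', []) for c in v.split(',')}
        if user != 'general' and classes & {'call', 'all'}:
            result['can_reach_mixmonitor'].append(user)
            if not classes & {'system', 'all'}:
                result['without_system'].append(user)
    return result

def check_http(http: List[Tuple[str, Section]]) -> List[str]:
    """AST-2014-007: listener enabled with no idle-session timeout.  session_inactivity
    exists only in the corrected versions (default 30000 ms); unpatched, disable HTTP."""
    general = next((sec for name, sec in http if name == 'general'), {})
    if ((_last(general, 'enabled') or '').lower() in ('yes', 'true', '1', 'on')
            and _last(general, 'session_inactivity') is None):
        return ['[general]: enabled=yes but session_inactivity is not set']
    return []

SAMPLE_PJSIP = """[phone](!)
type=endpoint
sub_min_expiry=0       ; weak: zero-second expiry timers
[6001](phone)
aors=6001
[6002](phone)
sub_min_expiry=60      ; overrides the template
[6003]
type=endpoint
[6001]
type=aor
"""
SAMPLE_MANAGER = """[general]
enabled = yes
[monitor]
write = call           ; enough for the MixMonitor action
[admin]
write = all
"""
SAMPLE_HTTP = """[general]
enabled=yes
"""

if __name__ == '__main__':
    print('AST-2014-005', check_sub_min_expiry(parse_asterisk_conf(SAMPLE_PJSIP)))
    print('AST-2014-006', check_ami_mixmonitor(parse_asterisk_conf(SAMPLE_MANAGER)))
    print('AST-2014-007', check_http(parse_asterisk_conf(SAMPLE_HTTP)))
```

The parser keeps repeated keys and follows (!) templates, because an endpoint that
inherits sub_min_expiry=0 from a template is just as exposed as one that sets it
directly. Endpoints with no sub_min_expiry at all are reported as well: the advisory
asks for a value greater than zero, so an unset value should be treated as unverified
rather than as safe.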

                               Affected Versions
                Product              Release Series  
         Asterisk Open Source            1.8.x       All versions             
         Asterisk Open Source             11.x       All versions             
         Asterisk Open Source             12.x       All versions             
          Certified Asterisk             1.8.15      All versions             
          Certified Asterisk              11.6       All versions             

                                  Corrected In
                 Product                              Release                 
          Asterisk Open Source               1.8.28.1, 11.10.1, 12.3.1        
           Certified Asterisk                1.8.15-cert6, 11.6-cert3         

                                     Patches
    SVN URL                                                              Revision
    http://downloads.asterisk.org/pub/security/AST-2014-007-1.8.diff     Asterisk 1.8
    http://downloads.asterisk.org/pub/security/AST-2014-007-11.diff      Asterisk 11
    http://downloads.asterisk.org/pub/security/AST-2014-007-12.diff      Asterisk 12
    http://downloads.asterisk.org/pub/security/AST-2014-007-1.8.15.diff  Certified Asterisk 1.8.15
    http://downloads.asterisk.org/pub/security/AST-2014-007-11.6.diff    Certified Asterisk 11.6

       Links     https://issues.asterisk.org/jira/browse/ASTERISK-23673       

    Asterisk Project Security Advisories are posted at                        
    http://www.asterisk.org/security                                          
                                                                              
    This document may be superseded by later versions; if so, the latest      
    version will be posted at                                                 
    http://downloads.digium.com/pub/security/AST-2014-007.pdf and             
    http://downloads.digium.com/pub/security/AST-2014-007.html                

                                Revision History
          Date                  Editor                 Revisions Made         
    May 9, 2014        Richard Mudgett           Document Creation            
    June 12, 2014      Matt Jordan               Added CVE                    

               Asterisk Project Security Advisory - AST-2014-007
              Copyright (c) 2014 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.
- ---------------------------------------------------------------------------
               Asterisk Project Security Advisory - AST-2014-008

         Product        Asterisk                                              
         Summary        Denial of Service in PJSIP Channel Driver             
                        Subscriptions                                         
    Nature of Advisory  Denial of Service                                     
      Susceptibility    Remote authenticated sessions                         
         Severity       Moderate                                              
      Exploits Known    No                                                    
       Reported On      May 28, 2014                                          
       Reported By      Mark Michelson                                        
        Posted On       June 12, 2014                                         
     Last Updated On    June 12, 2014                                         
     Advisory Contact   Mark Michelson <mmichelson AT digium DOT com>         
         CVE Name       CVE-2014-4048                                         

    Description  When a SIP transaction timeout caused a subscription to be   
                 terminated, the action taken by Asterisk was guaranteed to   
                 deadlock the thread on which SIP requests are serviced.      
                                                                              
                 Note that this behavior could only happen on established     
                 subscriptions, meaning that this could only be exploited if  
                 an attacker bypassed authentication and successfully         
                 subscribed to a real resource on the Asterisk server.        

    Resolution  The socket-servicing thread is now no longer capable of       
                dispatching synchronous tasks to other threads since that     
                may result in deadlocks.                                      
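The resolution above states a rule rather than a patch to read: the thread that
services SIP requests must never block on work it hands to another thread. The
model below is an added example, not Asterisk code, showing why that rule exists.
It assumes two threads, one standing in for the socket-servicing thread and one for
the serializer that owns a subscription, and it assumes that the final NOTIFY sent
when a subscription is terminated has to leave through the socket-servicing thread;
with a synchronous hand-off the two threads end up waiting on each other.

```python
"""Why the socket-servicing thread must not wait on work it hands to another
thread (the pattern corrected in AST-2014-008).  Added example, not Asterisk
code: 'io' stands for the thread that services SIP requests and 'sub' for the
serializer owning one subscription.  Assumption: the final NOTIFY sent on
termination has to go out via the io thread, which is what closes the cycle."""
import queue
import threading
from typing import Callable


class Worker:
    """A thread draining a queue of callables.  dispatch(sync=True) waits for
    completion with a timeout, so a deadlock shows up as False, not a hang."""

    def __init__(self, name: str) -> None:
        self.q: "queue.Queue[Callable[[], None]]" = queue.Queue()
        threading.Thread(target=self._run, name=name, daemon=True).start()

    def _run(self) -> None:
        while True:
            self.q.get()()

    def dispatch(self, fn: Callable[[], None], sync: bool, timeout: float) -> bool:
        done = threading.Event()

        def wrapped() -> None:
            try:
                fn()
            finally:
                done.set()

        self.q.put(wrapped)
        return done.wait(timeout) if sync else True


def simulate_transaction_timeout(sync_dispatch: bool, timeout: float = 0.5) -> bool:
    """Model the SIP transaction timeout that terminates a subscription.
    Returns True when the final NOTIFY made it out, False when the threads
    deadlocked (io waiting on sub, sub waiting on io)."""
    io, sub = Worker('io'), Worker('sub')
    notify_sent = threading.Event()
    hold = timeout * 4                     # inner waits outlive the outer check

    def send_notify() -> None:             # must run on io: it owns the socket
        notify_sent.set()

    def terminate_subscription() -> None:  # runs on sub, the subscription's serializer
        io.dispatch(send_notify, sync=True, timeout=hold)

    def on_transaction_timeout() -> None:  # runs on io when the timer fires
        sub.dispatch(terminate_subscription, sync=sync_dispatch, timeout=hold)

    io.dispatch(on_transaction_timeout, sync=False, timeout=hold)
    return notify_sent.wait(timeout)


if __name__ == '__main__':
    print('asynchronous hand-off completes:', simulate_transaction_timeout(False))
    print('synchronous hand-off completes: ', simulate_transaction_timeout(True))
```

With sync_dispatch=False the hand-off returns at once and the NOTIFY goes out; with
sync_dispatch=True the result is the deadlock the advisory describes, surfaced here
as False through a timeout rather than a hang. The inner waits deliberately outlive
the outer check so the result does not depend on which timeout fires first.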

                               Affected Versions
                Product              Release Series  
         Asterisk Open Source             12.x       All versions             

                                  Corrected In  
                     Product                              Release             
               Asterisk Open Source                        12.3.1             

                                     Patches
    SVN URL                                                          Revision
    http://downloads.asterisk.org/pub/security/AST-2014-008-12.diff  Asterisk 12

       Links     https://issues.asterisk.org/jira/browse/ASTERISK-23802       

    Asterisk Project Security Advisories are posted at                        
    http://www.asterisk.org/security                                          
                                                                              
    This document may be superseded by later versions; if so, the latest      
    version will be posted at                                                 
    http://downloads.digium.com/pub/security/AST-2014-008.pdf and             
    http://downloads.digium.com/pub/security/AST-2014-008.html                

                                Revision History
          Date                  Editor                 Revisions Made         
    June 6, 2014       Mark Michelson            Document Creation            
    June 12, 2014      Matt Jordan               Added CVE                    

               Asterisk Project Security Advisory - AST-2014-008
              Copyright (c) 2014 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================