Asterisk Project Security Advisory – AST-2012-006

Product Asterisk
Summary Remote Crash Vulnerability in SIP Channel Driver
Nature of Advisory Remote Crash
Susceptibility Remote Authenticated Sessions
Severity Moderate
Exploits Known No
Reported On April 16, 2012
Reported By Thomas Arimont
Posted On April 23, 2012
Last Updated On April 23, 2012
Advisory Contact Matt Jordan < mjordan AT digium DOT com >
CVE Name

Description A remotely exploitable crash vulnerability exists in the
SIP channel driver if a SIP UPDATE request is processed
within a particular window of time. For this to occur, the
following must take place:

1. The setting ‘trustrpid’ must be set to True

2. An UPDATE request must be received after a call has been
terminated and the associated channel object has been
destroyed, but before the SIP dialog associated with the
call has been destroyed. Receiving the UPDATE request
before the call is terminated or after the SIP dialog
associated with the call will not cause the crash
vulnerability described here.

3. The UPDATE request must be formatted with the
appropriate headers to reflect an Asterisk connected line
update. The information in the headers must reflect a
different Caller ID then what was previously associated
with the dialog.

When these conditions are true, Asterisk will attempt to
perform a connected line update with no associated channel,
and will crash.

Resolution Asterisk now ensures a channel exists before performing a
connected line update, when that connected line update is
initiated via a SIP UPDATE request.

In Asterisk versions not containing the fix for this issue,
setting the ‘trustrpid’ setting to False will prevent this
crash from occurring (default is False)

Affected Versions
Product Release Series
Asterisk Open Source 1.8.x All versions
Asterisk Open Source 10.x All versions
Asterisk Business Edition C.3.x All versions

Corrected In
Product Release
Asterisk Open Source 1.8.11.1, 10.3.1
Asterisk Business Edition C.3.7.4

Patches
SVN URL Revision
http://downloads.asterisk.org/pub/security/AST-2012-006-1.8.diff v1.8
http://downloads.asterisk.org/pub/security/AST-2012-006-10.diff v.10

Links https://issues.asterisk.org/jira/browse/ASTERISK-19770

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2012-006.pdf and
http://downloads.digium.com/pub/security/AST-2012-006.html

Revision History
Date Editor Revisions Made
04/16/2012 Matt Jordan Initial release.

Asterisk Project Security Advisory – AST-2012-006
Copyright (c) 2012 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.

In the Skinny channel driver, KEYPAD_BUTTON_MESSAGE events are queued for processing in a buffer allocated on the heap, where each DTMF value that is received is placed on the end of the buffer. Since the length of the buffer is never checked, an attacker could send sufficient KEYPAD_BUTTON_MESSAGE events such that the buffer is overrun.

Now, the length of the buffer is now checked before appending a value to the end of the buffer.

Affected Versions:

• Product Release Series
• Asterisk Open Source 1.6.2.x All Versions
• Asterisk Open Source 1.8.x All Versions
• Asterisk Open Source 10.x All Versions

Corrected In Product Release:

• Asterisk Open Source 1.6.2.24, 1.8.11.1, 10.3.1

Asterisk Project Security Advisory – AST-2012-003

Product Asterisk
Summary Stack Buffer Overflow in HTTP Manager
Nature of Advisory Exploitable Stack Buffer Overflow
Susceptibility Remote Unauthenticated Sessions
Severity Critical
Exploits Known No
Reported On 03/15/2012
Reported By Russell Bryant
Posted On 03/15/2012
Last Updated On March 15, 2012
Advisory Contact Matt Jordan < mjordan AT digium DOT com >
CVE Name

Description An attacker attempting to connect to an HTTP session of the
Asterisk Manager Interface can send an arbitrarily long
string value for HTTP Digest Authentication. This causes a
stack buffer overflow, with the possibility of remote code
injection.

Resolution Upgrade to one of the versions of Asterisk listed in the
“Corrected In” section, or apply a patch specified in the
“Patches” section.

Affected Versions
Product Release Series
Asterisk Open Source 1.8.x All versions
Asterisk Open Source 10.x All versions

Corrected In
Product Release
Asterisk Open Source 1.8.10.1
Asterisk Open Source 10.2.1

Patches
SVN URL Revision
http://downloads.asterisk.org/pub/security/AST-2012-003-1.8.diff v1.8
http://downloads.asterisk.org/pub/security/AST-2012-003-10.diff v10

Links https://issues.asterisk.org/jira/browse/ASTERISK-19542

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest
version will be posted at http://downloads.digium.com/pub/security/.pdf
and http://downloads.digium.com/pub/security/.html

Revision History
Date Editor Revisions Made
03-15-2012 Matt Jordan Initial release

Asterisk Project Security Advisory – AST-2012-003
Copyright (c) 2012 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.

Asterisk Project Security Advisory – AST-2012-002

Product Asterisk
Summary Remote Crash Vulnerability in Milliwatt Application
Nature of Advisory Exploitable Stack Buffer Overflow with locally
defined data
Susceptibility Remote Unauthenticated Sessions
Severity Minor
Exploits Known No
Reported On 03/14/2012
Reported By Russell Bryant
Posted On 03/15/2012
Last Updated On March 15, 2012
Advisory Contact Matt Jordan
CVE Name

Description An attacker can cause Asterisk to crash in one of two ways:

1. A dialplan uses the Milliwatt application with ‘o’
option

2. The internal_timing opion in asterisk.conf is off

3. The attacker sends a large audio packet. The number of
samples in the audio packet determines the number of
internal data samples that are copied into the buffer. This
overruns the buffer, potentially causing a crash.

OR

1. A diaplan uses the Milliwatt application with the ‘o’
option

2. The attacker negotiates a media format with a sampling
rate greater than 32kHz. The application will attempt to
generate an audio packet using the sample rate of the
negotiated format, where the sample rate will require a
number of data points greater then the size of the buffer.
Again, the the application copies a number of internal data
samples into the buffer that are greater then the size of
the buffer, potentially causing a crash.

Note that the latter attack vector is only possible in
Asterisk 10, as it supports codecs with a sample rate
greater then 32kHz.

Resolution Upgrade to one of the versions of Asterisk listed in the
“Corrected In” section, or apply a patch specified in the
“Patches” section.

Affected Versions
Product Release Series
Asterisk Open Source 1.4.x All Versions
Asterisk Open Source 1.6.2.x All Versions
Asterisk Open Source 1.8.x All Versions
Asterisk Open Source 10.x All Versions

Corrected In
Product Release
Asterisk Open Source 1.4.44
Asterisk Open Source 1.6.2.23
Asterisk Open Source 1.8.10.1
Asterisk Open Source 10.2.1

Patches
SVN URL Revision
http://downloads.asterisk.org/pub/security/AST-2012-002-1.4.diff v1.4
http://downloads.asterisk.org/pub/security/AST-2012-002-1.6.2.diff v1.6.2
http://downloads.asterisk.org/pub/security/AST-2012-002-1.8.diff v1.8
http://downloads.asterisk.org/pub/security/AST-2012-002-10.diff v10

Links https://issues.asterisk.org/jira/browse/ASTERISK-19541

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest
version will be posted at http://downloads.digium.com/pub/security/.pdf
and http://downloads.digium.com/pub/security/.html

Revision History
Date Editor Revisions Made
03/15/2012 Matt Jordan Initial Release

Asterisk Project Security Advisory – AST-2012-002
Copyright (c) 2012 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.

The Asterisk Development Team is pleased to announce the release of Asterisk 1.8.9.0. This release is available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk/

The release of Asterisk 1.8.9.0 resolves several issues reported by the community and would have not been possible without your participation.

Thank you!

The following is a sample of the issues resolved in this release:

* AST-2012-001: prevent crash when an SDP offer is received with an encrypted video stream when support for video is disabled and res_srtp is loaded. (closes issue ASTERISK-19202)
Reported by: Catalin Sanda

* Handle AST_CONTROL_UPDATE_RTP_PEER frames in local bridge loop. Failing
to handle AST_CONTROL_UPDATE_RTP_PEER frames in the local bridge loop
causes the loop to exit prematurely. This causes a variety of negative side
effects, depending on when the loop exits. This patch handles the frame by
essentially swallowing the frame in the local loop, as the current channel
drivers expect the RTP bridge to handle the frame, and, in the case of the
local bridge loop, no additional action is necessary.
(closes issue ASTERISK-19095) Reported by: Stefan Schmidt Tested
by: Matt Jordan

* Fix timing source dependency issues with MOH. Prior to this patch,
res_musiconhold existed at the same module priority level as the timing
sources that it depends on. This would cause a problem when music on
hold was reloaded, as the timing source could be changed after
res_musiconhold was processed. This patch adds a new module priority
level, AST_MODPRI_TIMING, that the various timing modules are now loaded
at. This now occurs before loading other resource modules, such
that the timing source is guaranteed to be set prior to resolving
the timing source dependencies.
(closes issue ASTERISK-17474) Reporter: Luke H Tested by: Luke H,
Vladimir Mikhelson, zzsurf, Wes Van Tlghem, elguero, Thomas Arimont
Patched by elguero

* Fix RTP reference leak. If a blind transfer were initiated using a
REFER without a prior reINVITE to place the call on hold, AND if Asterisk
were sending RTCP reports, then there was a reference leak for the
RTP instance of the transferrer.
(closes issue ASTERISK-19192) Reported by: Tyuta Vitali

* Fix blind transfers from failing if an ‘h’ extension
is present. This prevents the ‘h’ extension from being run on the
transferee channel when it is transferred via a native transfer
mechanism such as SIP REFER. (closes issue ASTERISK-19173) Reported
by: Ross Beer Tested by: Kristjan Vrban Patches: ASTERISK-19173 by
Mark Michelson (license 5049)

* Restore call progress code for analog ports. Extracting sig_analog
from chan_dahdi lost call progress detection functionality. Fix
analog ports from considering a call answered immediately after
dialing has completed if the callprogress option is enabled.
(closes issue ASTERISK-18841)
Reported by: Richard Miller Patched by Richard Miller

* Fix regression that ‘rtp/rtcp set debup ip’ only works when a port
was also specified.
(closes issue ASTERISK-18693) Reported by: Davide Dal Reviewed by:
Walter Doekes

For a full list of changes in this release candidate, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.9.0

Thank you for your continued support of Asterisk!