AST-2014-009: Remote Crash Based On Malformed SIP Subscription Requests
Asterisk Project Security Advisory – AST-2014-009
Product Asterisk
Summary Remote crash based on malformed SIP subscription
requests
Nature of Advisory Remotely triggered crash of Asterisk
Susceptibility Remote authenticated sessions
Severity Major
Exploits Known No
Reported On 30 July, 2014
Reported By Mark Michelson
Posted On 18 September, 2014
Last Updated On September 18, 2014
Advisory Contact Mark Michelson
CVE Name Pending
Description It is possible to trigger a crash in Asterisk by sending a
SIP SUBSCRIBE request with unexpected mixes of headers for
a given event package. The crash occurs because Asterisk
allocates data of one type at one layer and then interprets
the data as a separate type at a different layer. The crash
requires that the SUBSCRIBE be sent from a configured
endpoint, and the SUBSCRIBE must pass any authentication
that has been configured.
Note that this crash is Asterisk’s PJSIP-based
res_pjsip_pubsub module and not in the old chan_sip module.
Resolution Type-safety has been built into the pubsub API where it
previously was absent. A test has been added to the
testsuite that previously would have triggered the crash.
Affected Versions
Product Release
Series
Asterisk Open Source 1.8.x Unaffected
Asterisk Open Source 11.x Unaffected
Asterisk Open Source 12.x 12.1.0 and up
Certified Asterisk 1.8.15 Unaffected
Certified Asterisk 11.6 Unaffected
Corrected In
Product Release
Asterisk Open Source 12.5.1
Patches
SVN URL Revision
http://downloads.asterisk.org/pub/security/AST-2014-009-12.diff Asterisk
12
Links https://issues.asterisk.org/jira/browse/ASTERISK-24136
Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security
This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2014-009.pdf and
http://downloads.digium.com/pub/security/AST-2014-009.html
Revision History
Date Editor Revisions Made
19 August, 2014 Mark Michelson Initial version of document
Asterisk Project Security Advisory – AST-2014-009
Copyright (c) 2014 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.