Australia's Leading Computer Emergency Response Team
ESB-2012.0401 - [UNIX/Linux] Asterisk: Multiple vulnerabilities

Date: 24 April 2012
References: ESB-2012.0411  

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0401
             Asterisk Project Security Advisory - AST-2012-004
                               24 April 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Asterisk
Publisher:         Asterisk
Operating System:  UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Denial of Service               -- Existing Account
                   Unauthorised Access             -- Existing Account
Resolution:        Patch/Upgrade

Original Bulletin: 
   http://downloads.digium.com/pub/security/AST-2012-004.html
   http://downloads.digium.com/pub/security/AST-2012-005.html
   http://downloads.digium.com/pub/security/AST-2012-006.html

Comment: This bulletin contains three (3) Asterisk security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

               Asterisk Project Security Advisory - AST-2012-004

          Product         Asterisk                                            
          Summary         Asterisk Manager User Unauthorized Shell Access     
     Nature of Advisory   Permission Escalation                               
       Susceptibility     Remote Authenticated Sessions                       
          Severity        Minor                                               
       Exploits Known     No                                                  
        Reported On       February 23, 2011                                   
        Reported By       David Woolley                                       
         Posted On        April 23, 2012                                      
      Last Updated On     April 23, 2012                                      
      Advisory Contact    Jonathan Rose < jrose AT digium DOT com >           
          CVE Name        

    Description  A user of the Asterisk Manager Interface can bypass a        
                 security check and execute shell commands when they lack     
                 permission to do so. Under normal conditions, a user should  
                 only be able to run shell commands if that user has System   
                 class authorization. Users could bypass this restriction by  
                 using the MixMonitor application with the originate action   
                 or by using either the GetVar or Status manager actions in   
                 combination with the SHELL and EVAL functions. The patch     
                 adds checks in each affected action to verify if a user has  
                 System class authorization. If the user does not have those  
                 authorizations, Asterisk rejects the action if it detects    
                 the use of any functions or applications that run system     
                 commands.                                                    

    Resolution  Asterisk now performs checks against manager commands that    
                cause these behaviors for each of the affected actions.       

                               Affected Versions
                 Product               Release Series   Affected Versions
          Asterisk Open Source            1.6.2.x      All versions           
          Asterisk Open Source             1.8.x       All versions           
          Asterisk Open Source              10.x       All versions           
        Asterisk Business Edition          C.3.x       All versions           

                                  Corrected In
                  Product                              Release                
           Asterisk Open Source              1.6.2.24, 1.8.11.1, 10.3.1       
         Asterisk Business Edition                     C.3.7.4                

                                     Patches                          
                                SVN URL                               Revision 
   http://downloads.asterisk.org/pub/security/AST-2012-004-1.6.2.diff v1.6.2   
   http://downloads.asterisk.org/pub/security/AST-2012-004-1.8.diff   v1.8     
   http://downloads.asterisk.org/pub/security/AST-2012-004-10.diff    v10      

       Links     https://issues.asterisk.org/jira/browse/ASTERISK-17465       

    Asterisk Project Security Advisories are posted at                        
    http://www.asterisk.org/security                                          
                                                                              
    This document may be superseded by later versions; if so, the latest      
    version will be posted at                                                 
    http://downloads.digium.com/pub/security/AST-2012-004.pdf and             
    http://downloads.digium.com/pub/security/AST-2012-004.html                

                                Revision History
          Date                  Editor                 Revisions Made         
    04/23/2012               Jonathan Rose             Initial Release              

               Asterisk Project Security Advisory - AST-2012-004
              Copyright (c) 2012 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

- ------------------------------------------------------------------------------

               Asterisk Project Security Advisory - AST-2012-005

          Product         Asterisk                                            
          Summary         Heap Buffer Overflow in Skinny Channel Driver       
     Nature of Advisory   Exploitable Heap Buffer Overflow                    
       Susceptibility     Remote Authenticated Sessions                       
          Severity        Minor                                               
       Exploits Known     No                                                  
        Reported On       March 26, 2012                                      
        Reported By       Russell Bryant                                      
         Posted On        April 23, 2012                                      
      Last Updated On     April 23, 2012                                      
      Advisory Contact    Matt Jordan < mjordan AT digium DOT com >           
          CVE Name        

    Description  In the Skinny channel driver, KEYPAD_BUTTON_MESSAGE events   
                 are queued for processing in a buffer allocated on the       
                 heap, where each DTMF value that is received is placed on    
                 the end of the buffer. Since the length of the buffer is     
                 never checked, an attacker could send sufficient             
                 KEYPAD_BUTTON_MESSAGE events such that the buffer is         
                 overrun.                                                     

    Resolution  The length of the buffer is now checked before appending a    
                value to the end of the buffer.                               
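The defect and its fix are a textbook unchecked append into a heap buffer. The following added example (not the Skinny channel driver's code; the queue struct, its capacity and the event simulation are constructed for the illustration) shows the unchecked pattern next to the bounded one, and a burst of events larger than the capacity being dropped rather than written past the allocation.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Capacity of the per-session DTMF queue. Constructed for this example. */
#define DTMF_QUEUE_CAP 16

struct dtmf_queue {
    char  *buf;   /* heap-allocated, DTMF_QUEUE_CAP bytes */
    size_t len;   /* digits currently queued */
};

struct dtmf_queue *dtmf_queue_new(void)
{
    struct dtmf_queue *q = calloc(1, sizeof *q);
    if (!q)
        return NULL;
    q->buf = calloc(DTMF_QUEUE_CAP, 1);
    if (!q->buf) {
        free(q);
        return NULL;
    }
    return q;
}

void dtmf_queue_free(struct dtmf_queue *q)
{
    if (q) {
        free(q->buf);
        free(q);
    }
}

/* The pattern described in AST-2012-005: the digit is written at the end of
 * the buffer with no bound check, so the (DTMF_QUEUE_CAP + 1)th event writes
 * past the heap allocation. Shown only to illustrate the defect; never called. */
void dtmf_append_unchecked(struct dtmf_queue *q, char digit)
{
    q->buf[q->len++] = digit;
}

/* Hardened append: the length is checked before the write; a full queue
 * causes the event to be dropped instead of corrupting the heap. */
bool dtmf_append(struct dtmf_queue *q, char digit)
{
    if (q->len >= DTMF_QUEUE_CAP)
        return false;
    q->buf[q->len++] = digit;
    return true;
}

/* Drain queued digits into out (at least DTMF_QUEUE_CAP + 1 bytes),
 * NUL-terminated. Returns the number of digits drained. */
size_t dtmf_queue_drain(struct dtmf_queue *q, char *out)
{
    size_t n = q->len;
    memcpy(out, q->buf, n);
    out[n] = '\0';
    q->len = 0;
    return n;
}

/* Simulate a burst of KEYPAD_BUTTON_MESSAGE events, one per character in
 * `digits`. Returns how many were queued; the remainder were dropped. */
size_t receive_keypad_events(struct dtmf_queue *q, const char *digits)
{
    size_t accepted = 0;
    for (const char *p = digits; *p; p++)
        if (dtmf_append(q, *p))
            accepted++;
    return accepted;
}

int main(void)
{
    struct dtmf_queue *q = dtmf_queue_new();
    char out[DTMF_QUEUE_CAP + 1];
    /* 24 events against a capacity of 16: the last 8 are dropped. */
    size_t n = receive_keypad_events(q, "0123456789*#0123456789*#");
    printf("queued %zu of 24 events\n", n);
    dtmf_queue_drain(q, out);
    printf("drained: %s\n", out);
    dtmf_queue_free(q);
    return 0;
}
```

Dropping is the right failure mode for a DTMF queue: a peer that sends more key presses than the driver can consume between drains is either misbehaving or malicious, and the dropped count is worth logging per session so that floods are visible in monitoring.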

                               Affected Versions
                Product              Release Series   Affected Versions
         Asterisk Open Source           1.6.2.x      All Versions             
         Asterisk Open Source            1.8.x       All Versions             
         Asterisk Open Source             10.x       All Versions             

                                  Corrected In
                Product                              Release                  
          Asterisk Open Source              1.6.2.24, 1.8.11.1, 10.3.1        

                                     Patches                          
                                SVN URL                               Revision 
   http://downloads.asterisk.org/pub/security/AST-2012-005-1.6.2.diff v1.6.2   
   http://downloads.asterisk.org/pub/security/AST-2012-005-1.8.diff   v1.8     
   http://downloads.asterisk.org/pub/security/AST-2012-005-10.diff    v10      

       Links     https://issues.asterisk.org/jira/browse/ASTERISK-19592       

    Asterisk Project Security Advisories are posted at                        
    http://www.asterisk.org/security                                          
                                                                              
    This document may be superseded by later versions; if so, the latest      
    version will be posted at                                                 
    http://downloads.digium.com/pub/security/AST-2012-005.pdf and             
    http://downloads.digium.com/pub/security/AST-2012-005.html                

                                Revision History
          Date                  Editor                 Revisions Made         
    04/16/2012         Matt Jordan               Initial Release              

               Asterisk Project Security Advisory - AST-2012-005
              Copyright (c) 2012 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

- ------------------------------------------------------------------------------

               Asterisk Project Security Advisory - AST-2012-006

          Product         Asterisk                                            
          Summary         Remote Crash Vulnerability in SIP Channel Driver    
     Nature of Advisory   Remote Crash                                        
       Susceptibility     Remote Authenticated Sessions                       
          Severity        Moderate                                            
       Exploits Known     No                                                  
        Reported On       April 16, 2012                                      
        Reported By       Thomas Arimont                                      
         Posted On        April 23, 2012                                      
      Last Updated On     April 23, 2012                                      
      Advisory Contact    Matt Jordan < mjordan AT digium DOT com >           
          CVE Name        

    Description  A remotely exploitable crash vulnerability exists in the     
                 SIP channel driver if a SIP UPDATE request is processed      
                 within a particular window of time. For this to occur, the   
                 following must take place:                                   
                                                                              
                 1. The setting 'trustrpid' must be set to True               
                                                                              
                 2. An UPDATE request must be received after a call has been  
                 terminated and the associated channel object has been        
                 destroyed, but before the SIP dialog associated with the     
                 call has been destroyed. Receiving the UPDATE request        
                 before the call is terminated or after the SIP dialog        
                 associated with the call has been destroyed will not cause   
                 the crash vulnerability described here.                      
                                                                              
                 3. The UPDATE request must be formatted with the             
                 appropriate headers to reflect an Asterisk connected line    
                 update. The information in the headers must reflect a        
                 different Caller ID than what was previously associated      
                 with the dialog.                                             
                                                                              
                 When these conditions are true, Asterisk will attempt to     
                 perform a connected line update with no associated channel,  
                 and will crash.                                              

    Resolution  Asterisk now ensures a channel exists before performing a     
                connected line update, when that connected line update is     
                initiated via a SIP UPDATE request.                           
                                                                              
                In Asterisk versions not containing the fix for this issue,   
                setting the 'trustrpid' setting to False will prevent this    
                crash from occurring (the default is False).                  
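The three conditions describe a window between two teardown steps: the channel object is gone but the dialog still matches incoming requests. The following added example (not chan_sip code; the `channel` and `sip_dialog` structs, the result enum and the teardown helpers are constructed for this illustration) walks an UPDATE through each state and shows both the fix (refuse the connected line update when no channel exists) and the advisory's workaround (`trustrpid` off, so the headers are never honoured).

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Minimal stand-ins for the channel and SIP dialog objects (constructed). */
struct channel {
    char caller_num[32];
};

struct sip_dialog {
    struct channel *owner;   /* NULL once the channel has been destroyed */
    char caller_num[32];     /* Caller ID last associated with this dialog */
    bool trustrpid;          /* the 'trustrpid' setting from the advisory */
    bool destroyed;          /* dialog torn down: no longer matches requests */
};

enum update_result {
    UPDATE_APPLIED,            /* connected line changed on the channel */
    UPDATE_NO_CHANGE,          /* same Caller ID as before (condition 3 not met) */
    UPDATE_IGNORED_UNTRUSTED,  /* trustrpid=False: identity headers not honoured */
    UPDATE_IGNORED_NO_CHANNEL, /* the fix: channel already destroyed */
    UPDATE_NO_DIALOG,          /* dialog already destroyed: nothing to update */
};

void dialog_init(struct sip_dialog *d, struct channel *ch, const char *num, bool trustrpid)
{
    memset(d, 0, sizeof *d);
    d->owner = ch;
    d->trustrpid = trustrpid;
    snprintf(d->caller_num, sizeof d->caller_num, "%s", num);
    snprintf(ch->caller_num, sizeof ch->caller_num, "%s", num);
}

/* Call termination destroys the channel first; the dialog lingers until
 * its own teardown. The gap between the two is the window in condition 2. */
void call_terminated(struct sip_dialog *d) { d->owner = NULL; }
void dialog_destroyed(struct sip_dialog *d) { d->destroyed = true; }

/* Handle a SIP UPDATE that carries a connected line identity (rpid_num). */
enum update_result handle_sip_update(struct sip_dialog *d, const char *rpid_num)
{
    if (d->destroyed)
        return UPDATE_NO_DIALOG;
    if (!d->trustrpid)
        return UPDATE_IGNORED_UNTRUSTED;       /* workaround from the advisory */
    if (strcmp(rpid_num, d->caller_num) == 0)
        return UPDATE_NO_CHANGE;
    if (!d->owner)
        return UPDATE_IGNORED_NO_CHANNEL;      /* the fix: no channel, no update */
    /* Unfixed code dereferenced d->owner here; with owner == NULL that is the crash. */
    snprintf(d->owner->caller_num, sizeof d->owner->caller_num, "%s", rpid_num);
    snprintf(d->caller_num, sizeof d->caller_num, "%s", rpid_num);
    return UPDATE_APPLIED;
}

int main(void)
{
    struct channel ch;
    struct sip_dialog d;
    dialog_init(&d, &ch, "1000", true);
    printf("live call, new id:      %d\n", handle_sip_update(&d, "2000"));
    call_terminated(&d);
    printf("channel gone, new id:   %d\n", handle_sip_update(&d, "3000"));
    dialog_destroyed(&d);
    printf("dialog gone, new id:    %d\n", handle_sip_update(&d, "3000"));
    return 0;
}
```

The ordering of the checks matters: the `trustrpid` test comes before any use of the dialog's channel, which is why the workaround is effective on unpatched versions, and the `owner` test sits immediately before the only dereference.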

                               Affected Versions
                 Product               Release Series   Affected Versions
          Asterisk Open Source             1.8.x       All versions           
          Asterisk Open Source              10.x       All versions           
        Asterisk Business Edition          C.3.x       All versions           

                                  Corrected In
                    Product                              Release              
              Asterisk Open Source                   1.8.11.1, 10.3.1         
           Asterisk Business Edition                     C.3.7.4              

                                    Patches                         
                               SVN URL                              Revision  
   http://downloads.asterisk.org/pub/security/AST-2012-006-1.8.diff v1.8      
   http://downloads.asterisk.org/pub/security/AST-2012-006-10.diff  v10       

       Links     https://issues.asterisk.org/jira/browse/ASTERISK-19770       

    Asterisk Project Security Advisories are posted at                        
    http://www.asterisk.org/security                                          
                                                                              
    This document may be superseded by later versions; if so, the latest      
    version will be posted at                                                 
    http://downloads.digium.com/pub/security/AST-2012-006.pdf and             
    http://downloads.digium.com/pub/security/AST-2012-006.html                

                                Revision History
          Date                 Editor                  Revisions Made         
    04/16/2012         Matt Jordan              Initial release.              

               Asterisk Project Security Advisory - AST-2012-006
              Copyright (c) 2012 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----