Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2011.1231.2 Two Asterisk vulnerabilities found and patched 20 December 2011 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Asterisk Publisher: Asterisk Operating System: UNIX variants (UNIX, Linux, OSX) Impact/Access: Access Privileged Data -- Remote/Unauthenticated Denial of Service -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2011-4598 CVE-2011-4597 Reference: ESB-2011.1268 Original Bulletin: http://downloads.asterisk.org/pub/security/AST-2011-013.pdf http://downloads.asterisk.org/pub/security/AST-2011-014.pdf Comment: This bulletin contains two (2) Asterisk security advisories. Revision History: December 20 2011: CVE numbers have been assigned December 12 2011: Initial Release - --------------------------BEGIN INCLUDED TEXT-------------------- Asterisk Project Security Advisory - AST-2011-013 Product Asterisk Summary Possible remote enumeration of SIP endpoints with differing NAT settings Nature of Advisory Unauthorized data disclosure Susceptibility Remote unauthenticated sessions Severity Minor Exploits Known Yes Reported On 2011-07-18 Reported By Ben Williams Posted On Last Updated On December 7, 2011 Advisory Contact Terry Wilson <twilson@digium.com> CVE Name Description It is possible to enumerate SIP usernames when the general and user/peer NAT settings differ in whether to respond to the port a request is sent from or the port listed for responses in the Via header. In 1.4 and 1.6.2, this would mean if one setting was nat=yes or nat=route and the other was either nat=no or nat=never. In 1.8 and 10, this would mean when one was nat=force_rport or nat=yes and the other was nat=no or nat=comedia. Resolution Handling NAT for SIP over UDP requires the differing behavior introduced by these options. To lessen the frequency of unintended username disclosure, the default NAT setting was changed to always respond to the port from which we received the request-the most commonly used option. Warnings were added on startup to inform administrators of the risks of having a SIP peer configured with a different setting than that of the general setting. The documentation now strongly suggests that peers are no longer configured for NAT individually, but through the global setting in the "general" context. Affected Versions Product Release Series Asterisk Open Source All All versions Corrected In As this is more of an issue with SIP over UDP in general, there is no fix supplied other than documentation on how to avoid the problem. The default NAT setting has been changed to what we believe the most commonly used setting for the respective version in Asterisk 1.4.43, 1.6.2.21, and 1.8.7.2. Links Asterisk Project Security Advisories are posted at http://www.asterisk.org/security This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2011-013.pdf and http://downloads.digium.com/pub/security/AST-2011-013.html Revision History Date Editor Revisions Made Asterisk Project Security Advisory - AST-2011-013 Copyright (c) 2011 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form. - ------------------------------------------------------------------------------ Asterisk Project Security Advisory - AST-2011-014 Product Asterisk Summary Remote crash possibility with SIP and the "automon" feature enabled Nature of Advisory Remote crash vulnerability in a feature that is disabled by default Susceptibility Remote unauthenticated sessions Severity Moderate Exploits Known Yes Reported On November 2, 2011 Reported By Kristijan Vrban Posted On 2011-11-03 Last Updated On December 7, 2011 Advisory Contact Terry Wilson <twilson@digium.com> CVE Name Description When the "automon" feature is enabled in features.conf, it is possible to send a sequence of SIP requests that cause Asterisk to dereference a NULL pointer and crash. Resolution Applying the referenced patches that check that the pointer is not NULL before accessing it will resolve the issue. The "automon" feature can be disabled in features.conf as a workaround. Affected Versions Product Release Series Asterisk Open Source 1.6.2.x All versions Asterisk Open Source 1.8.x All versions Corrected In Product Release Asterisk Open Source 1.6.2.21, 1.8.7.2 Patches Download URL Revision http://downloads.asterisk.org/pub/security/AST-2011-014-1.6.2.diff 1.6.2.20 http://downloads.asterisk.org/pub/security/AST-2011-014-1.8.diff 1.8.7.1 Links Asterisk Project Security Advisories are posted at http://www.asterisk.org/security This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2011-014.pdf and http://downloads.digium.com/pub/security/AST-2011-014.html Revision History Date Editor Revisions Made Asterisk Project Security Advisory - AST-2011-014 Copyright (c) 2011 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBTu/fme4yVqjM2NGpAQLUgQ//ZPbp4TZ//L7HARV/z+otGnFB5GR/Pw6h uWpvjyJuDn706G3ahjTf8S+VBjPF3qqEEBjR7b1PBipp4efFHYsGKZk/V78kQqU9 Yz1Fv1wxenyc8W5FRTCMKF6yVrI9eWz3KDyLkpWAmSg7tUTqchHYq+UORqairlmx +BmquslzCphh4RK9ok2mbyHp9Gs3sR3VLhUkk1Cq/oMFyWpKK0hXP7dPWxDPUIC7 g5dyFij1js1uV5kzzWdj97WMUtHp6slG97Iq/Pm5B8XjySwLO1BAaVO3/mW2VVVU CN1WeG/rS1HVqQEdoF1oQLF799acxlyoetilCC3i3AkVO3M8iO/Y60EFc7TymOA6 ifEZQ0uYVzqR8KcdiPa93Sh0+68ZijdxeQCY5v/dA/mWE+alUanC2DQimlBooKyI +26YtVIs2lhOumj4CYdSFS2BcV1oopYNz+rVFBRpGu76rYM0VanCeMLetaoBxyjj 6KGUplwTvH6tJSvZBZLcDq8eFAb2pzkEaqaOLQkX/6iCeruuDz8fk5SVQ3DnlK3M 7BrlrKfp2HfRwegyqlUKzFZMBAyRoy5EFqFIOktEDGhkEqKctFKxubG32cuzmqMk 9kMFGCf4tayo1VfqzOJ20t+mdKS/b0wcXMMYIc0mMeIb/6LKBIyaQvvs/Xke2mN7 H/8GBCa/6vQ= =afJr -----END PGP SIGNATURE-----