===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.0019
     Asterisk Project Security Advisory - AST-2012-014 & AST-2012-015
                              8 January 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Asterisk Open Source
                   Certified Asterisk
                   Asterisk Digiumphones
Publisher:         Asterisk
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-5976 CVE-2012-5977

Original Bulletin: 
   http://downloads.digium.com/pub/security/AST-2012-014.html
   http://downloads.digium.com/pub/security/AST-2012-015.html

Comment: This bulletin contains two (2) Asterisk security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

               Asterisk Project Security Advisory - AST-2012-014

         Product        Asterisk                                              
         Summary        Crashes due to large stack allocations when using     
                        TCP                                                   
    Nature of Advisory  Stack Overflow                                        
      Susceptibility    Remote Unauthenticated Sessions (SIP)                 
                                                                              
                        Remote Authenticated Sessions (XMPP, HTTP)            
         Severity       Critical                                              
      Exploits Known    No                                                    
       Reported On      7 November, 2012                                      
       Reported By      Walter Doekes                                         
        Posted On       2 January, 2013                                       
     Last Updated On    January 2, 2013                                       
     Advisory Contact   Mark Michelson <mmichelson AT digium DOT com>         
         CVE Name       CVE-2012-5976                                         

    Description  Asterisk has several places where messages received over     
                 various network transports may be copied in a single stack   
                 allocation. In the case of TCP, since multiple packets in a  
                 stream may be concatenated together, this can lead to large  
                 allocations that overflow the stack.                         
                                                                              
                 In the case of SIP, it is possible to do this before a       
                 session is established. Keep in mind that SIP over UDP is    
                 not affected by this vulnerability.                          
                                                                              
                 With HTTP and XMPP, a session must first be established      
                 before the vulnerability may be exploited. The XMPP          
                 vulnerability exists both in the res_jabber.so module in     
                 Asterisk 1.8, 10, and 11 as well as the res_xmpp.so module   
                 in Asterisk 11.                                              

    Resolution  Stack allocations when using TCP have either been eliminated  
                in favor of heap allocations or have had an upper bound       
                placed on them to ensure that the stack will not overflow.    
                                                                              
                For SIP, the allocation now has an upper limit.               
                                                                              
                For HTTP, the allocation is now a heap allocation instead of  
                a stack allocation.                                           
                                                                              
                For XMPP, the allocation has been eliminated since it was     
                unnecessary.                                                  
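
    The allocation pattern the advisory describes, and the two ways it was
    closed, as an added example in C. This is illustrative code written for
    this bulletin, not Asterisk's source or the linked patches; the function
    names, the 4096-byte cap, the toy line counter and the sample header line
    are assumptions chosen for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Largest message this example will stage on the stack.  The number is an
 * assumption for illustration, not the limit Asterisk chose. */
#define MAX_STACK_MSG 4096

/* Stand-in for real message processing: counts CRLF-terminated lines. */
static size_t count_lines(const char *buf, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i + 1 < len; i++)
        if (buf[i] == '\r' && buf[i + 1] == '\n')
            n++;
    return n;
}

/* VULNERABLE shape: the stack buffer is sized by whatever the transport has
 * accumulated.  A UDP datagram bounds `len`; a TCP peer can keep the stream
 * open and withhold the terminator until `len` is megabytes, at which point
 * the VLA runs off the end of the thread stack.  Comparison only. */
size_t vulnerable_stack_copy(const char *stream, size_t len)
{
    char buf[len];                 /* attacker-controlled allocation size */
    memcpy(buf, stream, len);
    return count_lines(buf, len);
}

/* Fix A (what the advisory did for SIP): fixed-size stack buffer plus a hard
 * cap on the input; an oversized message is refused (-1), not copied. */
int bounded_stack_copy(const char *stream, size_t len, size_t *lines)
{
    char buf[MAX_STACK_MSG];       /* size no longer depends on input */
    if (len > MAX_STACK_MSG)
        return -1;
    memcpy(buf, stream, len);
    *lines = count_lines(buf, len);
    return 0;
}

/* Fix B (what the advisory did for HTTP): stage the copy on the heap, where
 * an oversized request fails cleanly (malloc returns NULL) rather than
 * corrupting the stack.  A policy cap on `len` is still worth adding. */
int heap_copy(const char *stream, size_t len, size_t *lines)
{
    char *buf = malloc(len);
    if (!buf)
        return -1;
    memcpy(buf, stream, len);
    *lines = count_lines(buf, len);
    free(buf);
    return 0;
}

/* Constructed input: n copies of one SIP-style header line, i.e. what a TCP
 * client could send indefinitely without ever ending the message. */
static char *build_stream(size_t n, size_t *len)
{
    static const char line[] = "Via: SIP/2.0/TCP 192.0.2.10;branch=z9hG4bK-example\r\n";
    size_t l = sizeof(line) - 1;
    char *s = malloc(n * l);
    if (!s) return NULL;
    for (size_t i = 0; i < n; i++)
        memcpy(s + i * l, line, l);
    *len = n * l;
    return s;
}

/* 1 if the bounded variant accepts a stream of n lines, 0 if it refuses it,
 * -1 if the test input could not be allocated. */
int bounded_accepts(size_t n)
{
    size_t len, lines;
    char *s = build_stream(n, &len);
    if (!s) return -1;
    int rc = bounded_stack_copy(s, len, &lines);
    free(s);
    return rc == 0;
}

/* Lines the heap variant parses from a stream of n lines, or -1 on failure. */
long heap_lines_for(size_t n)
{
    size_t len, lines;
    char *s = build_stream(n, &len);
    if (!s) return -1;
    int rc = heap_copy(s, len, &lines);
    free(s);
    return rc == 0 ? (long)lines : -1;
}

int main(void)
{
    printf("bounded: 10 lines -> %d, 100000 lines -> %d; heap: %ld lines\n",
           bounded_accepts(10), bounded_accepts(100000), heap_lines_for(100000));
    return 0;
}
```

    The point to take from the comparison: over UDP the datagram size bounds
    the stack use for free, over TCP the bound has to be imposed explicitly,
    either by capping the input (fix A) or by moving the copy off the stack
    (fix B). Fix B on its own trades a stack overflow for unbounded heap
    growth, so a size cap is still worth having alongside it.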

                               Affected Versions
            Product           Release Series    
     Asterisk Open Source          1.8.x        All versions                  
     Asterisk Open Source          10.x         All versions                  
     Asterisk Open Source          11.x         All versions                  
      Certified Asterisk          1.8.11        SIP: unaffected               
                                                                              
                                                HTTP and XMPP: All versions   
     Asterisk Digiumphones   10.x-digiumphones  All versions                  

                                  Corrected In
                 Product                              Release                 
          Asterisk Open Source               1.8.19.1, 10.11.1, 11.1.1        
           Certified Asterisk                      1.8.11-cert10              
          Asterisk Digiumphones                10.11.1-digiumphones           

                                    Patches
                               SVN URL                              Revision
   http://downloads.asterisk.org/pub/security/AST-2012-014-1.8.diff Asterisk 1.8
   http://downloads.asterisk.org/pub/security/AST-2012-014-10.diff  Asterisk 10
   http://downloads.asterisk.org/pub/security/AST-2012-014-11.diff  Asterisk 11

       Links     https://issues.asterisk.org/jira/browse/ASTERISK-20658       

    Asterisk Project Security Advisories are posted at                        
    http://www.asterisk.org/security                                          
                                                                              
    This document may be superseded by later versions; if so, the latest      
    version will be posted at                                                 
    http://downloads.digium.com/pub/security/AST-2012-014.pdf and             
    http://downloads.digium.com/pub/security/AST-2012-014.html                

                                Revision History
          Date              Editor                 Revisions Made             
    19 November, 2012  Mark Michelson    Initial Draft                        
    02 January, 2013   Matt Jordan       Removed ABE from affected products   

               Asterisk Project Security Advisory - AST-2012-014
              Copyright (c) 2012 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

------------------------------------------------------------------------------

               Asterisk Project Security Advisory - AST-2012-015

         Product        Asterisk                                              
         Summary        Denial of Service Through Exploitation of Device      
                        State Caching                                         
    Nature of Advisory  Denial of Service                                     
      Susceptibility    Remote Unauthenticated Sessions                       
         Severity       Critical                                              
      Exploits Known    None                                                  
       Reported On      26 July, 2012                                         
       Reported By      Russell Bryant                                        
        Posted On       2 January, 2013                                       
     Last Updated On    January 2, 2013                                       
     Advisory Contact   Matt Jordan <mjordan AT digium DOT com>               
         CVE Name       CVE-2012-5977                                         

    Description  Asterisk maintains an internal cache for devices. The        
                 device state cache holds the state of each device known to   
                 Asterisk, such that consumers of device state information    
                 can query for the last known state for a particular device,  
                 even if it is not part of an active call. The concept of a   
                 device in Asterisk can include things that do not have a     
                 physical representation. One way that this currently occurs  
                 is when anonymous calls are allowed in Asterisk. A device    
                 is automatically created and stored in the cache for each    
                 anonymous call that occurs; this is possible in the SIP and  
                 IAX2 channel drivers and through channel drivers that        
                 utilize the res_jabber/res_xmpp resource modules (Gtalk,     
                 Jingle, and Motif). Attackers exploiting this vulnerability  
                 can attack an Asterisk system configured to allow anonymous  
                 calls by varying the source of the anonymous call,           
                 continually adding devices to the device state cache and     
                 consuming a system's resources.                              

    Resolution  Channels that are not associated with a physical device are   
                no longer stored in the device state cache. This affects      
                Local, DAHDI, SIP and IAX2 channels, and any channel drivers  
                built on the res_jabber/res_xmpp resource modules (Gtalk,     
                Jingle, and Motif).                                           
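
    The mechanism behind the exhaustion, and the effect of the fix, as an
    added example in C. This is illustrative code written for this bulletin,
    not Asterisk's device state implementation. The cache structure, the
    configured_peers list that stands in for "has a physical representation",
    and the device names minted for anonymous calls are all assumptions made
    for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NBUCKETS 1024

struct entry { char *device; int state; struct entry *next; };

/* Chained hash table keyed by device name, with no bound and no expiry:
 * exactly the property that makes attacker-chosen keys dangerous. */
struct devstate_cache {
    struct entry *buckets[NBUCKETS];
    size_t count;
    int skip_transient;          /* 0 = pre-fix behaviour, 1 = post-fix */
};

static unsigned bucket_of(const char *s)
{
    unsigned h = 5381;
    while (*s)
        h = h * 33 + (unsigned char)*s++;
    return h % NBUCKETS;
}

/* Assumption for this example: a device has a "physical representation" when
 * it names a configured peer, checked against a static list.  Names minted
 * for anonymous calls never appear here. */
static const char *configured_peers[] = { "SIP/alice", "SIP/bob", "IAX2/trunk" };

static int is_configured_device(const char *device)
{
    for (size_t i = 0; i < sizeof configured_peers / sizeof *configured_peers; i++)
        if (strcmp(device, configured_peers[i]) == 0)
            return 1;
    return 0;
}

/* Record a state change.  Returns 1 if stored or updated, 0 if the fix dropped
 * it (nothing to cache for a transient device), -1 on allocation failure. */
int devstate_update(struct devstate_cache *c, const char *device, int state)
{
    if (c->skip_transient && !is_configured_device(device))
        return 0;
    unsigned b = bucket_of(device);
    for (struct entry *e = c->buckets[b]; e; e = e->next)
        if (strcmp(e->device, device) == 0) {
            e->state = state;
            return 1;
        }
    size_t len = strlen(device) + 1;
    struct entry *e = malloc(sizeof *e);
    if (!e || !(e->device = malloc(len))) {
        free(e);
        return -1;
    }
    memcpy(e->device, device, len);
    e->state = state;
    e->next = c->buckets[b];
    c->buckets[b] = e;
    c->count++;
    return 1;
}

void devstate_free(struct devstate_cache *c)
{
    for (size_t b = 0; b < NBUCKETS; b++)
        while (c->buckets[b]) {
            struct entry *e = c->buckets[b];
            c->buckets[b] = e->next;
            free(e->device);
            free(e);
        }
    c->count = 0;
}

/* Constructed scenario: one call from a configured peer, then n anonymous
 * calls, each from a different source address/port so every call mints a new
 * device name (the naming scheme is invented for the example).  Returns the
 * number of entries left in the cache. */
size_t simulate_flood(size_t n, int with_fix)
{
    struct devstate_cache c = { {0}, 0, with_fix };
    char name[64];
    devstate_update(&c, "SIP/alice", 1);
    for (size_t i = 0; i < n; i++) {
        snprintf(name, sizeof name, "SIP/198.51.100.%zu:%zu",
                 i % 256, 1024 + i / 256);
        devstate_update(&c, name, 1);
    }
    size_t count = c.count;
    devstate_free(&c);
    return count;
}

int main(void)
{
    printf("50000 anonymous calls: %zu entries without fix, %zu with fix\n",
           simulate_flood(50000, 0), simulate_flood(50000, 1));
    return 0;
}
```

    Without the fix every distinct source address becomes a permanent cache
    entry, so the attacker's cost is one call per entry and the server's cost
    is memory it never reclaims; with the fix only the configured peer is
    cached. The general lesson is that any long-lived state keyed by an
    attacker-chosen identifier needs either a membership test of this kind,
    a bound, or an expiry. Independently of the patch, the precondition the
    advisory names (anonymous calls allowed) can be removed on systems that
    do not need guest calls, for chan_sip with allowguest=no in sip.conf.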

                               Affected Versions
               Product               Release Series    
         Asterisk Open Source             1.8.x        All Versions           
         Asterisk Open Source             10.x         All Versions           
         Asterisk Open Source             11.x         All Versions           
          Certified Asterisk             1.8.11        All Versions           
        Asterisk Digiumphones       10.x-digiumphones  All Versions           

                                  Corrected In
                 Product                              Release                 
          Asterisk Open Source               1.8.19.1, 10.11.1, 11.1.1        
           Certified Asterisk                      1.8.11-cert10              
          Asterisk Digiumphones                10.11.1-digiumphones           

                                    Patches
                               SVN URL                              Revision
   http://downloads.asterisk.org/pub/security/AST-2012-015-1.8.diff Asterisk 1.8
   http://downloads.asterisk.org/pub/security/AST-2012-015-10.diff  Asterisk 10
   http://downloads.asterisk.org/pub/security/AST-2012-015-11.diff  Asterisk 11

       Links     https://issues.asterisk.org/jira/browse/ASTERISK-20175       

    Asterisk Project Security Advisories are posted at                        
    http://www.asterisk.org/security                                          
                                                                              
    This document may be superseded by later versions; if so, the latest      
    version will be posted at                                                 
    http://downloads.digium.com/pub/security/AST-2012-015.pdf and             
    http://downloads.digium.com/pub/security/AST-2012-015.html                

                                Revision History
          Date                  Editor                 Revisions Made         
    19 November 2012   Matt Jordan               Initial Draft                

               Asterisk Project Security Advisory - AST-2012-015
              Copyright (c) 2012 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================