-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2013.1815.2
   A number of vulnerabilities have been identified in Asterisk products
                              6 January 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Asterisk
Publisher:         Digium
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Increased Privileges -- Existing Account      
                   Denial of Service    -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-7100  

Original Bulletin: 
   http://downloads.digium.com/pub/security/AST-2013-006.html
   http://downloads.digium.com/pub/security/AST-2013-007.html

Comment: This bulletin contains two (2) Digium security advisories.

Revision History:  January   6 2014: Added CVE for bulletin AST-2013-006
                   December 18 2013: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

               Asterisk Project Security Advisory - AST-2013-006

         Product        Asterisk                                              
         Summary        Buffer Overflow when receiving odd length 16 bit SMS  
                        message                                               
    Nature of Advisory  Buffer Overflow and Remote Crash                      
      Susceptibility    Remote SMS Messages                                   
         Severity       Major                                                 
      Exploits Known    None                                                  
       Reported On      September 26, 2013                                    
       Reported By      Jan Juergens                                          
        Posted On       December 16, 2013                                     
     Last Updated On    December 16, 2013                                     
     Advisory Contact   Scott Griepentrog <sgriepentrog AT digium DOT com>    
         CVE Name       CVE-2013-7100                                               

    Description  A 16-bit SMS message that contains an odd message length
                 value will cause the message decoding loop to run forever.
                 The message buffer is not on the stack, but it will be
                 overflowed, resulting in corrupted memory and an immediate
                 crash.

    Resolution  This patch corrects the evaluation of the message length      
                indicator, ensuring that the message decoding loop will stop  
                at the end of the received message.                           
                                                                              
                Thanks to Jan Juergens for finding, reporting, testing, and   
                providing a fix for this problem.                             
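As an added illustration (not code from Asterisk or from the patches listed in this advisory), the decoder below handles a 16-bit SMS user-data field the way the resolution describes: the length indicator is validated before the loop starts, and the loop is bounded with `<` against both the input length and the output capacity, so an odd length can neither spin the loop nor run the buffer over. The function name, the 70-unit capacity and the sample bytes are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Capacity used for the output buffer in this example: 70 UCS-2 units fit
 * in a 140-octet SMS user data field. Illustrative bound, not a value
 * taken from the advisory. */
#define SMS16_MAX_UNITS 70

/* Decode big-endian 16-bit units from `data` (`len` octets) into `out`
 * (capacity `out_cap` units). Returns the number of units decoded, or -1
 * when the length indicator is invalid or the output would overflow.
 *
 * The class of bug the advisory describes: a loop of the form
 * `while (i != len) { ...; i += 2; }` never reaches `len` when `len` is
 * odd, and every extra pass writes one more unit past the end of `out`.
 * Two checks close it: reject an odd length up front, and bound the loop
 * with `<` against the input length and the output capacity. */
int sms16_decode(const uint8_t *data, size_t len, uint16_t *out, size_t out_cap)
{
    size_t i, n = 0;

    if (data == NULL || out == NULL)
        return -1;
    /* A 16-bit encoded message must carry an even number of octets. */
    if (len % 2 != 0)
        return -1;
    /* The output buffer must hold every unit the length indicator promises. */
    if (len / 2 > out_cap)
        return -1;

    /* `i + 1 < len` guarantees both octets of the unit are inside `data`,
     * and the capacity check above guarantees `out[n]` is inside `out`. */
    for (i = 0; i + 1 < len; i += 2)
        out[n++] = (uint16_t)((data[i] << 8) | data[i + 1]);

    return (int)n;
}

int main(void)
{
    /* Constructed sample user data: "Hi" as big-endian UCS-2 (4 octets),
     * and the same bytes truncated to an odd length of 3 octets. */
    static const uint8_t even_msg[] = {0x00, 0x48, 0x00, 0x69};
    static const uint8_t odd_msg[]  = {0x00, 0x48, 0x00};
    uint16_t units[SMS16_MAX_UNITS];
    int n;

    n = sms16_decode(even_msg, sizeof even_msg, units, SMS16_MAX_UNITS);
    printf("even-length message: %d units decoded\n", n);

    n = sms16_decode(odd_msg, sizeof odd_msg, units, SMS16_MAX_UNITS);
    printf("odd-length message: %s\n", n < 0 ? "rejected" : "decoded");
    return 0;
}
```

The decoder returns -1 for the 3-octet input instead of looping, and also refuses an even-length message whose unit count exceeds the output capacity, which is the second condition a decoder of this shape has to enforce to keep the write bounded.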

                               Affected Versions
                Product                 Release Series      
         Asterisk Open Source                1.8.x          All Versions      
         Asterisk Open Source                10.x           All Versions      
      Asterisk with Digiumphones       10.x-digiumphones    All Versions      
         Asterisk Open Source                11.x           All Versions      
          Certified Asterisk                 1.8.x          All Versions      
          Certified Asterisk                 11.x           All Versions      

                                  Corrected In
                  Product                              Release                
            Asterisk Open Source              1.8.24.1, 10.12.4, 11.6.1       
         Asterisk with Digiumphones              10.12.4-digiumphones         
             Certified Asterisk                1.8.15-cert4, 11.2-cert3       

                                          Patches                            
                                  SVN URL                                       Revision     
http://downloads.asterisk.org/pub/security/AST-2013-006-1.8.diff             Asterisk 1.8    
http://downloads.asterisk.org/pub/security/AST-2013-006-10.diff              Asterisk 10     
http://downloads.asterisk.org/pub/security/AST-2013-006-10-digiumphones.diff Asterisk        
                                                                             10-digiumphones 
http://downloads.asterisk.org/pub/security/AST-2013-006-11.diff              Asterisk 11     
http://downloads.asterisk.org/pub/security/AST-2013-006-1.8.15.diff          Certified       
                                                                             Asterisk 1.8.15 
http://downloads.asterisk.org/pub/security/AST-2013-006-11.2.diff            Certified       
                                                                             Asterisk 11.2   

       Links     https://issues.asterisk.org/jira/browse/ASTERISK-22590       

    Asterisk Project Security Advisories are posted at                        
    http://www.asterisk.org/security                                          
                                                                              
    This document may be superseded by later versions; if so, the latest      
    version will be posted at                                                 
    http://downloads.digium.com/pub/security/AST-2013-006.pdf and             
    http://downloads.digium.com/pub/security/AST-2013-006.html                

                                Revision History
          Date                  Editor                 Revisions Made         
    12/16/2013         Scott Griepentrog         Initial Revision             

               Asterisk Project Security Advisory - AST-2013-006
              Copyright (c) 2013 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

- -----------------------------------------------------------------------------

               Asterisk Project Security Advisory - AST-2013-007

         Product        Asterisk                                              
         Summary        Asterisk Manager User Dialplan Permission Escalation  
    Nature of Advisory  Permission Escalation                                 
      Susceptibility    Remote Authenticated Sessions                         
         Severity       Minor                                                 
      Exploits Known    None                                                  
       Reported On      November 25, 2013                                     
       Reported By      Matt Jordan                                           
        Posted On       December 16, 2013                                     
     Last Updated On    December 16, 2013                                     
     Advisory Contact   David Lee < dlee AT digium DOT com >                  
         CVE Name       Pending                                               

    Description  External control protocols, such as the Asterisk Manager
                 Interface, often have the ability to get and set channel
                 variables; this allows the execution of dialplan functions.

                 Dialplan functions within Asterisk are incredibly powerful,
                 which is wonderful for building applications using Asterisk.
                 But during the read or write execution, certain dialplan
                 functions do much more. For example, reading the SHELL()
                 function can execute arbitrary commands on the system
                 Asterisk is running on. Writing to the FILE() function can
                 change any file that Asterisk has write access to.

                 When these functions are executed from an external
                 protocol, that execution could result in a privilege
                 escalation.

    Resolution  Asterisk can now inhibit the execution of these functions     
                from external interfaces such as AMI, if live_dangerously in  
                the [options] section of asterisk.conf is set to no.          
                                                                              
                For backwards compatibility, live_dangerously defaults to     
                yes, and must be explicitly set to no to enable this          
                privilege escalation protection.                              

                               Affected Versions
                Product                 Release Series      
         Asterisk Open Source                1.8.x          All Versions      
         Asterisk Open Source                10.x           All Versions      
      Asterisk with Digiumphones       10.x-digiumphones    All Versions      
         Asterisk Open Source                11.x           All Versions      
          Certified Asterisk                 1.8.x          All Versions      
          Certified Asterisk                 11.x           All Versions      

                                  Corrected In
                  Product                              Release                
            Asterisk Open Source              1.8.24.1, 10.12.4, 11.6.1       
         Asterisk with Digiumphones              10.12.4-digiumphones         
             Certified Asterisk                1.8.15-cert4, 11.2-cert3       

                                          Patches                            
                                  SVN URL                                       Revision     
http://downloads.asterisk.org/pub/security/AST-2013-007-1.8.diff             Asterisk 1.8    
http://downloads.asterisk.org/pub/security/AST-2013-007-10.diff              Asterisk 10     
http://downloads.asterisk.org/pub/security/AST-2013-007-10-digiumphones.diff Asterisk        
                                                                             10-digiumphones 
http://downloads.asterisk.org/pub/security/AST-2013-007-11.diff              Asterisk 11     
http://downloads.asterisk.org/pub/security/AST-2013-007-1.8.15.diff          Certified       
                                                                             Asterisk 1.8.15 
http://downloads.asterisk.org/pub/security/AST-2013-007-11.2.diff            Certified       
                                                                             Asterisk 11.2   

       Links     https://issues.asterisk.org/jira/browse/ASTERISK-22905       

    Asterisk Project Security Advisories are posted at                        
    http://www.asterisk.org/security                                          
                                                                              
    This document may be superseded by later versions; if so, the latest      
    version will be posted at                                                 
    http://downloads.digium.com/pub/security/AST-2013-007.pdf and             
    http://downloads.digium.com/pub/security/AST-2013-007.html                

                                Revision History
          Date                 Editor                  Revisions Made         
    12/16/2013         Matt Jordan              Initial Revision              

               Asterisk Project Security Advisory - AST-2013-007
              Copyright (c) 2013 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----