===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1626
             Asterisk Project Security Advisory - AST-2014-010
                             19 September 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Asterisk
Publisher:         Digium
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-6610  

Original Bulletin: 
   http://downloads.asterisk.org/pub/security/AST-2014-010.html

--------------------------BEGIN INCLUDED TEXT--------------------

Asterisk Project Security Advisory - AST-2014-010

Product

Asterisk

Summary

Remote crash when handling out of call message in certain dialplan 
configurations

Nature of Advisory

Remotely triggered crash of Asterisk

Susceptibility

Remote authenticated sessions

Severity

Minor

Exploits Known

No

Reported On

05 September 2014

Reported By

Philippe Lindheimer

Posted On

18 September 2014

Last Updated On

18 September 2014

Advisory Contact

Matt Jordan <mjordan AT digium DOT com>

CVE Name

CVE-2014-6610

Description

When an out-of-call message delivered by the SIP or PJSIP channel driver or by 
the XMPP stack is handled in Asterisk, a crash can occur if the channel 
servicing the message is sent into the ReceiveFax dialplan application while 
the res_fax_spandsp module is in use.

Note that this crash does not occur when using the res_fax_digium module.

While this crash technically results from a configuration issue, since 
attempting to receive a fax from a channel driver that carries only textual 
information can never succeed, the likelihood of such a configuration is high 
enough to warrant this advisory.

Resolution

The fax family of applications has been updated to handle the Message channel
driver correctly. Users who run the fax applications alongside the out-of-call 
text messaging features are encouraged to upgrade to the versions of Asterisk 
specified in this security advisory.

Additionally, users of Asterisk are encouraged to use a separate dialplan 
context to process text messages. This avoids the situation where a channel 
from the Message channel driver is passed to dialplan applications that assume 
a media stream is available. The various channel drivers and stacks provide 
such an option; one example is the SIP channel driver's 
outofcall_message_context option.
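As an added illustration of the separate-context recommendation above (constructed for this bulletin, not configuration shipped by the Asterisk project), the following sip.conf and extensions.conf fragments show the weak layout, in which text-only Message channels fall into the ordinary call context, beside the corrected one. The context names, the fax extension and the "Message" channel type check are assumptions.

```ini
; --- sip.conf (constructed example) ---
[general]
context=from-sip                  ; ordinary calls land here
accept_outofcall_message=yes      ; SIP MESSAGE requests are accepted
; WEAK: with outofcall_message_context left unset, an incoming MESSAGE is
; handled on a text-only "Message" channel inside from-sip, where it can
; reach ReceiveFax and, with res_fax_spandsp, trigger the crash.
; CORRECTED: route text-only channels to a dedicated context instead.
outofcall_message_context=messages
; PJSIP endpoints in pjsip.conf use the endpoint option message_context
; for the same purpose (assumed equivalent, not stated in the advisory).

; --- extensions.conf (constructed example) ---
[from-sip]
; Call context: media-bearing channels only. The GotoIf is a defensive
; backstop if a Message channel still arrives here; the channel type
; name "Message" is an assumption about the Message channel driver.
exten => _X.,1,GotoIf($["${CHANNEL(channeltype)}" = "Message"]?messages,${EXTEN},1)
 same => n,Answer()
 same => n,ReceiveFax(/var/spool/asterisk/fax/${UNIQUEID}.tif)   ; needs media
 same => n,Hangup()

[messages]
; Text context: only message-safe applications, never ReceiveFax or any
; other application that assumes a media stream.
exten => _X.,1,NoOp(Out-of-call message from ${MESSAGE(from)} to ${MESSAGE(to)})
 same => n,MessageSend(sip:${EXTEN},${MESSAGE(from)})   ; relay to addressed peer
 same => n,Hangup()
```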

Affected Versions

Product                 Release Series
Asterisk Open Source    11.x              All versions
Asterisk Open Source    12.x              All versions
Certified Asterisk      11.6              All versions

Corrected In

Product                 Release
Asterisk Open Source    11.12.1, 12.5.1
Certified Asterisk      11.6-cert6

Patches

SVN URL                                                                 Revision
http://downloads.asterisk.org/pub/security/AST-2014-010-11.diff         Asterisk 11
http://downloads.asterisk.org/pub/security/AST-2014-010-12.diff         Asterisk 12
http://downloads.asterisk.org/pub/security/AST-2014-010-11.6.diff       Certified Asterisk 11.6

Links

https://issues.asterisk.org/jira/browse/ASTERISK-24301

Asterisk Project Security Advisories are posted at 
http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version 
will be posted at http://downloads.digium.com/pub/security/AST-2014-010.pdf 
and http://downloads.digium.com/pub/security/AST-2014-010.html

Revision History

Date                    Editor          Revisions Made
18 September, 2014      Matt Jordan     Initial Draft
18 September, 2014      Matt Jordan     Added CVE

Copyright 2014 Digium, Inc.

All Rights Reserved. Permission is hereby granted to distribute and publish 
this advisory in its original, unaltered form.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================