-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.0232
            Asterisk Project Security Advisory - AST-2015-001
                              30 January 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Asterisk
Publisher:         Digium
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Denial of Service               -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-8150
Reference:         ESB-2015.0042

Original Bulletin:
   http://downloads.digium.com/pub/security/AST-2015-001.html
   http://downloads.asterisk.org/pub/security/AST-2015-002.html

Comment: This bulletin contains two (2) Digium security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

               Asterisk Project Security Advisory - AST-2015-001

Product              Asterisk
Summary              File descriptor leak when incompatible codecs are offered
Nature of Advisory   Resource exhaustion
Susceptibility       Remote Authenticated Sessions
Severity             Major
Exploits Known       No
Reported On          6 January, 2015
Reported By          Y Ateya
Posted On            9 January, 2015
Last Updated On      January 28, 2015
Advisory Contact     Mark Michelson <mmichelson AT digium DOT com>
CVE Name             Pending

Description
   Asterisk may be configured to only allow specific audio or video codecs
   to be used when communicating with a particular endpoint. When an
   endpoint sends an SDP offer that only lists codecs not allowed by
   Asterisk, the offer is rejected. However, in this case, RTP ports that
   are allocated in the process are not reclaimed.

   This issue only affects the PJSIP channel driver in Asterisk. Users of
   the chan_sip channel driver are not affected.

   As the resources are allocated after authentication, this issue only
   affects communications with authenticated endpoints.
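The failure mode described above, modelled as an added example in C. This is not Asterisk or PJSIP code: a constructed four-slot pool stands in for the RTP port allocator, and the same rejected SDP offer is driven through a handler that forgets to release the port next to one that releases it on every exit path. The codec names, pool size and all function names are invented for the illustration; the point is that a leak on the rejection path turns a stream of authenticated-but-incompatible offers into pool exhaustion.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for an RTP port pool: one slot per allocatable port.
 * A real pool is far larger; four slots keep the exhaustion visible. */
#define POOL_SIZE 4
static bool port_in_use[POOL_SIZE];

/* Allocate the first free port, or return -1 when the pool is exhausted. */
static int rtp_port_alloc(void)
{
    for (int i = 0; i < POOL_SIZE; i++) {
        if (!port_in_use[i]) {
            port_in_use[i] = true;
            return i;
        }
    }
    return -1;
}

static void rtp_port_free(int port)
{
    if (port >= 0 && port < POOL_SIZE) port_in_use[port] = false;
}

/* Ports currently held; a leak shows up as a number that only grows. */
static int ports_in_use(void)
{
    int n = 0;
    for (int i = 0; i < POOL_SIZE; i++) n += port_in_use[i];
    return n;
}

/* True when at least one offered codec is on the endpoint's allowed list. */
static bool has_common_codec(const char *const *offered, size_t n_offered,
                             const char *const *allowed, size_t n_allowed)
{
    for (size_t i = 0; i < n_offered; i++)
        for (size_t j = 0; j < n_allowed; j++)
            if (strcmp(offered[i], allowed[j]) == 0) return true;
    return false;
}

/* Pre-patch pattern: the port is allocated before the codec check and the
 * rejection path returns without releasing it. Returns the port on accept,
 * -1 on reject. */
static int handle_offer_leaky(const char *const *offered, size_t n_offered,
                              const char *const *allowed, size_t n_allowed)
{
    int port = rtp_port_alloc();
    if (port < 0) return -1;
    if (!has_common_codec(offered, n_offered, allowed, n_allowed)) {
        return -1;   /* port stays marked in use: this is the leak */
    }
    return port;
}

/* Corrected pattern: every exit after the allocation either hands the port
 * to the caller or gives it back to the pool. */
static int handle_offer_fixed(const char *const *offered, size_t n_offered,
                              const char *const *allowed, size_t n_allowed)
{
    int port = rtp_port_alloc();
    if (port < 0) return -1;
    if (!has_common_codec(offered, n_offered, allowed, n_allowed)) {
        rtp_port_free(port);
        return -1;
    }
    return port;
}

typedef int (*offer_handler)(const char *const *, size_t,
                             const char *const *, size_t);

/* Send `count` offers that list only a disallowed codec through `handler`
 * on a fresh pool and report how many ports are still held afterwards. */
static int ports_held_after_rejections(offer_handler handler, int count)
{
    /* Constructed negotiation: the endpoint offers only g729 while its
     * configuration allows only ulaw and alaw, so every offer is rejected. */
    static const char *const offered[] = { "g729" };
    static const char *const allowed[] = { "ulaw", "alaw" };

    memset(port_in_use, 0, sizeof port_in_use);
    for (int i = 0; i < count; i++) handler(offered, 1, allowed, 2);
    return ports_in_use();
}

int main(void)
{
    printf("leaky, 3 rejections: %d held\n", ports_held_after_rejections(handle_offer_leaky, 3));
    printf("leaky, 6 rejections: %d held (pool exhausted)\n", ports_held_after_rejections(handle_offer_leaky, 6));
    printf("fixed, 6 rejections: %d held\n", ports_held_after_rejections(handle_offer_fixed, 6));
    return 0;
}
```

Operationally, the same signal is what a defender would watch for on an affected 12.x or 13.x PJSIP deployment: a steadily rising count of open file descriptors or bound RTP ports on the Asterisk process that does not fall back when calls end.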
Resolution
   The reported leak has been patched.

                               Affected Versions
             Product                    Release Series
      Asterisk Open Source                  1.8.x       Unaffected
      Asterisk Open Source                  11.x        Unaffected
      Asterisk Open Source                  12.x        All versions
      Asterisk Open Source                  13.x        All versions
      Certified Asterisk                    1.8.28      Unaffected
      Certified Asterisk                    11.6        Unaffected

                                  Corrected In
                   Product                              Release
             Asterisk Open Source                     12.8.1, 13.1.1

                                    Patches
                              SVN URL                                Revision
   http://downloads.asterisk.org/pub/security/AST-2015-001-12.diff  Asterisk 12
   http://downloads.asterisk.org/pub/security/AST-2015-001-13.diff  Asterisk 13

   Links  https://issues.asterisk.org/jira/browse/ASTERISK-24666

   Asterisk Project Security Advisories are posted at
   http://www.asterisk.org/security

   This document may be superseded by later versions; if so, the latest
   version will be posted at
   http://downloads.digium.com/pub/security/AST-2015-001.pdf and
   http://downloads.digium.com/pub/security/AST-2015-001.html

                                Revision History
   Date               Editor             Revisions Made
   9 January, 2015    Mark Michelson     Initial creation

               Asterisk Project Security Advisory - AST-2015-001
             Copyright (c) 2015 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

- -----------------------------------------------------------------------------

               Asterisk Project Security Advisory - AST-2015-002

Product              Asterisk
Summary              Mitigation for libcURL HTTP request injection vulnerability
Nature of Advisory   HTTP request injection
Susceptibility       Remote Authenticated Sessions
Severity             Major
Exploits Known       No
Reported On          12 January, 2015
Reported By          Olle Johansson
Posted On            January 12, 2015
Last Updated On      January 28, 2015
Advisory Contact     Mark Michelson <mmichelson AT digium DOT com>
CVE Name             N/A.

Description
   CVE-2014-8150 reported an HTTP request injection vulnerability in
   libcURL. Asterisk uses libcURL in its func_curl.so module (the CURL()
   dialplan function), as well as its res_config_curl.so (cURL realtime
   backend) modules.
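The guard that this advisory's Resolution describes (refusing URLs that contain a carriage return or linefeed before they are handed to libcURL), written out as an added example in C. This is not Asterisk's patch and not libcURL's code. As an assumption of this example that goes beyond the advisory text, it also refuses every other ASCII control byte, and it reports the offset of the offending byte so a rejected URL can be logged precisely. The URLs are constructed sample inputs.

```c
#include <stddef.h>
#include <stdio.h>

/* Verdict for a URL destined for libcURL. */
enum url_check {
    URL_OK = 0,        /* safe to hand to libcURL */
    URL_HAS_CRLF = 1,  /* contains '\r' or '\n': the condition AST-2015-002 forbids */
    URL_HAS_CTRL = 2   /* another ASCII control byte (stricter policy, assumed here) */
};

/* Scan the URL byte by byte. For any verdict other than URL_OK, *offset (if
 * given) receives the position of the first forbidden byte. */
static enum url_check check_url_for_libcurl(const char *url, size_t *offset)
{
    for (size_t i = 0; url[i] != '\0'; i++) {
        unsigned char c = (unsigned char)url[i];
        enum url_check verdict = URL_OK;

        if (c == '\r' || c == '\n') {
            verdict = URL_HAS_CRLF;
        } else if (c < 0x20 || c == 0x7f) {
            verdict = URL_HAS_CTRL;
        }
        if (verdict != URL_OK) {
            if (offset) *offset = i;
            return verdict;
        }
    }
    return URL_OK;
}

/* Offset of the first forbidden byte, or -1 when the URL is clean. */
static long forbidden_offset(const char *url)
{
    size_t off = 0;
    return check_url_for_libcurl(url, &off) == URL_OK ? -1 : (long)off;
}

/* The point where a dialplan function would pass the URL to libcURL:
 * returns 1 if the request may proceed, 0 if it was refused (reason on stderr). */
static int url_allowed(const char *url)
{
    size_t off = 0;
    enum url_check verdict = check_url_for_libcurl(url, &off);

    if (verdict == URL_OK) return 1;
    fprintf(stderr, "refusing URL: %s at offset %zu\n",
            verdict == URL_HAS_CRLF ? "CR/LF" : "control character", off);
    return 0;
}

int main(void)
{
    /* Constructed inputs: a benign lookup, then the same URL with a raw CR LF
     * followed by text that would otherwise start a new line inside the
     * HTTP request libcURL builds. */
    const char *clean = "http://example.com/status?ext=1001";
    const char *injected = "http://example.com/status?ext=1001\r\nX-Injected: 1";

    printf("%s -> %s\n", clean, url_allowed(clean) ? "allowed" : "refused");
    printf("URL with embedded CR LF -> %s\n", url_allowed(injected) ? "allowed" : "refused");
    return 0;
}
```

Note what the check does and does not cover: a percent-encoded `%0D%0A` contains no raw CR or LF bytes, so it passes unchanged, exactly as a CR/LF byte filter should behave; the filter's job is to keep raw line breaks out of the request line, not to second-guess legitimate encoding. On a system where libcURL has already been updated for CVE-2014-8150 the guard is redundant but harmless; on one where it has not, it is the only thing standing between a user-supplied URL and the vulnerable library.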
   Since Asterisk may be configured to allow user-supplied URLs to be
   passed to libcURL, an attacker could use Asterisk as an attack vector to
   inject unauthorized HTTP requests if the version of libcURL installed on
   the Asterisk server is affected by CVE-2014-8150.

Resolution
   Asterisk has been patched in the same manner as libcURL was for
   CVE-2014-8150: carriage return and linefeed characters are forbidden in
   HTTP URLs that will be passed to libcURL.

                               Affected Versions
             Product                    Release Series
      Asterisk Open Source                  1.8.x       All versions
      Asterisk Open Source                  11.x        All versions
      Asterisk Open Source                  12.x        All versions
      Asterisk Open Source                  13.x        All versions
      Certified Asterisk                    1.8.28      All versions
      Certified Asterisk                    11.6        All versions

                                  Corrected In
                   Product                              Release
             Asterisk Open Source            1.8.32.2, 11.15.1, 12.8.1, 13.1.1
             Certified Asterisk              1.8.28-cert4, 11.6-cert10

                                    Patches
                              SVN URL                                Revision
   http://downloads.asterisk.org/pub/security/AST-2015-002-1.8.28.diff  Certified Asterisk 1.8.28
   http://downloads.asterisk.org/pub/security/AST-2015-002-11.6.diff    Certified Asterisk 11.6
   http://downloads.asterisk.org/pub/security/AST-2015-002-1.8.diff     Asterisk 1.8
   http://downloads.asterisk.org/pub/security/AST-2015-002-11.diff      Asterisk 11
   http://downloads.asterisk.org/pub/security/AST-2015-002-12.diff      Asterisk 12
   http://downloads.asterisk.org/pub/security/AST-2015-002-13.diff      Asterisk 13

   Links  https://issues.asterisk.org/jira/browse/ASTERISK-24676

   Asterisk Project Security Advisories are posted at
   http://www.asterisk.org/security

   This document may be superseded by later versions; if so, the latest
   version will be posted at
   http://downloads.digium.com/pub/security/AST-2015-002.pdf and
   http://downloads.digium.com/pub/security/AST-2015-002.html

                                Revision History
   Date               Editor             Revisions Made
   21 January, 2015   Mark Michelson     Initial creation of document

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a
result of your organisation's registration with AusCERT. The mailing list
you are subscribed to is maintained within your organisation, so if you do
not wish to continue receiving these bulletins you should contact your
local IT manager. If you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the appropriate
person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting on
information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVMrxKhLndAQH1ShLAQK5ixAAvleaBRs+URIZj+QILXCk6ojVJMiReo4U
wW3YJwqbDbkyj9UL+Uo5XJB+y17q8UF+YbI2onhC4fMAxExQUSsTFn671bbKqLxx
D0mE+D/8tP1TAUen3nytrusu8ge3afPiiZaaCjHBj5ALxKt5GlVv4YVTfw4raG0f
ZPkcodNicOZoRmTdOc9RyAHAyULn8LNidlQPY6tEBIfs2hoiCSRptB0jV2n9s3Qk
C8Ru9EBwIGSQNh+/1zTG+ZN/uhfxOgu6Z6MdRN3YHzfJyAw6aE3tsunMcqqflh0E
/zk/t2Z8DV2g1/nQyCi3AvJFir6o16Tcss1WT5rzBST8z423mH7tV6werxkkHD67
jLotJkyB5dTm9xPES8mXBy1sDdJvWhev1uKV+tPjHGFA5eKTB8WgtdTQgauw8pk3
ZDxSfYLjOnAA/fD5dLNOvhwZNA+DoiM0Z9ACv8HfixvlsN7IeRhFtFHER5wwo1KJ
ziuq4LjOBs3PlzYXbIJqap2MAoTAyDz1Diblxxod+VgrTvY5mJzzz8sWENRPE18X
0gFiqBbHSP0plPhCMbjBcCaOQXxQdmMDuR+tuE+KpKFdKaLkfcZLALx1p2wrBuNJ
CRtRkQ9zbYtCwEO6C4l7NR2mAX/SdjCApf18yKxFg4vsru4xufYwn/UzsN45nB/l
s2LKXARjbXA=
=BOuL
-----END PGP SIGNATURE-----