-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.0302
                   Asterisk Project Security Advisories
                               5 February 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Asterisk
Publisher:         Digium
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Access Privileged Data         -- Remote/Unauthenticated
                   Denial of Service              -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2011-3389

Reference:         ASB-2015.0070
                   ASB-2015.0009
                   ASB-2013.0113
                   ESB-2012.0114
                   ESB-2011.1033
                   ESB-2011.1032
                   ESB-2011.0979

Original Bulletin:
   http://downloads.digium.com/pub/security/AST-2016-001.html
   http://downloads.digium.com/pub/security/AST-2016-002.html
   http://downloads.digium.com/pub/security/AST-2016-003.html

Comment: This bulletin contains three (3) Digium security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

               Asterisk Project Security Advisory - AST-2016-001

Product             Asterisk
Summary             BEAST vulnerability in HTTP server
Nature of Advisory  Unauthorized data disclosure due to man-in-the-middle
                    attack
Susceptibility      Remote unauthenticated sessions
Severity            Minor
Exploits Known      Yes
Reported On         04/15/15
Reported By         Alex A. Welzl
Posted On           02/03/16
Last Updated On     February 3, 2016
Advisory Contact    Joshua Colp <jcolp AT digium DOT com>
CVE Name            Pending

Description   The Asterisk HTTP server currently has a default configuration
              which allows the BEAST vulnerability to be exploited if the TLS
              functionality is enabled. This can allow a man-in-the-middle
              attack to decrypt data passing through it.

Resolution    Additional configuration options have been added to Asterisk
              which allow the HTTP server to be configured so that it is not
              susceptible to the BEAST vulnerability. These include options
              to configure the permitted ciphers, to control which TLS
              protocols are allowed, and to use server cipher preference
              order instead of client preference order. The default
              configuration of the HTTP server has also been changed to one
              that is not susceptible to the BEAST vulnerability.

                              Affected Versions
       Product                   Release Series
       Asterisk Open Source      1.8.x            All Versions
       Asterisk Open Source      11.x             All Versions
       Asterisk Open Source      12.x             All Versions
       Asterisk Open Source      13.x             All Versions
       Certified Asterisk        1.8.28           All Versions
       Certified Asterisk        11.6             All Versions
       Certified Asterisk        13.1             All Versions

                                 Corrected In
       Product                   Release
       Asterisk Open Source      11.21.1, 13.7.1
       Certified Asterisk        11.6-cert12, 13.1-cert3

                                   Patches
       SVN URL                                                               Revision
       http://downloads.asterisk.org/pub/security/AST-2016-001-1.8.28.diff   Certified Asterisk 1.8.28
       http://downloads.asterisk.org/pub/security/AST-2016-001-11.6.diff     Certified Asterisk 11.6
       http://downloads.asterisk.org/pub/security/AST-2016-001-13.1.diff     Certified Asterisk 13.1
       http://downloads.asterisk.org/pub/security/AST-2016-001-11.diff       Asterisk 11
       http://downloads.asterisk.org/pub/security/AST-2016-001-12.diff       Asterisk 12
       http://downloads.asterisk.org/pub/security/AST-2016-001-13.diff       Asterisk 13

Links         https://issues.asterisk.org/jira/browse/ASTERISK-24972

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2016-001.pdf and
http://downloads.digium.com/pub/security/AST-2016-001.html

                               Revision History
       Date                Editor            Revisions Made
       3 August, 2015      Joshua Colp       Initial creation of document

               Asterisk Project Security Advisory - AST-2016-001
              Copyright (c) 2015 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.
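The following audit script is an added example and is not part of the AusCERT bulletin or of Asterisk itself. It reads an http.conf and reports which of the three controls the advisory describes (restricting TLS protocol versions, restricting the cipher list, and preferring the server's cipher order) are missing when the TLS listener is enabled. The option names tlsenable, tlsdisablev1, tlsservercipherorder and tlscipher are assumed here; confirm them against the http.conf.sample shipped with your release. Both configuration texts are constructed samples.

```python
"""Audit an Asterisk http.conf for the TLS hardening options of AST-2016-001.

Assumed option names (check your release's http.conf.sample):
  tlsenable, tlsdisablev1, tlsservercipherorder, tlscipher
"""
import configparser

# Constructed sample: TLS listener on, nothing hardened (the pre-fix default shape).
WEAK_HTTP_CONF = """
[general]
enabled=yes
bindaddr=127.0.0.1
tlsenable=yes
tlsbindaddr=0.0.0.0:8089
tlscertfile=/etc/asterisk/keys/asterisk.pem
"""

# Constructed sample: the same listener with the advisory's three controls applied.
HARDENED_HTTP_CONF = """
[general]
enabled=yes
bindaddr=127.0.0.1
tlsenable=yes
tlsbindaddr=0.0.0.0:8089
tlscertfile=/etc/asterisk/keys/asterisk.pem
tlsdisablev1=yes                 ; do not offer TLS 1.0, the version BEAST targets
tlsservercipherorder=yes         ; our preference order wins, not the client's
tlscipher=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384
"""


def load_asterisk_conf(text):
    """Parse Asterisk's INI-like syntax: [sections], key=value, ';' comments.

    strict=False tolerates repeated keys (last one wins), as Asterisk files often have.
    """
    cp = configparser.ConfigParser(delimiters=("=",), comment_prefixes=(";", "#"),
                                   inline_comment_prefixes=(";",), strict=False,
                                   interpolation=None)
    cp.read_string(text)
    return cp


def is_yes(value):
    """Asterisk accepts several spellings of a boolean true."""
    return value is not None and value.strip().lower() in ("yes", "true", "on", "1")


def audit_http_tls(text):
    """Return a list of findings; an empty list means all three controls are present
    or the TLS listener is disabled (in which case this advisory does not apply)."""
    cp = load_asterisk_conf(text)
    if "general" not in cp:
        return ["http.conf has no [general] section"]
    g = cp["general"]
    if not is_yes(g.get("tlsenable")):
        return []
    findings = []
    if not is_yes(g.get("tlsdisablev1")):
        findings.append("tlsdisablev1 not set: TLS 1.0 is still offered")
    if not is_yes(g.get("tlsservercipherorder")):
        findings.append("tlsservercipherorder not set: client cipher preference is used")
    if not g.get("tlscipher"):
        findings.append("tlscipher not set: library default cipher list applies")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_HTTP_CONF), ("hardened", HARDENED_HTTP_CONF)):
        print(name, audit_http_tls(conf) or ["ok"])
```

Run it against the real file with `audit_http_tls(open("/etc/asterisk/http.conf").read())`; a non-empty list is the cue to apply the advisory's configuration on an upgraded build rather than relying on the old defaults.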
- ------------------------------------------------------------------------------

               Asterisk Project Security Advisory - AST-2016-002

Product             Asterisk
Summary             File descriptor exhaustion in chan_sip
Nature of Advisory  Denial of Service
Susceptibility      Remote Unauthenticated Sessions
Severity            Minor
Exploits Known      Yes
Reported On         September 17, 2015
Reported By         Alexander Traud
Posted On           February 3, 2016
Last Updated On     February 3, 2016
Advisory Contact    Richard Mudgett <rmudgett AT digium DOT com>
CVE Name            Pending

Description   Setting the sip.conf timert1 value to a value higher than 1245
              can cause an integer overflow and result in large retransmit
              timeout times. These large timeout values hold system file
              descriptors hostage and can cause the system to run out of
              file descriptors.

Resolution    Setting the sip.conf timert1 value to 1245 or lower will not
              exhibit the vulnerability. The default timert1 value is 500.
              Asterisk has been patched to detect the integer overflow and
              calculate the previous retransmission timer value.
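As an added example that is not part of the bulletin or of chan_sip, the script below does two things a practitioner would want after reading this advisory: it checks the effective timert1 in a sip.conf against the 1245 bound the advisory states, and it contrasts an unguarded 32-bit doubling of a retransmit interval (which wraps to a negative value once it exceeds INT_MAX) with a guarded version that keeps the previous interval, the approach the resolution paragraph describes. The guarded function is an illustration of that approach, not chan_sip's actual timer arithmetic; the sip.conf text is a constructed sample.

```python
"""AST-2016-002 helpers: bound timert1 and guard retransmit-interval doubling."""
import configparser

INT32_MAX = 2**31 - 1
TIMERT1_DEFAULT_MS = 500     # default stated in the advisory
TIMERT1_SAFE_MAX_MS = 1245   # highest value the advisory reports as safe

# Constructed sample: a sip.conf with timert1 raised above the safe bound.
SAMPLE_SIP_CONF = """
[general]
context=default
timert1=2000        ; RTT estimate in ms, too high for an unpatched chan_sip
"""


def load_asterisk_conf(text):
    """Parse Asterisk's INI-like syntax ([sections], key=value, ';' comments)."""
    cp = configparser.ConfigParser(delimiters=("=",), comment_prefixes=(";", "#"),
                                   inline_comment_prefixes=(";",), strict=False,
                                   interpolation=None)
    cp.read_string(text)
    return cp


def configured_timert1(text):
    """Effective timert1 in ms: the [general] value, or the 500 ms default when unset."""
    cp = load_asterisk_conf(text)
    raw = cp["general"].get("timert1") if "general" in cp else None
    return int(raw.strip()) if raw else TIMERT1_DEFAULT_MS


def audit_timert1(text):
    """Return a finding when timert1 exceeds the bound given in AST-2016-002."""
    t1 = configured_timert1(text)
    if t1 > TIMERT1_SAFE_MAX_MS:
        return [f"timert1={t1} exceeds {TIMERT1_SAFE_MAX_MS}; unpatched chan_sip can "
                f"overflow the retransmit timer and pin file descriptors (AST-2016-002)"]
    return []


def wrap_int32(value):
    """Reproduce C signed 32-bit wrap-around so Python integers behave like an int."""
    return ((value + 2**31) % 2**32) - 2**31


def unguarded_next_ms(prev_ms):
    """Doubling with no overflow check: a wrapped result is negative or absurdly large,
    which is the kind of 'large retransmit timeout' the advisory describes."""
    return wrap_int32(prev_ms * 2)


def guarded_next_ms(prev_ms):
    """Doubling with an overflow check (assumed illustration of the fix's approach):
    if 2*prev would not fit in a C int, fall back to the previous interval."""
    doubled = prev_ms * 2
    return prev_ms if doubled > INT32_MAX else doubled


def retrans_schedule(timer_t1_ms, rounds, step=guarded_next_ms):
    """Intervals of `rounds` successive retransmissions starting at T1."""
    out, cur = [], timer_t1_ms
    for _ in range(rounds):
        out.append(cur)
        cur = step(cur)
    return out


if __name__ == "__main__":
    print(audit_timert1(SAMPLE_SIP_CONF))
    print(retrans_schedule(500, 4))
    print("unguarded:", unguarded_next_ms(2**30), "guarded:", guarded_next_ms(2**30))
```

Keep timert1 at or below 1245 until the patched release is deployed; the audit function is the quick way to confirm that across a fleet of sip.conf files.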
                              Affected Versions
       Product                   Release Series
       Asterisk Open Source      1.8.x            All versions
       Asterisk Open Source      11.x             All versions
       Asterisk Open Source      12.x             All versions
       Asterisk Open Source      13.x             All versions
       Certified Asterisk        1.8.28           All versions
       Certified Asterisk        11.6             All versions
       Certified Asterisk        13.1             All versions

                                 Corrected In
       Product                   Release
       Asterisk Open Source      11.21.1, 13.7.1
       Certified Asterisk        11.6-cert12, 13.1-cert3

                                   Patches
       SVN URL                                                               Revision
       http://downloads.asterisk.org/pub/security/AST-2016-002-1.8.28.diff   Certified Asterisk 1.8.28
       http://downloads.asterisk.org/pub/security/AST-2016-002-11.6.diff     Certified Asterisk 11.6
       http://downloads.asterisk.org/pub/security/AST-2016-002-13.1.diff     Certified Asterisk 13.1
       http://downloads.asterisk.org/pub/security/AST-2016-002-1.8.diff      Asterisk 1.8
       http://downloads.asterisk.org/pub/security/AST-2016-002-11.diff       Asterisk 11
       http://downloads.asterisk.org/pub/security/AST-2016-002-12.diff       Asterisk 12
       http://downloads.asterisk.org/pub/security/AST-2016-002-13.diff       Asterisk 13

Links         https://issues.asterisk.org/jira/browse/ASTERISK-25397

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2016-002.pdf and
http://downloads.digium.com/pub/security/AST-2016-002.html

                               Revision History
       Date                  Editor              Revisions Made
       September 29, 2015    Richard Mudgett     Initial document created

               Asterisk Project Security Advisory - AST-2016-002
              Copyright (c) 2015 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

- ------------------------------------------------------------------------------

               Asterisk Project Security Advisory - AST-2016-003

Product             Asterisk
Summary             Remote crash vulnerability when receiving UDPTL FAX data.
Nature of Advisory  Denial of Service
Susceptibility      Remote Authenticated Sessions
Severity            Minor
Exploits Known      Yes
Reported On         December 2, 2015
Reported By         Walter Dokes, Torrey Searle
Posted On           February 3, 2016
Last Updated On     February 3, 2016
Advisory Contact    Richard Mudgett <rmudgett AT digium DOT com>
CVE Name            Pending

Description   If no UDPTL packets are lost there is no problem. However, a
              lost packet causes Asterisk to use the available error
              correcting redundancy packets. If those redundancy packets
              have zero length then Asterisk uses an uninitialized buffer
              pointer and length value, which can cause invalid memory
              accesses later when the packet is copied.

Resolution    Upgrade to a released version with the fix incorporated or
              apply the patch.

                              Affected Versions
       Product                   Release Series
       Asterisk Open Source      1.8.x            All versions
       Asterisk Open Source      11.x             All versions
       Asterisk Open Source      12.x             All versions
       Asterisk Open Source      13.x             All versions
       Certified Asterisk        1.8.28           All versions
       Certified Asterisk        11.6             All versions
       Certified Asterisk        13.1             All versions

                                 Corrected In
       Product                   Release
       Asterisk Open Source      11.21.1, 13.7.1
       Certified Asterisk        11.6-cert12, 13.1-cert3

                                   Patches
       SVN URL                                                               Revision
       http://downloads.asterisk.org/pub/security/AST-2016-003-1.8.28.diff   Certified Asterisk 1.8.28
       http://downloads.asterisk.org/pub/security/AST-2016-003-11.6.diff     Certified Asterisk 11.6
       http://downloads.asterisk.org/pub/security/AST-2016-003-13.1.diff     Certified Asterisk 13.1
       http://downloads.asterisk.org/pub/security/AST-2016-003-1.8.diff      Asterisk 1.8
       http://downloads.asterisk.org/pub/security/AST-2016-003-11.diff       Asterisk 11
       http://downloads.asterisk.org/pub/security/AST-2016-003-12.diff       Asterisk 12
       http://downloads.asterisk.org/pub/security/AST-2016-003-13.diff       Asterisk 13

Links         https://issues.asterisk.org/jira/browse/ASTERISK-25603

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2016-003.pdf and
http://downloads.digium.com/pub/security/AST-2016-003.html

                               Revision History
       Date                  Editor              Revisions Made
       December 7, 2015      Richard Mudgett     Initial document created

               Asterisk Project Security Advisory - AST-2016-003
              Copyright (c) 2015 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVrQrc36ZAP0PgtI9AQJXqBAAiW5DMrgoUs/Zk6Lhe0X4HlC8zDG2G1ns
svWAtJFu1GGr2JG7VutwQyneP3pXaBL0YddNxa/Q1SFZzHdgw+01quv2Cx10iFx8
m9bUrviPxVvMOFOIpBhz2gPK/qFHNVPV9bMfNP4fCeVDtBNxhUzfoQJ8En7AR8y2
lmlM61pLuAsG1TrtzCmvHgzsss+Fn8U3LEFhgSbkrnXWNKV0glO/1UhYk9PyY6gk
nqQjijYHdNSALp1deXXQxSe2x/nvu0MNY23Kq3Ll7nIsHEjEw6ZSlCX8aqn/UMmP
k/CVWfzNgz4m6A5LnctwlzhqBjTcUV8BVmj26iNfZ7+A19adew3uBl5zkuhAHK8/
hsacppo5FqQyaRTozTPWkKKMX7EgkjUu/spOoUMN0UQyhWKX2sOsM3/dI5x4cRw0
tw32KIN9SKmI6sWoYfcpMVL3SD4HaJDHjFmCsxvB5lnb642FRqRPv1St4/lbo5kY
pkRF+5J8b3259/E560KuO0jM5JyWE8VS4kgBZnJy8Jdf/MX5F5n8m8tv6yZaoo3f
NZpOMDVDIr8oWLKQ1rkObFdcMpOKBr+Z3JJU3EYiAsoPvFeCp4Qx90RThSdDKLne
yexR/HPjxL6olv98YxMyrRJXOiyoedQ43mW/TbE1i14+uuZpJWxhz5iqI9bFvEc7
JGWKctRiauA=
=didZ
-----END PGP SIGNATURE-----