-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0586.2
                      Asterisk Project Security Advisory
                                 12 March 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Asterisk
Publisher:         Digium
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Denial of Service -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-1000099 CVE-2018-1000098 CVE-2018-7286
                   CVE-2018-7284

Original Bulletin: 
   http://downloads.asterisk.org/pub/security/AST-2018-002.html
   http://downloads.asterisk.org/pub/security/AST-2018-003.html
   http://downloads.asterisk.org/pub/security/AST-2018-004.html
   http://downloads.asterisk.org/pub/security/AST-2018-005.html

Revision History:  March    12 2018: Added CVEs to two advisories.
                   February 28 2018: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

               Asterisk Project Security Advisory - AST-2018-002

         Product               Asterisk
         Summary               Crash when given an invalid SDP media format
                               description
         Nature of Advisory    Remote crash
         Susceptibility        Remote Authenticated Sessions
         Severity              Minor
         Exploits Known        No
         Reported On           January 15, 2018
         Reported By           Sandro Gauci
         Posted On             February 21, 2018
         Last Updated On       February 19, 2018
         Advisory Contact      Kevin Harwell <kharwell AT digium DOT com>
         CVE Name              CVE-2018-1000098

    Description  By crafting an SDP message with an invalid media format
                 description, Asterisk crashes when using the pjsip channel
                 driver because pjproject's SDP parsing algorithm fails to
                 catch the invalid media format description.

                 The severity of this vulnerability is lessened since an
                 endpoint must be authenticated prior to reaching the crash
                 point, or it's configured with no authentication.

    Resolution   Stricter validation is now done when pjproject parses an
                 SDP's media format description.
                 Invalid values are now properly handled.

                               Affected Versions
            Product                 Release Series
    Asterisk Open Source            13.x         All Releases
    Asterisk Open Source            14.x         All Releases
    Asterisk Open Source            15.x         All Releases
    Certified Asterisk              13.18        All Releases

                                  Corrected In
           Product                              Release
    Asterisk Open Source                 13.19.2, 14.7.6, 15.2.2
    Certified Asterisk                         13.18-cert3

                                    Patches
                       SVN URL                                   Revision
    http://downloads.asterisk.org/pub/security/AST-2018-002-13.diff     Asterisk 13
    http://downloads.asterisk.org/pub/security/AST-2018-002-14.diff     Asterisk 14
    http://downloads.asterisk.org/pub/security/AST-2018-002-15.diff     Asterisk 15
    http://downloads.asterisk.org/pub/security/AST-2018-002-13.18.diff  Certified Asterisk 13.18

    Links  https://issues.asterisk.org/jira/browse/ASTERISK-27582

    Asterisk Project Security Advisories are posted at
    http://www.asterisk.org/security

    This document may be superseded by later versions; if so, the latest
    version will be posted at
    http://downloads.digium.com/pub/security/AST-2018-002.pdf and
    http://downloads.digium.com/pub/security/AST-2018-002.html

                                Revision History
          Date                 Editor                   Revisions Made
    January 30, 2018       Kevin Harwell              Initial Revision

               Asterisk Project Security Advisory - AST-2018-002
              Copyright (C) 2018 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.
- ----------------------------------------------------------------------------------

               Asterisk Project Security Advisory - AST-2018-003

         Product               Asterisk
         Summary               Crash with an invalid SDP fmtp attribute
         Nature of Advisory    Remote crash
         Susceptibility        Remote Authenticated Sessions
         Severity              Minor
         Exploits Known        No
         Reported On           January 15, 2018
         Reported By           Sandro Gauci
         Posted On             February 21, 2018
         Last Updated On       February 19, 2018
         Advisory Contact      Kevin Harwell <kharwell AT digium DOT com>
         CVE Name              CVE-2018-1000099

    Description  By crafting an SDP message body with an invalid fmtp
                 attribute, Asterisk crashes when using the pjsip channel
                 driver because pjproject's fmtp retrieval function fails to
                 check whether the fmtp value is empty (it is set empty if
                 previously parsed as invalid).

                 The severity of this vulnerability is lessened since an
                 endpoint must be authenticated prior to reaching the crash
                 point, or it's configured with no authentication.

    Resolution   A stricter check is now done when pjproject retrieves the
                 fmtp attribute. Empty values are now properly handled.
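    The following is an added example written for this bulletin; it is not
    pjproject's or Asterisk's own code and does not reproduce their
    structures. It shows the two checks that AST-2018-002 and AST-2018-003
    describe as missing: an SDP m= line parser that rejects any format
    description that is not a numeric RTP payload type, and an fmtp handler
    that refuses to store an empty parameter list, so that the retrieval
    function can never hand back an empty value. The struct layout, the
    bound SDP_MAX_FMT and the field sizes are assumptions made for the
    example.

```c
/*
 * Added example, not pjproject's or Asterisk's own code: strict parsing of an
 * SDP "m=" line and its "a=fmtp:" attribute, the two steps whose lax handling
 * AST-2018-002 and AST-2018-003 describe. Each format token must be a decimal
 * payload type 0..127, and an fmtp attribute with an empty parameter part is
 * rejected rather than stored. Field sizes and SDP_MAX_FMT are assumptions.
 */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define SDP_MAX_FMT 32   /* assumed bound on formats per m= line */
struct sdp_media {
    char media[16];               /* "audio", "video", ... */
    int  port;
    char proto[32];               /* "RTP/AVP", ... */
    int  fmt[SDP_MAX_FMT];        /* payload types in m= line order */
    int  fmt_count;
    char fmtp[SDP_MAX_FMT][128];  /* fmtp parameters, indexed like fmt[] */
};

/* Advance *p to the next space-delimited token; NULL at end of line. */
static const char *next_token(const char **p, size_t *len)
{
    const char *start;
    *p += strspn(*p, " ");
    if (**p == '\0') return NULL;
    start = *p;
    *len = strcspn(*p, " ");
    *p += *len;
    return start;
}

/* Parse a payload type token; -1 unless it is 1..3 digits with value 0..127. */
static int parse_payload_type(const char *tok, size_t len)
{
    int v = 0;
    if (len == 0 || len > 3) return -1;
    for (size_t i = 0; i < len; i++) {
        if (!isdigit((unsigned char)tok[i])) return -1;
        v = v * 10 + (tok[i] - '0');
    }
    return v <= 127 ? v : -1;
}

/* Parse "m=<media> <port> <proto> <fmt> [<fmt> ...]"; 0 on success, -1 otherwise. */
int sdp_parse_media_line(const char *line, struct sdp_media *m)
{
    const char *p, *tok; size_t len;
    memset(m, 0, sizeof *m);
    if (strncmp(line, "m=", 2) != 0) return -1;
    p = line + 2;
    if (!(tok = next_token(&p, &len)) || len >= sizeof m->media) return -1;
    memcpy(m->media, tok, len);
    if (!(tok = next_token(&p, &len)) || len > 5) return -1;   /* port: digits only */
    for (size_t i = 0; i < len; i++) {
        if (!isdigit((unsigned char)tok[i])) return -1;
        m->port = m->port * 10 + (tok[i] - '0');
    }
    if (m->port > 65535) return -1;
    if (!(tok = next_token(&p, &len)) || len >= sizeof m->proto) return -1;
    memcpy(m->proto, tok, len);
    /* Every remaining token must be a valid payload type; one bad
     * format description rejects the whole media line. */
    while ((tok = next_token(&p, &len)) != NULL) {
        int pt = parse_payload_type(tok, len);
        if (pt < 0 || m->fmt_count >= SDP_MAX_FMT) return -1;
        m->fmt[m->fmt_count++] = pt;
    }
    return m->fmt_count > 0 ? 0 : -1;
}

/* Parse "a=fmtp:<fmt> <params>" into the matching slot; -1 if the format was
 * not announced on the m= line or the parameter part is empty. */
int sdp_parse_fmtp(const char *line, struct sdp_media *m)
{
    const char *p; size_t len; int pt;
    if (strncmp(line, "a=fmtp:", 7) != 0) return -1;
    p = line + 7;
    len = strcspn(p, " ");
    if ((pt = parse_payload_type(p, len)) < 0) return -1;
    p += len + strspn(p + len, " ");
    if (*p == '\0') return -1;   /* empty parameter part: never stored */
    for (int i = 0; i < m->fmt_count; i++) {
        if (m->fmt[i] == pt) {
            snprintf(m->fmtp[i], sizeof m->fmtp[i], "%s", p);
            return 0;
        }
    }
    return -1;
}

/* Stored fmtp parameters for a payload type, or NULL when none were accepted. */
const char *sdp_get_fmtp(const struct sdp_media *m, int pt)
{
    for (int i = 0; i < m->fmt_count; i++)
        if (m->fmt[i] == pt && m->fmtp[i][0] != '\0') return m->fmtp[i];
    return NULL;
}
```

    Parsing "m=audio 4000 RTP/AVP 0 8 101" succeeds and "a=fmtp:101 0-16"
    is then retrievable for payload type 101, while "m=audio 4000 RTP/AVP
    0 8 abc" and "a=fmtp:8" (no parameters) are refused at parse time, so
    no later code path has to cope with an invalid format or an empty fmtp
    value.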
                               Affected Versions
            Product                 Release Series
    Asterisk Open Source            13.x         All Releases
    Asterisk Open Source            14.x         All Releases
    Asterisk Open Source            15.x         All Releases
    Certified Asterisk              13.18        All Releases

                                  Corrected In
           Product                              Release
    Asterisk Open Source                 13.19.2, 14.7.6, 15.2.2
    Certified Asterisk                         13.18-cert3

                                    Patches
                       SVN URL                                   Revision
    http://downloads.asterisk.org/pub/security/AST-2018-003-13.diff     Asterisk 13
    http://downloads.asterisk.org/pub/security/AST-2018-003-14.diff     Asterisk 14
    http://downloads.asterisk.org/pub/security/AST-2018-003-15.diff     Asterisk 15
    http://downloads.asterisk.org/pub/security/AST-2018-003-13.18.diff  Certified Asterisk 13.18

    Links  https://issues.asterisk.org/jira/browse/ASTERISK-27583

    Asterisk Project Security Advisories are posted at
    http://www.asterisk.org/security

    This document may be superseded by later versions; if so, the latest
    version will be posted at
    http://downloads.digium.com/pub/security/AST-2018-003.pdf and
    http://downloads.digium.com/pub/security/AST-2018-003.html

                                Revision History
          Date                 Editor                   Revisions Made
    January 30, 2018       Kevin Harwell              Initial Revision

               Asterisk Project Security Advisory - AST-2018-003
              Copyright (C) 2018 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

- ----------------------------------------------------------------------------------

               Asterisk Project Security Advisory - AST-2018-004

         Product               Asterisk
         Summary               Crash when receiving SUBSCRIBE request
         Nature of Advisory    Remote Crash
         Susceptibility        Remote Unauthenticated Sessions
         Severity              Major
         Exploits Known        No
         Reported On           January 30, 2018
         Reported By           Sandro Gauci
         Posted On             February 21, 2018
         Last Updated On       February 21, 2018
         Advisory Contact      Joshua Colp <jcolp AT digium DOT com>
         CVE Name              CVE-2018-7284

    Description  When processing a SUBSCRIBE request the res_pjsip_pubsub
                 module stores the accepted formats present in the Accept
                 headers of the request.
                 This code did not limit the number of headers it processed
                 despite having a fixed limit of 32. If more than 32 Accept
                 headers were present the code would write outside of its
                 memory and cause a crash.

    Resolution   The res_pjsip_pubsub module has been changed to enforce a
                 limit on the maximum number of Accept headers it will
                 process. To receive this change upgrade to the version of
                 Asterisk where this is resolved or apply the appropriate
                 provided patch.

                               Affected Versions
            Product                 Release Series
    Asterisk Open Source            13.x         All versions
    Asterisk Open Source            14.x         All versions
    Asterisk Open Source            15.x         All versions
    Certified Asterisk              13.18        All versions

                                  Corrected In
           Product                              Release
    Asterisk Open Source                 13.19.2, 14.7.6, 15.2.2
    Certified Asterisk                         13.18-cert3

                                    Patches
                       SVN URL                                   Revision
    http://downloads.asterisk.org/pub/security/AST-2018-004-13.diff     Asterisk 13
    http://downloads.asterisk.org/pub/security/AST-2018-004-14.diff     Asterisk 14
    http://downloads.asterisk.org/pub/security/AST-2018-004-15.diff     Asterisk 15
    http://downloads.asterisk.org/pub/security/AST-2018-004-13.18.diff  Certified Asterisk 13.18

    Links  https://issues.asterisk.org/jira/browse/ASTERISK-27640

    Asterisk Project Security Advisories are posted at
    http://www.asterisk.org/security

    This document may be superseded by later versions; if so, the latest
    version will be posted at
    http://downloads.digium.com/pub/security/AST-2018-004.pdf and
    http://downloads.digium.com/pub/security/AST-2018-004.html

                                Revision History
          Date                 Editor                   Revisions Made
    February 5, 2018       Joshua Colp                Initial Revision
    February 21, 2018      Joshua Colp                Added CVE

               Asterisk Project Security Advisory - AST-2018-004
              Copyright (C) 2018 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.
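    The following is an added example written for this bulletin, not the
    res_pjsip_pubsub code itself: a collector that stores the values of a
    request's Accept headers in a fixed table of 32 entries and stops at that
    bound, which is the check AST-2018-004 describes as missing. The table
    layout, the per-entry buffer length and the SUBSCRIBE request that
    build_subscribe() assembles are constructed for the example.

```c
/*
 * Added example, not Asterisk's own code: collecting the media types from the
 * Accept headers of a SIP SUBSCRIBE request into a fixed-size table of 32
 * entries while enforcing that bound, the check whose absence AST-2018-004
 * describes. Header names are matched case-insensitively, as SIP requires.
 * The table layout and the request produced by build_subscribe() are
 * constructed for this example.
 */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_ACCEPT        32   /* fixed table size stated in the advisory */
#define ACCEPT_VALUE_LEN  64   /* per-entry buffer length (assumption) */

struct accept_table {
    char   values[MAX_ACCEPT][ACCEPT_VALUE_LEN];
    size_t count;
};

/* Case-insensitive test for "<name>:" at the start of a header line. */
static int header_is(const char *line, size_t len, const char *name)
{
    size_t n = strlen(name);
    if (len <= n || line[n] != ':') return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)line[i]) != tolower((unsigned char)name[i])) return 0;
    return 1;
}

/* Copy a header value into dst, trimming whitespace and truncating to fit. */
static void copy_trimmed(char *dst, size_t dst_len, const char *src, size_t len)
{
    while (len && isspace((unsigned char)src[0])) { src++; len--; }
    while (len && isspace((unsigned char)src[len - 1])) len--;
    if (len >= dst_len) len = dst_len - 1;
    memcpy(dst, src, len);
    dst[len] = '\0';
}

/*
 * Walk the CRLF-separated header lines of a request and store each Accept
 * value. Returns 0 on success and -1 when more than MAX_ACCEPT Accept headers
 * are present; the table then holds the first MAX_ACCEPT entries and nothing
 * is ever written past the end of values[].
 */
int collect_accept_headers(const char *request, struct accept_table *tbl)
{
    const char *line = request;

    tbl->count = 0;
    while (*line) {
        const char *eol = strstr(line, "\r\n");
        size_t len = eol ? (size_t)(eol - line) : strlen(line);

        if (len == 0) break;                          /* blank line ends the headers */
        if (header_is(line, len, "Accept")) {
            if (tbl->count >= MAX_ACCEPT) return -1;  /* the bound check the advisory adds */
            copy_trimmed(tbl->values[tbl->count], ACCEPT_VALUE_LEN, line + 7, len - 7);
            tbl->count++;
        }
        if (!eol) break;
        line = eol + 2;
    }
    return 0;
}

/* Build a constructed SUBSCRIBE request carrying n Accept headers; returns its length. */
size_t build_subscribe(int n, char *buf, size_t buflen)
{
    size_t used = (size_t)snprintf(buf, buflen,
        "SUBSCRIBE sip:1000@example.invalid SIP/2.0\r\n"
        "Event: message-summary\r\n");
    for (int i = 0; i < n && used < buflen; i++)
        used += (size_t)snprintf(buf + used, buflen - used,
            "Accept: application/simple-message-summary\r\n");
    if (used < buflen)
        used += (size_t)snprintf(buf + used, buflen - used, "\r\n");
    return used;
}

int main(void)
{
    struct accept_table tbl;
    char req[4096];
    int rc;

    build_subscribe(32, req, sizeof req);
    rc = collect_accept_headers(req, &tbl);
    printf("32 Accept headers -> rc %d, stored %zu\n", rc, tbl.count);
    build_subscribe(33, req, sizeof req);
    rc = collect_accept_headers(req, &tbl);
    printf("33 Accept headers -> rc %d, stored %zu\n", rc, tbl.count);
    return 0;
}
```

    With 32 Accept headers every value is stored; with 33 the collector
    returns -1 after filling exactly 32 slots, which is the behaviour to
    look for in a fixed-table parser: the limit is checked before the
    write, not discovered after it.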
- ----------------------------------------------------------------------------------

               Asterisk Project Security Advisory - AST-2018-005

         Product               Asterisk
         Summary               Crash when large numbers of TCP connections
                               are closed suddenly
         Nature of Advisory    Remote Crash
         Susceptibility        Remote Authenticated Sessions
         Severity              Moderate
         Exploits Known        No
         Reported On           January 24, 2018
         Reported By           Sandro Gauci
         Posted On             February 21, 2018
         Last Updated On       February 21, 2018
         Advisory Contact      gjoseph AT digium DOT com
         CVE Name              CVE-2018-7286

    Description  A crash occurs when a number of authenticated INVITE
                 messages are sent over TCP or TLS and then the connection
                 is suddenly closed. This issue leads to a segmentation
                 fault.

    Resolution   A patch to Asterisk is available that prevents the crash
                 by locking the underlying transport until a response is
                 sent.

                               Affected Versions
            Product                 Release Series
    Asterisk Open Source            13.x         All Versions
    Asterisk Open Source            14.x         All Versions
    Asterisk Open Source            15.x         All Versions
    Certified Asterisk              13.18        All Versions

                                  Corrected In
           Product                              Release
    Asterisk Open Source                 13.19.2, 14.7.6, 15.2.2
    Certified Asterisk                         13.18-cert3

                                    Patches
                       SVN URL                                   Revision
    http://downloads.asterisk.org/pub/security/AST-2018-005-13.diff     Asterisk 13
    http://downloads.asterisk.org/pub/security/AST-2018-005-14.diff     Asterisk 14
    http://downloads.asterisk.org/pub/security/AST-2018-005-15.diff     Asterisk 15
    http://downloads.asterisk.org/pub/security/AST-2018-005-13.18.diff  Certified Asterisk 13.18

    Links  https://issues.asterisk.org/jira/browse/ASTERISK-27618
           http://downloads.asterisk.org/pub/security/AST-2018-005.html

    Asterisk Project Security Advisories are posted at
    http://www.asterisk.org/security

    This document may be superseded by later versions; if so, the latest
    version will be posted at
    http://downloads.digium.com/pub/security/AST-2018-005.pdf and
    http://downloads.digium.com/pub/security/AST-2018-005.html

                                Revision History
          Date                 Editor                   Revisions Made
    February 6, 2018       George Joseph              Initial Revision
               Asterisk Project Security Advisory - AST-2018-005
              Copyright (C) 2018 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWqYUs4x+lLeg9Ub1AQgwMxAAmP2iZZWRdvnOt1yVG8rHPXDrb8+zRC84
3Pk5Had4ehwS8JOzAdBIlHPzTj7Hshk59phJjsZfj7xoxefnyEp96PIKo8BxUfG4
IjFQr5ZAs6M3R0U4+zYCPPpBxRDGWrpjDnZcPp7igmxhEvVJ/4OVwdjY9uRHvIhf
5FcnUPamTRI/iWVfS4F++83olWa4npw+AiiT3P1k3XEb9VM6GC4gyS7bp0ThiLP3
ioGSJeL31pDDWRZMLINr1IyzLhdTSJko40PGHkzQnD5wlSsjX+HNkaz2Ot1p863h
pCEoLJ+kyfsHhMmacsRyAwv/WAfWDroUExeV+uneUKU1Rc/9aw7HTNKTzLnsKPcA
hBUTxV4Y6i8M2xX9bedGJ0/AkWG1DzR27H9HZCFKUN1haYEnFD6mBQhFsJu1RHL5
hvwBFfxoTHvZSFm7Y3FmWcoVjAw6hkppmRRzEj4GedeNv3I/Vie5GoQE/kEJ0jgP
/CzLOszLj5Xh2lQmwWg1PwkkMPfWt8bV+EI8d6asxK7CiRdu1BKgLmNwO+w8sroC
gxERUYlTvSZMlLFbcu6TYz2TifLeRmP9/SalxT8jgOT+xoaIgCUPvYOvbALqp1Kl
IMwA/e+XuJZV+9nL13HFx874a2mNv38NwYG4/luUEfmMXfxqsm7upJdFT4t+JrJU
QqAu34NGV8c=
=1oap
-----END PGP SIGNATURE-----