Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2018.0586.2
Asterisk Project Security Advisory
12 March 2018
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Asterisk
Publisher: Digium
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Impact/Access: Denial of Service -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2018-1000099 CVE-2018-1000098 CVE-2018-7286
CVE-2018-7284
Original Bulletin:
http://downloads.asterisk.org/pub/security/AST-2018-002.html
http://downloads.asterisk.org/pub/security/AST-2018-003.html
http://downloads.asterisk.org/pub/security/AST-2018-004.html
http://downloads.asterisk.org/pub/security/AST-2018-005.html
Revision History: March 12 2018: Added CVEs to two advisories.
February 28 2018: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
Asterisk Project Security Advisory - AST-2018-002
Product Asterisk
Summary Crash when given an invalid SDP media format description
Nature of Advisory Remote crash
Susceptibility Remote Authenticated Sessions
Severity Minor
Exploits Known No
Reported On January 15, 2018
Reported By Sandro Gauci
Posted On February 21, 2018
Last Updated On February 19, 2018
Advisory Contact Kevin Harwell <kharwell AT diguim DOT com>
CVE Name CVE-2018-1000098
Description By crafting an SDP message with an invalid media format description Asterisk
crashes when using the pjsip channel driver because pjproject's sdp parsing
algorithm fails to catch the invalid media format description.
The severity of this vulnerability is lessened since an endpoint must be
authenticated prior to reaching the crash point, or it's configured with no
authentication.
Resolution Stricter validation is now done when pjproject parses an SDP's media format
description. Invalid values are now properly handled.
Affected Versions
Product Release
Series
Asterisk Open Source 13.x All Releases
Asterisk Open Source 14.x All Releases
Asterisk Open Source 15.x All Releases
Certified Asterisk 13.18 All Releases
Corrected In
Product Release
Asterisk Open Source 13.19.2, 14.7.6, 15.2.2
Certified Asterisk 13.18-cert3
Patches
SVN URL Revision
http://downloads.asterisk.org/pub/security/ Asterisk 13
AST-2018-002-13.diff
http://downloads.asterisk.org/pub/security/ Asterisk 14
AST-2018-002-14.diff
http://downloads.asterisk.org/pub/security/ Asterisk 15
AST-2018-002-15.diff
http://downloads.asterisk.org/pub/security/ Certified Asterisk 13.18
AST-2018-002-13.18.diff
Links https://issues.asterisk.org/jira/browse/ASTERISK-27582
Asterisk Project Security Advisories are posted at http://www.asterisk.org/security
This document may be superseded by later versions; if so, the latest version
will be posted at http://downloads.digium.com/pub/security/AST-2018-002.pdf and
http://downloads.digium.com/pub/security/AST-2018-002.html
Revision History
Date Editor Revisions Made
January 30, 2018 Kevin Harwell Initial Revision
Asterisk Project Security Advisory - AST-2018-002
Copyright (C) 2018 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
- ----------------------------------------------------------------------------------
Asterisk Project Security Advisory - AST-2018-003
Product Asterisk
Summary Crash with an invalid SDP fmtp attribute
Nature of Advisory Remote crash
Susceptibility Remote Authenticated Sessions
Severity Minor
Exploits Known No
Reported On January 15, 2018
Reported By Sandro Gauci
Posted On February 21, 2018
Last Updated On February 19, 2018
Advisory Contact Kevin Harwell <kharwell AT diguim DOT com>
CVE Name CVE-2018-1000099
Description By crafting an SDP message body with an invalid fmtp attribute Asterisk crashes
when using the pjsip channel driver because pjproject's fmtp retrieval function
fails to check if fmtp value is empty (set empty if previously parsed as
invalid).
The severity of this vulnerability is lessened since an endpoint must be
authenticated prior to reaching the crash point, or it's configured with no
authentication.
Resolution A stricter check is now done when pjproject retrieves the fmtp attribute. Empty
values are now properly handled.
Affected Versions
Product Release
Series
Asterisk Open Source 13.x All Releases
Asterisk Open Source 14.x All Releases
Asterisk Open Source 15.x All Releases
Certified Asterisk 13.18 All Releases
Corrected In
Product Release
Asterisk Open Source 13.19.2, 14.7.6, 15.2.2
Certified Asterisk 13.18-cert3
Patches
SVN URL Revision
http://downloads.asterisk.org/pub/security/ Asterisk 13
AST-2018-003-13.diff
http://downloads.asterisk.org/pub/security/ Asterisk 14
AST-2018-003-14.diff
http://downloads.asterisk.org/pub/security/ Asterisk 15
AST-2018-003-15.diff
http://downloads.asterisk.org/pub/security/ Certified Asterisk 13.18
AST-2018-003-13.18.diff
Links https://issues.asterisk.org/jira/browse/ASTERISK-27583
Asterisk Project Security Advisories are posted at http://www.asterisk.org/security
This document may be superseded by later versions; if so, the latest version
will be posted at http://downloads.digium.com/pub/security/AST-2018-003.pdf and
http://downloads.digium.com/pub/security/AST-2018-003.html
Revision History
Date Editor Revisions Made
January 30, 2018 Kevin Harwell Initial Revision
Asterisk Project Security Advisory - AST-2018-003
Copyright (C) 2018 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
- ----------------------------------------------------------------------------------
Asterisk Project Security Advisory - AST-2018-004
Product Asterisk
Summary Crash when receiving SUBSCRIBE request
Nature of Advisory Remote Crash
Susceptibility Remote Unauthenticated Sessions
Severity Major
Exploits Known No
Reported On January 30, 2018
Reported By Sandro Gauci
Posted On February 21, 2018
Last Updated On February 21, 2018
Advisory Contact Joshua Colp <jcolp AT digium DOT com>
CVE Name CVE-2018-7284
Description When processing a SUBSCRIBE request the res_pjsip_pubsub module stores the
accepted formats present in the Accept headers of the request. This code did
not limit the number of headers it processed despite having a fixed limit of
32. If more than 32 Accept headers were present the code would write outside of
its memory and cause a crash.
Resolution The res_pjsip_pubsub module has been changed to enforce a limit on the maximum
number of Accept headers it will process. To receive this change upgrade to the
version of Asterisk where this is resolved or apply the appropriate provided
patch.
Affected Versions
Product Release
Series
Asterisk Open Source 13.x All versions
Asterisk Open Source 14.x All versions
Asterisk Open Source 15.x All versions
Certified Asterisk 13.18 All versions
Corrected In
Product Release
Asterisk Open Source 13.19.2, 14.7.6, 15.2.2
Certified Asterisk 13.18-cert3
Patches
SVN URL Revision
http://downloads.asterisk.org/pub/security/ Asterisk 13
AST-2018-004-13.diff
http://downloads.asterisk.org/pub/security/ Asterisk 14
AST-2018-004-14.diff
http://downloads.asterisk.org/pub/security/ Asterisk 15
AST-2018-004-15.diff
http://downloads.asterisk.org/pub/security/ Certified Asterisk 13.18
AST-2018-004-13.18.diff
Links https://issues.asterisk.org/jira/browse/ASTERISK-27640
Asterisk Project Security Advisories are posted at http://www.asterisk.org/security
This document may be superseded by later versions; if so, the latest version
will be posted at http://downloads.digium.com/pub/security/AST-2018-004.pdf and
http://downloads.digium.com/pub/security/AST-2018-004.html
Revision History
Date Editor Revisions Made
February 5, 2018 Joshua Colp Initial Revision
February 21, 2018 Joshua Colp Added CVE
Asterisk Project Security Advisory - AST-2018-004
Copyright (C) 2018 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
- ----------------------------------------------------------------------------------
Asterisk Project Security Advisory - AST-2018-005
Product Asterisk
Summary Crash when large numbers of TCP connections are closed suddenly
Nature of Advisory Remote Crash
Susceptibility Remote Authenticated Sessions
Severity Moderate
Exploits Known No
Reported On January 24, 2018
Reported By Sandro Gauci
Posted On February 21, 2018
Last Updated On February 21, 2018
Advisory Contact gjoseph AT digium DOT com
CVE Name CVE-2018-7286
Description A crash occurs when a number of authenticated INVITE messages are sent over TCP
or TLS and then the connection is suddenly closed. This issue leads to a
segmentation fault.
Resolution A patch to asterisk is available that prevents the crash by locking the
underlying transport until a response is sent.
Affected Versions
Product Release
Series
Asterisk Open Source 13.x All Versions
Asterisk Open Source 14.x All Versions
Asterisk Open Source 15.x All Versions
Certified Asterisk 13.18 All Versions
Corrected In
Product Release
Asterisk Open Source 13.19.2, 14.7.6, 15.2.2
Certified Asterisk 13.18-cert3
Patches
SVN URL Revision
http://downloads.asterisk.org/pub/security/ Asterisk 13
AST-2018-005-13.diff
http://downloads.asterisk.org/pub/security/ Asterisk 14
AST-2018-005-14.diff
http://downloads.asterisk.org/pub/security/ Asterisk 15
AST-2018-005-15.diff
http://downloads.asterisk.org/pub/security/ Certified Asterisk 13.18
AST-2018-005-13.18.diff
Links https://issues.asterisk.org/jira/browse/ASTERISK-27618
http://downloads.asterisk.org/pub/security/AST-2018-005.html
Asterisk Project Security Advisories are posted at http://www.asterisk.org/security
This document may be superseded by later versions; if so, the latest version
will be posted at http://downloads.digium.com/pub/security/AST-2018-005.pdf and
http://downloads.digium.com/pub/security/AST-2018-005.html
Revision History
Date Editor Revisions Made
February 6, 2018 George Joseph Initial Revision
Asterisk Project Security Advisory - AST-2018-005
Copyright (C) 2018 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBWqYUs4x+lLeg9Ub1AQgwMxAAmP2iZZWRdvnOt1yVG8rHPXDrb8+zRC84
3Pk5Had4ehwS8JOzAdBIlHPzTj7Hshk59phJjsZfj7xoxefnyEp96PIKo8BxUfG4
IjFQr5ZAs6M3R0U4+zYCPPpBxRDGWrpjDnZcPp7igmxhEvVJ/4OVwdjY9uRHvIhf
5FcnUPamTRI/iWVfS4F++83olWa4npw+AiiT3P1k3XEb9VM6GC4gyS7bp0ThiLP3
ioGSJeL31pDDWRZMLINr1IyzLhdTSJko40PGHkzQnD5wlSsjX+HNkaz2Ot1p863h
pCEoLJ+kyfsHhMmacsRyAwv/WAfWDroUExeV+uneUKU1Rc/9aw7HTNKTzLnsKPcA
hBUTxV4Y6i8M2xX9bedGJ0/AkWG1DzR27H9HZCFKUN1haYEnFD6mBQhFsJu1RHL5
hvwBFfxoTHvZSFm7Y3FmWcoVjAw6hkppmRRzEj4GedeNv3I/Vie5GoQE/kEJ0jgP
/CzLOszLj5Xh2lQmwWg1PwkkMPfWt8bV+EI8d6asxK7CiRdu1BKgLmNwO+w8sroC
gxERUYlTvSZMlLFbcu6TYz2TifLeRmP9/SalxT8jgOT+xoaIgCUPvYOvbALqp1Kl
IMwA/e+XuJZV+9nL13HFx874a2mNv38NwYG4/luUEfmMXfxqsm7upJdFT4t+JrJU
QqAu34NGV8c=
=1oap
-----END PGP SIGNATURE-----