
             AUSCERT External Security Bulletin Redistribution

       AST-2019-005: A vulnerability has been identified in Asterisk
                             6 September 2019


        AusCERT Security Bulletin Summary

Product:           Asterisk
Publisher:         Asterisk
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Denial of Service -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-15639

Original Bulletin: 

--------------------------BEGIN INCLUDED TEXT--------------------

Asterisk Project Security Advisory - AST-2019-005

       Product         Asterisk

       Summary         Remote Crash Vulnerability in audio transcoding

 Nature of Advisory    Denial of Service

   Susceptibility      Remote Unauthenticated Sessions

      Severity         Minor

   Exploits Known      No

     Reported On       August 7, 2019

     Reported By       Gregory Massel

      Posted On

   Last Updated On     August 26, 2019

  Advisory Contact     Jcolp AT sangoma DOT com

      CVE Name         CVE-2019-15639

     Description       When audio frames are given to the audio transcoding support in Asterisk the
                       number of samples are examined and as part of this a message is output to
                       indicate that no samples are present. A change was done to suppress this
                       message for a particular scenario in which the message was not relevant. This
                       change assumed that information about the origin of a frame will always exist
                       when in reality it may not.

                       This issue presented itself when an RTP packet containing no audio (and thus no
                       samples) was received. In a particular transcoding scenario this audio frame
                       would get turned into a frame with no origin information. If this new frame was
                       then given to the audio transcoding support a crash would occur as no samples
                       and no origin information would be present. The transcoding scenario requires
                       the genericplc option to be set to enabled (the default) and a transcoding
                       path from the source format into signed linear and then from signed linear into
                       another format.

                       Note that there may be other scenarios that have not been found which can cause
                       an audio frame with no origin to be given to the audio transcoding support and
                       thus cause a crash.
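The following is an added illustration of the condition the advisory describes, not Asterisk's own code from main/translate.c: a simplified frame type and a check that must cope with a frame carrying zero samples and no origin information. The struct, the result codes, the origin names "plc" and "dsp", and the chain that drops the origin are all constructed for this example.

```c
/* Added illustration of AST-2019-005 (not Asterisk source). A frame that
 * reaches the transcoder with zero samples AND no origin string must be
 * handled without dereferencing the missing origin. */
#include <stddef.h>
#include <string.h>

/* Hypothetical, simplified stand-in for an audio frame. */
struct audio_frame {
    const char *src;    /* origin of the frame; may be NULL */
    int samples;        /* number of audio samples carried */
};

enum translate_result {
    TR_OK = 0,            /* frame has samples, translate normally */
    TR_EMPTY_LOGGED,      /* no samples; the "no samples" message is emitted */
    TR_EMPTY_SUPPRESSED,  /* no samples from an origin where that is expected */
    TR_EMPTY_NO_ORIGIN    /* no samples and no origin: the crashing case */
};

/* Origins for which an empty frame is expected and the message is suppressed
 * (names constructed for this illustration). The NULL guard is the point:
 * the advisory's root cause was assuming the origin is always present. */
static int origin_expects_empty(const char *src)
{
    if (src == NULL) {
        return 0;
    }
    return strcmp(src, "plc") == 0 || strcmp(src, "dsp") == 0;
}

enum translate_result check_frame_for_translation(const struct audio_frame *f)
{
    if (f->samples > 0) {
        return TR_OK;
    }
    if (f->src == NULL) {
        /* An unguarded strcmp(f->src, ...) here is what crashed. */
        return TR_EMPTY_NO_ORIGIN;
    }
    return origin_expects_empty(f->src) ? TR_EMPTY_SUPPRESSED : TR_EMPTY_LOGGED;
}

/* Model of the described path: an RTP frame goes through a first translation
 * step (source -> signed linear) that yields a frame without origin, and that
 * frame is then handed to the transcoder again. */
enum translate_result transcode_chain(struct audio_frame in)
{
    struct audio_frame slin = { NULL, in.samples }; /* origin lost here */
    return check_frame_for_translation(&slin);
}
```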

  Modules Affected     main/translate.c

     Resolution        The genericplc option can be disabled in codecs.conf to mitigate the
                       described scenario. It is recommended, however, that Asterisk be upgraded to
                       one of the listed versions or the linked patch applied to protect against
                       potential unknown scenarios.

                               Affected Versions

              Product                  Release
       Asterisk Open Source            13.x      13.28.0
       Asterisk Open Source            16.x      16.5.0

                                 Corrected In

              Product                  Release
       Asterisk Open Source            13.28.1
       Asterisk Open Source            16.5.1


                     SVN URL                                             Revision

http://downloads.asterisk.org/pub/security/         Asterisk 13

http://downloads.asterisk.org/pub/security/         Asterisk 16

        Links          https://issues.asterisk.org/jira/browse/ASTERISK-28499

Asterisk Project Security Advisories are posted at http://www.asterisk.org/

This document may be superseded by later versions; if so, the latest version
will be posted at http://downloads.digium.com/pub/security/AST-2019-005.pdf
and http://downloads.digium.com/pub/security/AST-2019-005.html

                               Revision History

       Date                   Editor                                Revisions Made

August 26, 2019      Joshua Colp                Initial revision

               Asterisk Project Security Advisory - AST-2019-005
              Copyright (C) 2019 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.