-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2019.4421
Asterisk Project Security Advisory
22 November 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Asterisk
Publisher: Asterisk
Operating System: Windows
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Execute Arbitrary Code/Commands -- Existing Account
Denial of Service -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2019-18976 CVE-2019-18790 CVE-2019-18610
Original Bulletin:
http://downloads.asterisk.org/pub/security/AST-2019-006.html
http://downloads.asterisk.org/pub/security/AST-2019-007.html
http://downloads.asterisk.org/pub/security/AST-2019-008.html
Comment: This bulletin contains three (3) security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
Asterisk Project Security Advisory - AST-2019-006
Product Asterisk
Summary SIP request can change address of a SIP peer.
Nature of Advisory Denial of Service
Susceptibility Remote Unauthenticated Sessions
Severity Minor
Exploits Known No
Reported On October 17, 2019
Reported By Andrey V. T.
Posted On November 21, 2019
Last Updated On November 21, 2019
Advisory Contact bford AT sangoma DOT com
CVE Name CVE-2019-18790
Description A SIP request can be sent to Asterisk that can change a SIP peer's IP address.
A REGISTER does not need to occur, and calls can be hijacked as a result. The
only thing that needs to be known is the peer's name; authentication details
such as passwords do not need to be known. This vulnerability is only
exploitable when the nat option is left at its default, auto_force_rport, or
set to that value explicitly.
Modules Affected channels/chan_sip.c
Resolution Using any other option value for nat will prevent the attack (such as
nat=no or nat=force_rport), but this will need to be tested on an individual
basis to ensure that it works for the user's deployment. On the fixed versions
of Asterisk, the address of the peer is no longer set before authentication
succeeds when a SIP request comes in.
Affected Versions
Product Release
Series
Asterisk Open Source 13.x All releases
Asterisk Open Source 16.x All releases
Asterisk Open Source 17.x All releases
Certified Asterisk 13.21 All releases
Corrected In
Product Release
Asterisk Open Source 13.29.2
Asterisk Open Source 16.6.2
Asterisk Open Source 17.0.1
Certified Asterisk 13.21-cert5
Patches
SVN URL Revision
http://downloads.asterisk.org/pub/security/AST-2019-006-13.diff Asterisk 13
http://downloads.asterisk.org/pub/security/AST-2019-006-16.diff Asterisk 16
http://downloads.asterisk.org/pub/security/AST-2019-006-17.diff Asterisk 17
http://downloads.asterisk.org/pub/security/AST-2019-006-13.21.diff Certified Asterisk 13.21-cert5
Links https://issues.asterisk.org/jira/browse/ASTERISK-28589
Asterisk Project Security Advisories are posted at http://www.asterisk.org/
security
This document may be superseded by later versions; if so, the latest version
will be posted at http://downloads.digium.com/pub/security/AST-2019-006.pdf
and http://downloads.digium.com/pub/security/AST-2019-006.html
Revision History
Date Editor Revisions Made
October 22, 2019 Ben Ford Initial Revision
November 14, 2019 Ben Ford Corrected and updated fields for versioning, and added
CVE
November 21, 2019 Ben Ford Added Posted On date
Asterisk Project Security Advisory - AST-2019-006
Copyright (C) 2019 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
===============================================================================
Asterisk Project Security Advisory - AST-2019-007
Product Asterisk
Summary AMI user could execute system commands.
Nature of Advisory Remote Code Execution
Susceptibility Remote Authenticated Sessions
Severity Minor
Exploits Known No
Reported On October 10, 2019
Reported By Eliel Sardañons
Posted On November 21, 2019
Last Updated On November 21, 2019
Advisory Contact gjoseph AT digium DOT com
CVE Name CVE-2019-18610
Description A remote authenticated Asterisk Manager Interface (AMI) user without system
authorization could use a specially crafted Originate AMI request to
execute arbitrary system commands.
Modules Affected manager.c
Resolution The specific parameters of the Originate AMI request that allowed the remote
code execution are now blocked if the user does not have the system
authorization.
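The two resolutions above (AST-2019-006: any nat value other than the auto_force_rport default; AST-2019-007: keep the system write class away from accounts that only need originate) both come down to configuration review. The following is an added example, not Asterisk project code: it parses Asterisk-style config (the usual ';' comments, key=value or key => value, [name](!) templates and [name](tmpl) inheritance), reports chan_sip peers whose effective nat setting is the vulnerable one, and classifies manager.conf users by write permission and source ACL. The sip.conf and manager.conf texts are constructed, the finding names are this example's own, and the audit rules are this example's reading of the advisories, not checks Asterisk ships.

```python
"""Added example (not Asterisk project code): audit sip.conf for the AST-2019-006
nat exposure and manager.conf for AMI write permissions (AST-2019-007). Configs
are constructed; the rules are this example's reading of the advisories."""
import re
from typing import Dict, List, Set, Tuple

Section = Dict[str, List[str]]  # key -> values (Asterisk allows repeated keys)
_HEADER = re.compile(r"^\[([^\]]+)\](?:\(([^)]*)\))?$")

def parse_asterisk_conf(text: str) -> Dict[str, Section]:
    """Asterisk-style config: ';' comments, key=value or key => value, [name](!)
    templates and [name](tmpl,...) inheritance (folded in, then dropped)."""
    raw: Dict[str, Tuple[List[str], Section, bool]] = {}
    order, name = [], None
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line or line.startswith("#"):  # blank, or #include/#exec
            continue
        m = _HEADER.match(line)
        if m:
            name = m.group(1)
            opts = [o.strip() for o in (m.group(2) or "").split(",") if o.strip()]
            raw[name] = ([o for o in opts if o != "!"], {}, "!" in opts)
            order.append(name)
        elif name is not None and "=" in line:
            key, value = line.split("=", 1)
            raw[name][1].setdefault(key.strip(), []).append(value.lstrip(">").strip())

    def resolve(n: str) -> Section:
        parents, own, _ = raw[n]
        merged: Section = {}
        for p in parents:
            if p in raw:
                merged.update(resolve(p))
        merged.update(own)  # a child's own key replaces the inherited one
        return merged

    return {n: resolve(n) for n in order if not raw[n][2]}

def _csv(sec: Section, key: str, default: List[str]) -> Set[str]:
    return {v.strip() for val in sec.get(key, default) for v in val.split(",") if v.strip()}

def nat_exposed_peers(sip_conf: str) -> List[str]:
    """Peers whose effective nat is unset (the default, auto_force_rport) or
    explicitly auto_force_rport; a peer-level nat overrides [general]."""
    conf = parse_asterisk_conf(sip_conf)
    general_nat = conf.get("general", {}).get("nat", [])
    exposed = []
    for name, sec in conf.items():
        if name == "general" or "type" not in sec:  # peers/friends carry type=
            continue
        nat = _csv(sec, "nat", general_nat)
        if not nat or "auto_force_rport" in nat:
            exposed.append(name)
    return exposed

def ami_findings(manager_conf: str) -> Dict[str, List[str]]:
    """system/all in write= is command execution by design; originate without
    system is the class AST-2019-007 concerns; no permit= means no source ACL."""
    findings: Dict[str, List[str]] = {}
    for name, sec in parse_asterisk_conf(manager_conf).items():
        if name == "general":
            continue
        issues, write = [], _csv(sec, "write", [])
        if write & {"all", "system"}:
            issues.append("system-write")
        elif "originate" in write:
            issues.append("originate-without-system")
        if "permit" not in sec:
            issues.append("no-permit-acl")
        if issues:
            findings[name] = sorted(issues)
    return findings

# Constructed samples; secrets are placeholders.
SIP_CONF = """[general]               ; no nat here: the auto_force_rport default applies
[phone-tmpl](!)
type=friend
[carrier1]
type=peer
nat=force_rport,comedia   ; explicit non-auto value, not flagged
[desk-2001](phone-tmpl)
secret=REDACTED           ; inherits no nat, so the default applies: flagged
[fax-gw]
type=friend
nat=auto_force_rport,auto_comedia
"""
MANAGER_CONF = """[monitor]
secret=REDACTED
deny=0.0.0.0/0.0.0.0
permit=127.0.0.1/255.255.255.255
write=
[dialer]
secret=REDACTED
write=originate,call
[ops]
secret=REDACTED
write=all
"""
```

Run `nat_exposed_peers(open("/etc/asterisk/sip.conf").read())` and `ami_findings(open("/etc/asterisk/manager.conf").read())` against a live box; on the constructed samples the first returns desk-2001 and fax-gw (carrier1 is clean), and the second flags dialer and ops but not monitor. Note that the nat check is about whether an unfixed chan_sip would accept an unauthenticated address change, so a peer listed there is only a problem on versions before the Corrected In releases below, while an AMI account with system write is full command execution on any version.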
Affected Versions
Product Release
Series
Asterisk Open Source 13.x All releases
Asterisk Open Source 16.x All releases
Asterisk Open Source 17.x All releases
Certified Asterisk 13.21 All releases
Corrected In
Product Release
Asterisk Open Source 13.29.2
Asterisk Open Source 16.6.2
Asterisk Open Source 17.0.1
Certified Asterisk 13.21-cert5
Patches
SVN URL Revision
http://downloads.asterisk.org/pub/security/AST-2019-007-13.diff Asterisk 13
http://downloads.asterisk.org/pub/security/AST-2019-007-16.diff Asterisk 16
http://downloads.asterisk.org/pub/security/AST-2019-007-17.diff Asterisk 17
http://downloads.asterisk.org/pub/security/AST-2019-007-13.21.diff Certified Asterisk 13.21-cert5
Links https://issues.asterisk.org/jira/browse/ASTERISK-28580
Asterisk Project Security Advisories are posted at http://www.asterisk.org/
security
This document may be superseded by later versions; if so, the latest version
will be posted at http://downloads.digium.com/pub/security/AST-2019-007.pdf
and http://downloads.digium.com/pub/security/AST-2019-007.html
Revision History
Date Editor Revisions Made
October 24, 2019 George Joseph Initial Revision
November 21, 2019 Ben Ford Added Posted On date
Asterisk Project Security Advisory - AST-2019-007
Copyright (C) 2019 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
===============================================================================
Asterisk Project Security Advisory -
Product Asterisk
Summary Re-invite with T.38 and malformed SDP causes crash.
Nature of Advisory Remote Crash
Susceptibility Remote Authenticated Sessions
Severity Minor
Exploits Known No
Reported On November 07, 2019
Reported By Salah Ahmed
Posted On November 21, 2019
Last Updated On November 21, 2019
Advisory Contact bford AT sangoma DOT com
CVE Name CVE-2019-18976
Description If Asterisk receives a re-invite initiating T.38 faxing whose SDP has a media
port of 0 and no c= (connection) line, a crash will occur.
Modules Affected res_pjsip_t38.c
Resolution If T.38 faxing is not needed, the t38_udptl configuration option in
pjsip.conf can be set to no to disable the functionality. This option defaults
to no and would have to be manually turned on to experience this crash.
If T.38 faxing is needed, then Asterisk should be upgraded to a fixed version.
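The trigger above is an SDP edge case: a port of 0 means the stream is rejected, and a connection address may live at session level, media level, or be absent altogether, so a T.38 negotiator has to resolve both before it uses either. The following is an added example, not Asterisk or PJSIP code, showing the check the unfixed module lacked: it parses SDP media sections, resolves the connection address with media-level c= taking precedence over session-level c=, and returns no UDPTL target when the port is 0 or no address exists instead of proceeding with a missing value. The two SDP bodies are constructed, one well-formed T.38 offer and one matching the advisory's crash condition.

```python
"""Added example (not Asterisk or PJSIP code): parse SDP media sections the
way a T.38 negotiator must before touching the address, so the AST-2019-008
condition (m=image ... udptl with port 0 and no c= line at either level)
yields 'no usable stream' instead of a crash. The SDP bodies are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Media:
    kind: str                 # 'audio', 'image', ...
    port: int                 # 0 means the stream is rejected/disabled (RFC 4566)
    proto: str                # 'RTP/AVP', 'udptl', ...
    formats: List[str]
    addr: Optional[str]       # resolved connection address, None if absent
    attrs: Dict[str, str] = field(default_factory=dict)


def _conn_addr(value: str) -> Optional[str]:
    """c=<nettype> <addrtype> <connection-address>; None if malformed."""
    parts = value.split()
    return parts[2] if len(parts) >= 3 else None


def parse_sdp(text: str) -> List[Media]:
    """Return media sections with media-level c= taking precedence over the
    session-level c=, and addr=None when neither is present."""
    session_addr: Optional[str] = None
    medias: List[Media] = []
    cur: Optional[Media] = None
    for line in text.splitlines():
        if len(line) < 2 or line[1] != "=":
            continue
        typ, val = line[0], line[2:]
        if typ == "m":
            f = val.split()
            if len(f) < 3 or not f[1].split("/")[0].isdigit():
                raise ValueError(f"malformed m= line: {val!r}")
            cur = Media(f[0], int(f[1].split("/")[0]), f[2], f[3:], None)
            medias.append(cur)
        elif typ == "c":
            if cur is None:
                session_addr = _conn_addr(val)
            else:
                cur.addr = _conn_addr(val)
        elif typ == "a" and cur is not None:
            name, _, attr_val = val.partition(":")
            cur.attrs[name] = attr_val
    for m in medias:
        if m.addr is None:
            m.addr = session_addr
    return medias


def t38_target(medias: List[Media]) -> Optional[Tuple[str, int]]:
    """Where to send UDPTL, or None when the offer has no usable T.38 stream.
    Both checks are needed: port 0 is a rejected stream even if an address
    exists, and a missing address is unusable even with a non-zero port."""
    for m in medias:
        if m.kind == "image" and m.proto.lower() == "udptl":
            if m.port == 0 or m.addr is None:
                return None
            return (m.addr, m.port)
    return None


# Constructed re-INVITE bodies: a normal T.38 offer and the crash condition.
T38_OK = "\r\n".join([
    "v=0", "o=fax 1 2 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10", "t=0 0",
    "m=image 4000 udptl t38", "a=T38FaxVersion:0", "a=T38MaxBitRate:14400", ""])
T38_CRASH_CASE = "\r\n".join([
    "v=0", "o=fax 1 3 IN IP4 192.0.2.10", "s=-", "t=0 0",
    "m=image 0 udptl t38", ""])

if __name__ == "__main__":
    print(t38_target(parse_sdp(T38_OK)))          # ('192.0.2.10', 4000)
    print(t38_target(parse_sdp(T38_CRASH_CASE)))  # None
```

A None result is the signal to answer the re-invite with the image stream rejected (port 0 in the answer) or to decline it, rather than to start UDPTL. The same resolution order applies when auditing captured SDP from a fax gateway, which is a quick way to tell whether traffic like the advisory's re-invite is reaching an unpatched 13.x box.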
Affected Versions
Product Release
Series
Asterisk Open Source 13.x All versions
Certified Asterisk 13.21 All versions
Corrected In
Product Release
Asterisk Open Source 13.29.2
Certified Asterisk 13.21-cert5
Patches
SVN URL Revision
http://downloads.asterisk.org/pub/security/AST-2019-008-13.diff Asterisk 13
http://downloads.asterisk.org/pub/security/AST-2019-008-13.21.diff Certified Asterisk 13.21-cert5
Links https://issues.asterisk.org/jira/browse/ASTERISK-28612
Asterisk Project Security Advisories are posted at http://www.asterisk.org/
security
This document may be superseded by later versions; if so, the latest version
will be posted at http://downloads.digium.com/pub/security/ .pdf and http://
downloads.digium.com/pub/security/ .html
Revision History
Date Editor Revisions Made
November 12, 2019 Ben Ford Initial Revision
November 21, 2019 Ben Ford Added Posted On date
Asterisk Project Security Advisory -
Copyright (C) 2019 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----