If an incoming SIP message contains a malformed multipart body, an out-of-bounds read may occur, which can result in undefined behavior. Note: it is currently uncertain whether there is any externally exploitable vector within Asterisk for this issue, but the Asterisk project is publishing it as a security issue out of caution.
97b8999a7c776bc25667d248af8128d9089bb735a74f21b5e8602a90fb5d57dc
When acting as a UAC and placing an outgoing call to a target that then forks, Asterisk may experience undefined behavior after a dialog set is prematurely freed.
caf0098653c4aa078aff32dd6a697ddb405273dec27531e5365356d26193b7fe
The header length of incoming STUN messages that contain an ERROR-CODE attribute is not properly checked, which can result in an integer underflow. Note: this requires ICE or WebRTC support to be in use with a malicious remote party.
b4d958ee6e32f6f622c4ae3b0cd99a1c00dcde4578e8d8eca299633634cfec4c
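The bug class behind the STUN advisory above is a length field that is trusted before it is bounded. The ERROR-CODE attribute value starts with a fixed 4-byte prefix (reserved bits, class, number) followed by the reason phrase, so the reason length is the attribute length minus 4; if that subtraction is done in unsigned arithmetic on an attribute shorter than 4 bytes it wraps to a huge value, and the subsequent read runs off the end of the packet. The following is an added example written for this page, not Asterisk's or pjproject's code: it shows the unchecked subtraction next to a parser that bounds every length against the bytes actually received. The sample messages are constructed; the function and struct names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define STUN_HDR_LEN 20
#define STUN_ATTR_ERROR_CODE 0x0009

struct stun_error {
    int code;              /* class * 100 + number, e.g. 401 */
    size_t reason_len;     /* bytes in the reason phrase */
    const uint8_t *reason; /* points into the message buffer */
};

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(((unsigned)p[0] << 8) | p[1]);
}

/* Unchecked pattern: reason length is attribute length minus the 4-byte
 * ERROR-CODE prefix. With attr_len < 4 the unsigned subtraction wraps to a
 * value near SIZE_MAX, and whatever then reads reason_len bytes overruns. */
size_t reason_len_unchecked(uint16_t attr_len)
{
    return (size_t)attr_len - 4;
}

/* Checked parse of the first ERROR-CODE attribute.
 * Returns 0 on success, -1 if the message or attribute is malformed. */
int stun_parse_error_code(const uint8_t *msg, size_t msg_len,
                          struct stun_error *out)
{
    if (msg_len < STUN_HDR_LEN)
        return -1;
    size_t body_len = rd16(msg + 2);
    if (body_len > msg_len - STUN_HDR_LEN)   /* declared length vs bytes received */
        return -1;

    size_t off = STUN_HDR_LEN;
    size_t end = STUN_HDR_LEN + body_len;
    while (off + 4 <= end) {
        uint16_t type = rd16(msg + off);
        size_t alen = rd16(msg + off + 2);
        const uint8_t *val = msg + off + 4;
        if (alen > end - (off + 4))           /* value must fit in the body */
            return -1;
        if (type == STUN_ATTR_ERROR_CODE) {
            /* RFC 5389 s15.6: 2 reserved bytes, class (3 bits), number, reason */
            if (alen < 4)                     /* the check whose absence underflows */
                return -1;
            int cls = val[2] & 0x07;
            int num = val[3];
            if (cls < 3 || cls > 6 || num > 99)
                return -1;
            out->code = cls * 100 + num;
            out->reason_len = alen - 4;       /* cannot wrap now */
            out->reason = val + 4;
            return 0;
        }
        off += 4 + ((alen + 3) & ~(size_t)3); /* attributes are 4-byte aligned */
    }
    return -1;                                 /* no ERROR-CODE attribute */
}

/* Helper for checks: 1 if msg parses with the given code and reason phrase. */
int stun_error_matches(const uint8_t *msg, size_t len, int code, const char *reason)
{
    struct stun_error e;
    if (stun_parse_error_code(msg, len, &e) != 0)
        return 0;
    return e.code == code && e.reason_len == strlen(reason)
        && memcmp(e.reason, reason, e.reason_len) == 0;
}

/* Constructed sample: Binding Error Response carrying ERROR-CODE 401 "Unauthorized". */
const uint8_t stun_sample_ok[] = {
    0x01, 0x11, 0x00, 0x14, 0x21, 0x12, 0xA4, 0x42,
    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B,
    0x00, 0x09, 0x00, 0x10, 0x00, 0x00, 0x04, 0x01,
    'U', 'n', 'a', 'u', 't', 'h', 'o', 'r', 'i', 'z', 'e', 'd',
};

/* Constructed sample: ERROR-CODE attribute claiming only 2 bytes of value. */
const uint8_t stun_sample_short[] = {
    0x01, 0x11, 0x00, 0x08, 0x21, 0x12, 0xA4, 0x42,
    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B,
    0x00, 0x09, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00,
};

int main(void)
{
    struct stun_error e;
    if (stun_parse_error_code(stun_sample_ok, sizeof stun_sample_ok, &e) == 0)
        printf("error %d, reason \"%.*s\"\n", e.code, (int)e.reason_len, e.reason);
    printf("short attribute: parse=%d, unchecked reason_len=%zu\n",
           stun_parse_error_code(stun_sample_short, sizeof stun_sample_short, &e),
           reason_len_unchecked(2));
    return 0;
}
```

The order of the checks matters: the outer body length is compared against the received byte count before any attribute is touched, each attribute length is compared against the remaining body before its value is read, and only then is the ERROR-CODE prefix subtracted. Dropping any one of the three reintroduces an out-of-bounds read.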
Depending on timing, Asterisk can crash when using a TLS connection if the underlying socket's parent/listener is destroyed during the handshake.
f908e37fa6bf92ff245d1f52190b304b3ef6738cc22397a7a0ad4665b63b3f39
If the IAX2 channel driver receives a packet that contains an unsupported media format, Asterisk can crash.
4b4013dde28ebd85bf26ab9c3fd8cf604c2de2c7aacef317b575436966ddf0a0
When re-negotiating for T.38, if the initial remote response was delayed just enough, Asterisk would send both audio and T.38 in the SDP. If this happened and the remote then responded with a declined T.38 stream, Asterisk would crash.
2a9795115e2a46d96ffa9cb29f66fab90c91d64bdafcfd927d79e02c48f5c8b5
Asterisk Project Security Advisory - A crash can occur in Asterisk when a SIP 181 response is received that has a Diversion header, which contains a tel-uri.
a26dc337f57530d82d427354073f347e972800a041eeb38f8141eeefd479f86b
Asterisk Project Security Advisory - A crash can occur in Asterisk when a SIP message is received that has a History-Info header, which contains a tel-uri. Note, the remote client must be authenticated, or Asterisk must be configured for anonymous calling in order for this problem to manifest.
48af91212546e76d006116dba7b12815d843a845495623b78255f9379d3b2484
Asterisk Project Security Advisory - Upon receiving a new SIP INVITE, Asterisk did not return the created dialog locked or referenced. This left a gap between the creation of the dialog object and its next use by the thread that created it. Under off-nominal circumstances and timing, another thread could free the dialog in that gap, and Asterisk could then crash when the dialog object, or any of its dependent objects, was next dereferenced or accessed by the creating thread.
0ffdabc3873921af089a27d73efac1246b61b827d0d4706a0053ec41b4494fd6
Asterisk Project Security Advisory - By crafting an SDP message body with an invalid fmtp attribute, a remote party can crash Asterisk when the PJSIP channel driver is in use, because pjproject's fmtp retrieval function fails to check whether the fmtp value is empty (it is set to empty if it was previously parsed as invalid). The severity of this vulnerability is lessened because an endpoint must be authenticated before reaching the crash point, unless it is configured with no authentication.
9b8ed54f40c2eeeb8b0438fcc1f181112a56783842de914688edfeee94da5652
Asterisk Project Security Advisory - By crafting an SDP message with an invalid media format description, a remote party can crash Asterisk when the PJSIP channel driver is in use, because pjproject's SDP parsing algorithm fails to catch the invalid media format description. The severity of this vulnerability is lessened because an endpoint must be authenticated before reaching the crash point, unless it is configured with no authentication.
891c0434dd5c6146ed9c01205891569b4cbbd6cb0ddddb9c96165c020a8fe6ab
Asterisk Project Security Advisory - A select set of SIP messages create a dialog in Asterisk, and those messages must contain a Contact header. If the header was absent and the PJSIP channel driver was in use, Asterisk would crash. The severity of this vulnerability is somewhat mitigated if authentication is enabled, since a user would then have to be authorized before reaching the crash point.
ed053308e894898a480e92d5016c992527cc685883fe08d5de10e9577ba6d611
Asterisk Project Security Advisory - A memory leak occurs when an Asterisk PJSIP session object is created and that call is rejected before the session is fully established. When this happens, the session object is never destroyed.
ef9c2364c68055df7468805ee829f6e50bad41d1db4ebba8c6ed3c73a1f0c1ac
Asterisk Project Security Advisory - No size checking is done when setting the user field on a CDR, so an arbitrarily large string can be written past the end of the user field storage buffer. This opens the possibility of remote code injection.
4f394dc143a808e8b1929549291dac026ba69e8dc9fd92c43b3dff47220e1290
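The CDR advisory above is the classic unbounded string copy into a fixed-size field. As an added illustration (not Asterisk's code; the struct, field size and function names are assumed for this example), the following shows the unchecked pattern next to a bounded setter that can never write past the array, always NUL-terminates, and reports truncation so the caller can log or reject an oversized value rather than silently losing data.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define CDR_USERFIELD_LEN 256   /* assumed storage size for this illustration */

struct cdr {
    char userfield[CDR_USERFIELD_LEN];
};

/* Unchecked pattern: strcpy writes strlen(value)+1 bytes regardless of the
 * destination size, so a value longer than 255 bytes overruns the array.
 * Defined for comparison only; never call it with untrusted input. */
void cdr_set_userfield_unchecked(struct cdr *cdr, const char *value)
{
    strcpy(cdr->userfield, value);
}

/* Bounded setter: copies at most sizeof(userfield)-1 bytes, always
 * NUL-terminates, and returns 1 if the value had to be truncated. */
int cdr_set_userfield(struct cdr *cdr, const char *value)
{
    size_t n = strlen(value);
    size_t max = sizeof(cdr->userfield) - 1;
    size_t copy = n > max ? max : n;
    memcpy(cdr->userfield, value, copy);
    cdr->userfield[copy] = '\0';
    return n > max;
}

/* Constructed oversized input: 1000 'A's, well past the field size. */
const char *oversized_value(void)
{
    static char buf[1001];
    memset(buf, 'A', sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    return buf;
}

/* Helpers for checks: truncation flag and resulting stored length. */
int cdr_set_truncated(const char *value)
{
    struct cdr c;
    return cdr_set_userfield(&c, value);
}

size_t cdr_set_len(const char *value)
{
    struct cdr c;
    cdr_set_userfield(&c, value);
    return strlen(c.userfield);
}

int main(void)
{
    printf("short value: truncated=%d len=%zu\n",
           cdr_set_truncated("agent42"), cdr_set_len("agent42"));
    printf("oversized value: truncated=%d len=%zu\n",
           cdr_set_truncated(oversized_value()), cdr_set_len(oversized_value()));
    return 0;
}
```

The value that reaches the setter may come over the wire or through AMI, which is why the bound is taken from the destination (`sizeof(cdr->userfield)`) rather than from anything the caller supplies. Returning the truncation flag also matters: a silently shortened field is a lesser but real defect, since downstream billing or logging sees a different string than the one that was set.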
Asterisk Project Security Advisory - The DB dialplan function when executed from an external protocol (for instance AMI), could result in a privilege escalation.
5f6de459bd80960c973e40d53339c46b02b67d9db5559130f299530051f16340
Asterisk Project Security Advisory - The CONFBRIDGE dialplan function, when executed from an external protocol (for instance AMI), could result in a privilege escalation. In addition, the AMI action "ConfbridgeStartRecord" could be used to execute arbitrary system commands without first checking for system access.
eebc8eabd10dc9e3b8bc9523e239a9374c0d69bf823e68db757ae0b2b1368d33
Asterisk Project Security Advisory - A remotely exploitable crash vulnerability exists in the PJSIP channel driver's pub/sub framework. If an attempt is made to unsubscribe when not currently subscribed and the endpoint's "sub_min_expiry" is set to zero, Asterisk tries to create an expiration timer with zero seconds, which is not allowed, so an assertion is raised.
6b85765fc735a00c686484dac76731431461bf16a925d2e52ab0d28b8d4331fe