=====================================================================
CERT-Renater Information Note No. 2011/VULN353
_____________________________________________________________________

DATE                 : 22/04/2011
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Asterisk Open Source version 1.4.x,
                       1.6.1.x, 1.6.2.x, 1.8.x, Asterisk Business Edition C.x.x.
======================================================================

http://downloads.asterisk.org/pub/security/AST-2011-005.html
http://downloads.asterisk.org/pub/security/AST-2011-006.html
______________________________________________________________________

               Asterisk Project Security Advisory - AST-2011-005

   Product              Asterisk
   Summary              File Descriptor Resource Exhaustion
   Nature of Advisory   Denial of Service
   Susceptibility       Remote Unauthenticated TCP Based Sessions (TCP SIP,
                        Skinny, Asterisk Manager Interface, and HTTP sessions)
   Severity             Moderate
   Exploits Known       Yes
   Reported On          March 18, 2011
   Reported By          Tzafrir Cohen < tzafrir.cohen AT xorcom DOT com >
   Posted On            April 21, 2011
   Last Updated On      April 21, 2011
   Advisory Contact     Matthew Nicholson
   CVE Name             CVE-2011-1507

   Description  On systems that have the Asterisk Manager Interface, Skinny,
                SIP over TCP, or the built-in HTTP server enabled, it is
                possible for an attacker to open as many connections to
                Asterisk as he wishes. This will cause Asterisk to run out of
                available file descriptors and stop processing any new calls.
                Additionally, disk space can be exhausted as Asterisk logs
                failures to open new file descriptors.

   Resolution   Asterisk can now limit the number of unauthenticated
                connections to each vulnerable interface and can also limit
                the time unauthenticated clients will remain connected for
                some interfaces. This will prevent vulnerable interfaces from
                using up all available file descriptors.
                Care should be taken when setting the connection limits so
                that the combined total of allowed unauthenticated sessions
                from each service is not more than the file descriptor limit
                for the Asterisk process. The file descriptor limit can be
                checked (and set) using the "ulimit -n" command for the
                process' limit and the "/proc/sys/fs/file-max" file (on Linux)
                for the system's limit.

                It will still be possible for an attacker to deny service to
                each of the vulnerable services individually. To mitigate this
                risk, vulnerable services should be run behind a firewall that
                can detect and prevent DoS attacks. In addition to using a
                firewall to filter traffic, vulnerable systems can be protected
                by disabling the vulnerable services in their respective
                configuration files.

   Affected Versions
      Product                       Release Series
      Asterisk Open Source          1.4.x            All versions
      Asterisk Open Source          1.6.1.x          All versions
      Asterisk Open Source          1.6.2.x          All versions
      Asterisk Open Source          1.8.x            All versions
      Asterisk Business Edition     C.x.x            All versions

   Corrected In
      Product                       Release
      Asterisk Open Source          1.4.40.1, 1.6.1.25, 1.6.2.17.3, 1.8.3.3
      Asterisk Business Edition     C.3.6.4

   Patches
      URL                                                                 Branch
      http://downloads.asterisk.org/pub/security/AST-2011-005-1.4.diff    1.4
      http://downloads.asterisk.org/pub/security/AST-2011-005-1.6.1.diff  1.6.1
      http://downloads.asterisk.org/pub/security/AST-2011-005-1.6.2.diff  1.6.2
      http://downloads.asterisk.org/pub/security/AST-2011-005-1.8.diff    1.8

   Asterisk Project Security Advisories are posted at
   http://www.asterisk.org/security

   This document may be superseded by later versions; if so, the latest
   version will be posted at
   http://downloads.digium.com/pub/security/AST-2011-005.pdf and
   http://downloads.digium.com/pub/security/AST-2011-005.html

   Revision History
      Date       Editor              Revisions Made
      04/21/11   Matthew Nicholson   Initial version

               Asterisk Project Security Advisory - AST-2011-005
              Copyright (c) 2011 Digium, Inc. All Rights Reserved.
      Permission is hereby granted to distribute and publish this advisory in
      its original, unaltered form.
______________________________________________________________________

               Asterisk Project Security Advisory - AST-2011-006

   Product              Asterisk
   Summary              Asterisk Manager User Shell Access
   Nature of Advisory   Permission Escalation
   Susceptibility       Remote Authenticated Sessions
   Severity             Minor
   Exploits Known       Yes
   Reported On          February 10, 2011
   Reported By          Mark Murawski
   Posted On            April 21, 2011
   Last Updated On      April 21, 2011
   Advisory Contact     Matthew Nicholson
   CVE Name

   Description  It is possible for a user of the Asterisk Manager Interface to
                bypass a security check and execute shell commands when they
                should not have that ability. Sending the "Async" header with
                the "Application" header during an Originate action allows
                authenticated manager users to execute shell commands. Only
                users with the "system" privilege should be able to do this.

   Resolution   Asterisk now performs the proper access check where
                appropriate during the originate manager action.
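The file-descriptor budgeting that the AST-2011-005 resolution above asks for, as an added example (this is not code from the advisory, from CERT-Renater or from the Asterisk project): a POSIX shell script that reads the per-service unauthenticated-session limits from constructed sample configuration files, sums them, and compares the total with the process limit reported by "ulimit -n" and the system limit in /proc/sys/fs/file-max. The option names it looks for (tcpauthlimit in sip.conf, authlimit in manager.conf and skinny.conf, sessionlimit in http.conf) are stated here as an assumption about the corrected releases' configuration files, since the advisory does not name them; the HEADROOM value and the sample configs are constructed.

```shell
#!/bin/sh
# Added example; not from the advisory or the Asterisk project.
# Sums the per-service unauthenticated-session limits introduced by the
# AST-2011-005 fix and checks that the total fits the process fd limit.
# Option names are an assumption about the corrected releases' config files:
#   sip.conf     tcpauthlimit
#   manager.conf authlimit
#   skinny.conf  authlimit
#   http.conf    sessionlimit

# read_limit FILE OPTION -> print the integer value of "OPTION = N" from the
# first uncommented line that sets it, or 0 when the file or option is absent.
read_limit() {
    file=$1
    opt=$2
    if [ ! -f "$file" ]; then echo 0; return 0; fi
    awk -v opt="$opt" '
        /^[[:space:]]*[;#]/ { next }                 # whole-line comment
        {
            line = $0
            sub(/[;#].*$/, "", line)                  # trailing comment
            if (match(line, "^[[:space:]]*" opt "[[:space:]]*=")) {
                val = substr(line, RLENGTH + 1)
                gsub(/[[:space:]]/, "", val)
                if (val ~ /^[0-9]+$/) { print val; found = 1; exit }
            }
        }
        END { if (!found) print 0 }' "$file"
}

# sum_auth_limits CONFDIR -> total number of unauthenticated sessions the four
# TCP services may hold open at the same time.
sum_auth_limits() {
    dir=$1
    sip=$(read_limit "$dir/sip.conf" tcpauthlimit)
    ami=$(read_limit "$dir/manager.conf" authlimit)
    skinny=$(read_limit "$dir/skinny.conf" authlimit)
    http=$(read_limit "$dir/http.conf" sessionlimit)
    echo $((sip + ami + skinny + http))
}

# HEADROOM (constructed value): descriptors to keep free for real calls,
# logs and channels. Size it for your own call volume.
HEADROOM=${HEADROOM:-256}

# fd_budget_ok TOTAL FDLIMIT -> exit 0 when TOTAL + HEADROOM <= FDLIMIT.
fd_budget_ok() {
    [ $(($1 + HEADROOM)) -le "$2" ]
}

# demo_confdir -> scratch directory with constructed sample config files
# (comment lines and trailing comments are included to exercise the parser).
demo_confdir() {
    d=$(mktemp -d)
    printf '[general]\ntcpenable=yes\ntcpauthlimit = 100 ; unauthenticated TCP SIP\ntcpauthtimeout=30\n' > "$d/sip.conf"
    printf '[general]\nenabled=yes\n; authlimit = 999 is commented out and must be ignored\nauthlimit=50\nauthtimeout=30\n' > "$d/manager.conf"
    printf '[general]\nauthlimit=50\n' > "$d/skinny.conf"
    printf '[general]\nenabled=yes\nsessionlimit=100\n' > "$d/http.conf"
    echo "$d"
}

main() {
    dir=${1:-$(demo_confdir)}
    total=$(sum_auth_limits "$dir")
    proc_limit=$(ulimit -n)
    sys_limit=$(cat /proc/sys/fs/file-max 2>/dev/null || echo unknown)
    echo "configured unauthenticated sessions: $total"
    echo "process fd limit (ulimit -n): $proc_limit, system limit: $sys_limit"
    case $proc_limit in
        ''|*[!0-9]*) echo "process limit is not numeric; check ulimit -n by hand" ;;
        *) if fd_budget_ok "$total" "$proc_limit"; then
               echo "OK: limits fit within the process file-descriptor budget"
           else
               echo "WARNING: raise ulimit -n or lower the per-service limits"
           fi ;;
    esac
    if [ $# -eq 0 ]; then rm -rf "$dir"; fi
}

main "$@"
```

Run it with the path of a real Asterisk configuration directory as the first argument to check a live system; without an argument it checks the constructed sample, whose total of 300 sessions is the number the advisory's guidance says must stay below the process limit.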
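For the AST-2011-006 access check, an added example from the operator's side (not code from the advisory, from CERT-Renater or from Asterisk): a POSIX shell script that inventories the user sections of a constructed manager.conf and reports which users hold the "system" write permission, the privilege the advisory says should gate shell execution through the Originate action. On a patched release that list is the set of users who can run shell commands this way; on an unpatched one every manager user can, so the full user count is printed as well. Treating the "all" keyword as granting system is an assumption about manager.conf permission semantics, and the user names and secrets are constructed.

```shell
#!/bin/sh
# Added example; not from the advisory or the Asterisk project.
# Inventories manager.conf users and reports which hold the "system" write
# permission, the privilege AST-2011-006 says should gate shell execution via
# the Originate action. Assumption: "all" grants every permission, system
# included.

# list_manager_users FILE -> one line per user section: name, a tab, and the
# lower-cased comma-separated write permissions ([general] is skipped).
list_manager_users() {
    awk '
        /^[[:space:]]*[;#]/ { next }                 # whole-line comment
        {
            line = $0
            sub(/[;#].*$/, "", line)                  # trailing comment
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", line)
        }
        line ~ /^\[.*\]$/ {                           # new section header
            if (section != "" && section != "general") print section "\t" write
            section = substr(line, 2, length(line) - 2)
            write = ""
            next
        }
        line ~ /^write[[:space:]]*=/ {
            sub(/^write[[:space:]]*=/, "", line)
            gsub(/[[:space:]]/, "", line)
            write = tolower(line)
        }
        END { if (section != "" && section != "general") print section "\t" write }
    ' "$1"
}

# has_system_perm PERMS -> exit 0 when the comma-separated list grants system.
has_system_perm() {
    case ",$1," in
        *,system,*|*,all,*) return 0 ;;
        *) return 1 ;;
    esac
}

# users_with_system FILE -> names of users allowed to run shell commands on a
# patched server. On an unpatched one, every user in list_manager_users can.
users_with_system() {
    tab=$(printf '\t')
    list_manager_users "$1" | while IFS="$tab" read -r name perms; do
        if has_system_perm "$perms"; then echo "$name"; fi
    done
}

# count_users FILE -> number of user sections.
count_users() {
    list_manager_users "$1" | wc -l | tr -d ' '
}

# demo_manager_conf -> constructed sample manager.conf (secrets are dummies).
demo_manager_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[general]
enabled = yes
bindaddr = 127.0.0.1

[monitor]
secret = constructed-secret
read = call,log
write = call,originate      ; places calls; must never reach a shell

[operator]
secret = constructed-secret
write = originate,system    ; the only role that should run System()

[superuser]
secret = constructed-secret
write = all
EOF
    echo "$f"
}

main() {
    f=${1:-$(demo_manager_conf)}
    echo "manager users defined: $(count_users "$f")"
    echo "users holding the system permission (review this list):"
    users_with_system "$f"
    if [ $# -eq 0 ]; then rm -f "$f"; fi
}

main "$@"
```

Pass the path of a real manager.conf as the first argument to audit a live installation; every name the script prints should be a role that genuinely needs shell access, and until the corrected releases listed in this advisory are installed, the whole user inventory should be read as that list.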
   Affected Versions
      Product                       Release Series
      Asterisk Open Source          1.4.x            All versions
      Asterisk Open Source          1.6.1.x          All versions
      Asterisk Open Source          1.6.2.x          All versions
      Asterisk Open Source          1.8.x            All versions
      Asterisk Business Edition     C.x.x            All versions

   Corrected In
      Product                       Release
      Asterisk Open Source          1.4.40.1, 1.6.1.25, 1.6.2.17.3, 1.8.3.3
      Asterisk Business Edition     C.3.6.4

   Patches
      URL                                                                 Branch
      http://downloads.asterisk.org/pub/security/AST-2011-006-1.4.diff    1.4
      http://downloads.asterisk.org/pub/security/AST-2011-006-1.6.1.diff  1.6.1
      http://downloads.asterisk.org/pub/security/AST-2011-006-1.6.2.diff  1.6.2
      http://downloads.asterisk.org/pub/security/AST-2011-006-1.8.diff    1.8

   Links

   Asterisk Project Security Advisories are posted at
   http://www.asterisk.org/security

   This document may be superseded by later versions; if so, the latest
   version will be posted at
   http://downloads.digium.com/pub/security/AST-2011-006.pdf and
   http://downloads.digium.com/pub/security/AST-2011-006.html

   Revision History
      Date       Editor              Revisions Made
      4/21/11    Matthew Nicholson   Initial version

               Asterisk Project Security Advisory - AST-2011-006
              Copyright (c) 2011 Digium, Inc. All Rights Reserved.

      Permission is hereby granted to distribute and publish this advisory in
      its original, unaltered form.
======================================================================

=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER            | tel : 01-53-94-20-44       +
+ 23 - 25 Rue Daviel      | fax : 01-53-94-20-41       +
+ 75013 Paris             | email: certsvp@renater.fr  +
=========================================================