===================================================================== CERT-Renater Note d'Information No. 2012/VULN002 _____________________________________________________________________ DATE : 08/01/2013 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S) : Systems running Asterisk Open Source versions prior to 1.8.19.1, 10.11.1, 11.1.1, Certified Asterisk versions prior to 1.8.11-cert10, Asterisk Digiumphones versions prior to 10.11.1-digiumphones. ====================================================================== http://downloads.digium.com/pub/security/AST-2012-014.html http://downloads.digium.com/pub/security/AST-2012-015.html ______________________________________________________________________ Asterisk Project Security Advisory - AST-2012-014 Product Asterisk Summary Crashes due to large stack allocations when using TCP Nature of Advisory Stack Overflow Susceptibility Remote Unauthenticated Sessions (SIP) Remote Authenticated Sessions (XMPP, HTTP) Severity Critical Exploits Known No Reported On 7 November, 2012 Reported By Walter Doekes Posted On 2 January, 2013 Last Updated On January 2, 2013 Advisory Contact Mark Michelson CVE Name CVE-2012-5976 Description Asterisk has several places where messages received over various network transports may be copied in a single stack allocation. In the case of TCP, since multiple packets in a stream may be concatenated together, this can lead to large allocations that overflow the stack. In the case of SIP, it is possible to do this before a session is established. Keep in mind that SIP over UDP is not affected by this vulnerability. With HTTP and XMPP, a session must first be established before the vulnerability may be exploited. The XMPP vulnerability exists both in the res_jabber.so module in Asterisk 1.8, 10, and 11 as well as the res_xmpp.so module in Asterisk 11. Resolution Stack allocations when using TCP have either been eliminated in favor of heap allocations or have had an upper bound placed on them to ensure that the stack will not overflow. For SIP, the allocation now has an upper limit. For HTTP, the allocation is now a heap allocation instead of a stack allocation. For XMPP, the allocation has been eliminated since it was unnecessary. Affected Versions Product Release Series Asterisk Open Source 1.8.x All versions Asterisk Open Source 10.x All versions Asterisk Open Source 11.x All versions Certified Asterisk 1.8.11 SIP: unaffected HTTP and XMPP: All versions Asterisk Digiumphones 10.x-digiumphones All versions Corrected In Product Release Asterisk Open Source 1.8.19.1, 10.11.1, 11.1.1 Certified Asterisk 1.8.11-cert10 Asterisk Digiumphones 10.11.1-digiumphones Patches SVN URL Revision http://downloads.asterisk.org/pub/security/AST-2012-014-1.8.diff Asterisk 1.8 http://downloads.asterisk.org/pub/security/AST-2012-014-10.diff Asterisk 10 http://downloads.asterisk.org/pub/security/AST-2012-014-11.diff Asterisk 11 Links https://issues.asterisk.org/jira/browse/ASTERISK-20658 Asterisk Project Security Advisories are posted at http://www.asterisk.org/security This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2012-014.pdf and http://downloads.digium.com/pub/security/AST-2012-014.html Revision History Date Editor Revisions Made 19 November, 2012 Mark Michelson Initial Draft 02 January, 2013 Matt Jordan Removed ABE from affected products Asterisk Project Security Advisory - AST-2012-014 Copyright (c) 2012 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form. _____________________________________________________________________________ ------------------------------------------------------------------------------ Asterisk Project Security Advisory - AST-2012-015 Product Asterisk Summary Denial of Service Through Exploitation of Device State Caching Nature of Advisory Denial of Service Susceptibility Remote Unauthenticated Sessions Severity Critical Exploits Known None Reported On 26 July, 2012 Reported By Russell Bryant Posted On 2 January, 2013 Last Updated On January 2, 2013 Advisory Contact Matt Jordan CVE Name CVE-2012-5977 Description Asterisk maintains an internal cache for devices. The device state cache holds the state of each device known to Asterisk, such that consumers of device state information can query for the last known state for a particular device, even if it is not part of an active call. The concept of a device in Asterisk can include things that do not have a physical representation. One way that this currently occurs is when anonymous calls are allowed in Asterisk. A device is automatically created and stored in the cache for each anonymous call that occurs; this is possible in the SIP and IAX2 channel drivers and through channel drivers that utilize the res_jabber/res_xmpp resource modules (Gtalk, Jingle, and Motif). Attackers exploiting this vulnerability can attack an Asterisk system configured to allow anonymous calls by varying the source of the anonymous call, continually adding devices to the device state cache and consuming a system's resources. Resolution Channels that are not associated with a physical device are no longer stored in the device state cache. This affects Local, DAHDI, SIP and IAX2 channels, and any channel drivers built on the res_jabber/res_xmpp resource modules (Gtalk, Jingle, and Motif). Affected Versions Product Release Series Asterisk Open Source 1.8.x All Versions Asterisk Open Source 10.x All Versions Asterisk Open Source 11.x All Versions Certified Asterisk 1.8.11 All Versions Asterisk Digiumphones 10.x-digiumphones All Versions Corrected In Product Release Asterisk Open Source 1.8.19.1, 10.11.1, 11.1.1 Certified Asterisk 1.8.11-cert10 Asterisk Digiumphones 10.11.1-digiumphones Patches SVN URL Revision http://downloads.asterisk.org/pub/security/AST-2012-015-1.8.diff Asterisk 1.8 http://downloads.asterisk.org/pub/security/AST-2012-015-10.diff Asterisk 10 http://downloads.asterisk.org/pub/security/AST-2012-015-11.diff Asterisk 11 Links https://issues.asterisk.org/jira/browse/ASTERISK-20175 Asterisk Project Security Advisories are posted at http://www.asterisk.org/security This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2012-015.pdf and http://downloads.digium.com/pub/security/AST-2012-015.html Revision History Date Editor Revisions Made 19 November 2012 Matt Jordan Initial Draft Asterisk Project Security Advisory - AST-2012-015 Copyright (c) 2012 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form. ====================================================================== ========================================================= Serveur de référence du CERT-Renater https://services.renater.fr/ssi/ ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23 - 25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email: certsvp@renater.fr + =========================================================