====================================================================
          CERT-Renater Note d'Information No. 2018/VULN075
_____________________________________________________________________

DATE                 : 23/02/2018
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Asterisk
                       Asterisk Open Source versions prior to 13.19.2,
                       14.7.6, 15.2.2; Certified Asterisk versions
                       prior to 13.18-cert3.
=====================================================================

http://downloads.asterisk.org/pub/security/AST-2018-001.html
http://downloads.asterisk.org/pub/security/AST-2018-002.html
http://downloads.asterisk.org/pub/security/AST-2018-003.html
http://downloads.asterisk.org/pub/security/AST-2018-004.html
http://downloads.asterisk.org/pub/security/AST-2018-005.html
http://downloads.asterisk.org/pub/security/AST-2018-006.html
_____________________________________________________________________

             Asterisk Project Security Advisory - AST-2018-001

  Product              Asterisk
  Summary              Crash when receiving unnegotiated dynamic payload
  Nature of Advisory   Remote Crash
  Susceptibility       Remote Unauthenticated Sessions
  Severity             Major
  Exploits Known       No
  Reported On          December 18, 2017
  Reported By          Sébastien Duthil
  Posted On            February 21, 2018
  Last Updated On      February 21, 2018
  Advisory Contact     Joshua Colp
  CVE Name             CVE-2018-7285

  Description
    The RTP support in Asterisk maintains its own registry of dynamic
    codecs and desired payload numbers. While an SDP negotiation may
    result in a codec using a different payload number, these desired
    numbers are still stored internally. When an RTP packet was
    received, this registry would be consulted if the payload number
    was not found in the negotiated SDP. This registry was incorrectly
    consulted for all packets, even those carrying a dynamic payload
    number. If the payload number resolved to a codec of a different
    type than the RTP stream (for example, the payload number resolved
    to a video codec but the stream carried audio), a crash could occur
    if no stream of that type had been negotiated. This was due to the
    code incorrectly assuming that a stream of that type would always
    exist.

  Resolution
    The RTP support will now only consult the registry for payloads
    which are statically defined. The core has also been changed to
    protect against situations where a frame of media is received for a
    media type that has not been negotiated.

    To receive these fixes, update to the given version of Asterisk or
    apply the provided patch. There is no configuration which can
    protect against this vulnerability.

  Affected Versions
    Product                 Release Series
    Asterisk Open Source    13.x              Unaffected
    Asterisk Open Source    14.x              Unaffected
    Asterisk Open Source    15.x              All versions
    Certified Asterisk      13.18             Unaffected

  Corrected In
    Product                 Release
    Asterisk Open Source    15.2.2

  Patches
    SVN URL                                                          Revision
    http://downloads.asterisk.org/pub/security/AST-2018-001-15.diff  Asterisk 15

  Links  https://issues.asterisk.org/jira/browse/ASTERISK-27488

  Asterisk Project Security Advisories are posted at
  http://www.asterisk.org/security

  This document may be superseded by later versions; if so, the latest
  version will be posted at
  http://downloads.digium.com/pub/security/AST-2018-001.pdf and
  http://downloads.digium.com/pub/security/AST-2018-001.html

  Revision History
    Date                Editor          Revisions Made
    January 15, 2018    Joshua Colp     Initial Revision
    February 21, 2018   Joshua Colp     Added CVE

  Copyright © 2018 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory
  in its original, unaltered form.
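The two fixes described in the AST-2018-001 resolution, as an added illustration in C that is not Asterisk's code: a payload type absent from the negotiated SDP falls back to the internal registry only when it is statically assigned (RFC 3551 types 0-95), and a codec whose media type differs from the receiving stream's is dropped instead of being handed to a stream that was never negotiated. The codec names, tables and payload numbers are constructed for the example.

```c
#include <string.h>

enum media_type { MEDIA_AUDIO, MEDIA_VIDEO };
struct codec { const char *name; enum media_type type; };
struct pt_binding { int pt; const struct codec *codec; };

/* Constructed codecs and tables; the real Asterisk registry is far larger. */
static const struct codec pcmu = { "PCMU", MEDIA_AUDIO };
static const struct codec g729 = { "G729", MEDIA_AUDIO };
static const struct codec h263 = { "H263", MEDIA_VIDEO };

/* Internal registry: RFC 3551 static assignments plus the "desired" number the
 * stack would like to use for a dynamic codec (99 -> H263 here, constructed). */
static const struct pt_binding internal_registry[] = {
    { 0, &pcmu }, { 18, &g729 }, { 34, &h263 }, { 99, &h263 },
};
/* What the SDP answer actually negotiated for one audio stream. */
static const struct pt_binding negotiated_audio[] = { { 101, &g729 } };

static const struct codec *find_pt(const struct pt_binding *tbl, size_t n, int pt)
{
    for (size_t i = 0; i < n; i++)
        if (tbl[i].pt == pt) return tbl[i].codec;
    return NULL;
}

/* Resolve an inbound payload type for a stream of 'stream_type'.
 * Returns the codec, or NULL when the packet must be dropped. */
const struct codec *resolve_rtp_payload(const struct pt_binding *negotiated,
                                        size_t n_neg, int pt, enum media_type stream_type)
{
    const struct codec *c = find_pt(negotiated, n_neg, pt);
    /* Not negotiated: consult the internal registry only for static payload
     * types (0-95). Dynamic types (96-127) mean nothing outside the SDP, which
     * is the lookup AST-2018-001 removed. */
    if (!c && pt >= 0 && pt < 96)
        c = find_pt(internal_registry,
                    sizeof internal_registry / sizeof *internal_registry, pt);
    /* The codec's media type must match the stream the packet arrived on;
     * otherwise the frame would go to a stream that may never have been set up. */
    if (!c || c->type != stream_type)
        return NULL;
    return c;
}

/* Demo: codec name chosen for payload 'pt' on the negotiated audio stream, or "DROP". */
const char *audio_stream_lookup(int pt)
{
    const struct codec *c = resolve_rtp_payload(negotiated_audio,
        sizeof negotiated_audio / sizeof *negotiated_audio, pt, MEDIA_AUDIO);
    return c ? c->name : "DROP";
}
```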
_____________________________________________________________________

             Asterisk Project Security Advisory - AST-2018-002

  Product              Asterisk
  Summary              Crash when given an invalid SDP media format
                       description
  Nature of Advisory   Remote crash
  Susceptibility       Remote Authenticated Sessions
  Severity             Minor
  Exploits Known       No
  Reported On          January 15, 2018
  Reported By          Sandro Gauci
  Posted On            February 21, 2018
  Last Updated On      February 19, 2018
  Advisory Contact     Kevin Harwell
  CVE Name

  Description
    An SDP message crafted with an invalid media format description
    crashes Asterisk when the pjsip channel driver is in use, because
    pjproject's SDP parsing algorithm fails to catch the invalid media
    format description.

    The severity of this vulnerability is lessened since an endpoint
    must be authenticated before the crash point is reached, unless it
    is configured with no authentication.

  Resolution
    Stricter validation is now done when pjproject parses an SDP's
    media format description. Invalid values are now properly handled.

  Affected Versions
    Product                 Release Series
    Asterisk Open Source    13.x              All Releases
    Asterisk Open Source    14.x              All Releases
    Asterisk Open Source    15.x              All Releases
    Certified Asterisk      13.18             All Releases

  Corrected In
    Product                 Release
    Asterisk Open Source    13.19.2, 14.7.6, 15.2.2
    Certified Asterisk      13.18-cert3

  Patches
    SVN URL                                                             Revision
    http://downloads.asterisk.org/pub/security/AST-2018-002-13.diff     Asterisk 13
    http://downloads.asterisk.org/pub/security/AST-2018-002-14.diff     Asterisk 14
    http://downloads.asterisk.org/pub/security/AST-2018-002-15.diff     Asterisk 15
    http://downloads.asterisk.org/pub/security/AST-2018-002-13.18.diff  Certified Asterisk 13.18

  Links  https://issues.asterisk.org/jira/browse/ASTERISK-27582

  Asterisk Project Security Advisories are posted at
  http://www.asterisk.org/security

  This document may be superseded by later versions; if so, the latest
  version will be posted at
  http://downloads.digium.com/pub/security/AST-2018-002.pdf and
  http://downloads.digium.com/pub/security/AST-2018-002.html

  Revision History
    Date                Editor          Revisions Made
    January 30, 2018    Kevin Harwell   Initial Revision

  Copyright © 2018 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory
  in its original, unaltered form.
_____________________________________________________________________

             Asterisk Project Security Advisory - AST-2018-003

  Product              Asterisk
  Summary              Crash with an invalid SDP fmtp attribute
  Nature of Advisory   Remote crash
  Susceptibility       Remote Authenticated Sessions
  Severity             Minor
  Exploits Known       No
  Reported On          January 15, 2018
  Reported By          Sandro Gauci
  Posted On            February 21, 2018
  Last Updated On      February 19, 2018
  Advisory Contact     Kevin Harwell
  CVE Name

  Description
    An SDP message body crafted with an invalid fmtp attribute crashes
    Asterisk when the pjsip channel driver is in use, because
    pjproject's fmtp retrieval function fails to check whether the fmtp
    value is empty (it is set empty if it was previously parsed as
    invalid).

    The severity of this vulnerability is lessened since an endpoint
    must be authenticated before the crash point is reached, unless it
    is configured with no authentication.

  Resolution
    A stricter check is now done when pjproject retrieves the fmtp
    attribute. Empty values are now properly handled.

  Affected Versions
    Product                 Release Series
    Asterisk Open Source    13.x              All Releases
    Asterisk Open Source    14.x              All Releases
    Asterisk Open Source    15.x              All Releases
    Certified Asterisk      13.18             All Releases

  Corrected In
    Product                 Release
    Asterisk Open Source    13.19.2, 14.7.6, 15.2.2
    Certified Asterisk      13.18-cert3

  Patches
    SVN URL                                                             Revision
    http://downloads.asterisk.org/pub/security/AST-2018-003-13.diff     Asterisk 13
    http://downloads.asterisk.org/pub/security/AST-2018-003-14.diff     Asterisk 14
    http://downloads.asterisk.org/pub/security/AST-2018-003-15.diff     Asterisk 15
    http://downloads.asterisk.org/pub/security/AST-2018-003-13.18.diff  Certified Asterisk 13.18

  Links  https://issues.asterisk.org/jira/browse/ASTERISK-27583

  Asterisk Project Security Advisories are posted at
  http://www.asterisk.org/security

  This document may be superseded by later versions; if so, the latest
  version will be posted at
  http://downloads.digium.com/pub/security/AST-2018-003.pdf and
  http://downloads.digium.com/pub/security/AST-2018-003.html

  Revision History
    Date                Editor          Revisions Made
    January 30, 2018    Kevin Harwell   Initial Revision

  Copyright © 2018 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory
  in its original, unaltered form.

_____________________________________________________________________

             Asterisk Project Security Advisory - AST-2018-004

  Product              Asterisk
  Summary              Crash when receiving SUBSCRIBE request
  Nature of Advisory   Remote Crash
  Susceptibility       Remote Unauthenticated Sessions
  Severity             Major
  Exploits Known       No
  Reported On          January 30, 2018
  Reported By          Sandro Gauci
  Posted On            February 21, 2018
  Last Updated On      February 21, 2018
  Advisory Contact     Joshua Colp
  CVE Name             CVE-2018-7284

  Description
    When processing a SUBSCRIBE request, the res_pjsip_pubsub module
    stores the accepted formats present in the Accept headers of the
    request. This code did not limit the number of headers it processed
    despite having a fixed storage limit of 32. If more than 32 Accept
    headers were present, the code would write outside of its memory
    and cause a crash.

  Resolution
    The res_pjsip_pubsub module has been changed to enforce a limit on
    the maximum number of Accept headers it will process.

    To receive this change, upgrade to the version of Asterisk where
    this is resolved or apply the appropriate provided patch.
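The bound described in the AST-2018-004 resolution, as an added illustration in C that is not Asterisk's res_pjsip_pubsub code: a minimal, constructed SIP header walker collects Accept values into a fixed 32-entry table and counts, rather than writes, anything past the limit. MAX_ACCEPT, ACCEPT_LEN, the struct and the SUBSCRIBE text are all constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define MAX_ACCEPT 32          /* fixed table size named in the advisory */
#define ACCEPT_LEN 64          /* constructed cap on one Accept value */
struct accept_table {
    char values[MAX_ACCEPT][ACCEPT_LEN];
    size_t count;              /* values stored */
    size_t dropped;            /* headers past the limit, counted but never written */
};

/* Walk the CRLF-terminated header lines of a SIP message, collect "Accept"
 * values case-insensitively and stop storing once the table is full.
 * Returns the number stored; tbl->dropped says how many were ignored. */
size_t collect_accept_headers(const char *msg, struct accept_table *tbl)
{
    const char *line = msg;
    memset(tbl, 0, sizeof *tbl);
    while (*line) {
        const char *eol = strstr(line, "\r\n");
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (len == 0) break;                  /* blank line ends the headers */
        if (len > 7 && strncasecmp(line, "Accept:", 7) == 0) {
            const char *val = line + 7;
            size_t vlen = len - 7;
            while (vlen && *val == ' ') { val++; vlen--; }
            if (tbl->count < MAX_ACCEPT) {    /* the bound the fix enforces */
                if (vlen >= ACCEPT_LEN) vlen = ACCEPT_LEN - 1;
                memcpy(tbl->values[tbl->count], val, vlen);
                tbl->values[tbl->count++][vlen] = '\0';
            } else tbl->dropped++;
        }
        if (!eol) break;
        line = eol + 2;
    }
    return tbl->count;
}

/* Demo helper: build a constructed SUBSCRIBE carrying n Accept headers and
 * return how many the collector keeps (never more than MAX_ACCEPT). */
size_t accept_count_for(int n)
{
    static char msg[4096]; struct accept_table tbl;
    int off = snprintf(msg, sizeof msg, "SUBSCRIBE sip:alice@example.com SIP/2.0\r\n");
    for (int i = 0; i < n && off < (int)sizeof msg - 64; i++)
        off += snprintf(msg + off, sizeof msg - off, "Accept: application/type%d\r\n", i);
    snprintf(msg + off, sizeof msg - off, "\r\n");
    return collect_accept_headers(msg, &tbl);
}
```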
  Affected Versions
    Product                 Release Series
    Asterisk Open Source    13.x              All versions
    Asterisk Open Source    14.x              All versions
    Asterisk Open Source    15.x              All versions
    Certified Asterisk      13.18             All versions

  Corrected In
    Product                 Release
    Asterisk Open Source    13.19.2, 14.7.6, 15.2.2
    Certified Asterisk      13.18-cert3

  Patches
    SVN URL                                                             Revision
    http://downloads.asterisk.org/pub/security/AST-2018-004-13.diff     Asterisk 13
    http://downloads.asterisk.org/pub/security/AST-2018-004-14.diff     Asterisk 14
    http://downloads.asterisk.org/pub/security/AST-2018-004-15.diff     Asterisk 15
    http://downloads.asterisk.org/pub/security/AST-2018-004-13.18.diff  Certified Asterisk 13.18

  Links  https://issues.asterisk.org/jira/browse/ASTERISK-27640

  Asterisk Project Security Advisories are posted at
  http://www.asterisk.org/security

  This document may be superseded by later versions; if so, the latest
  version will be posted at
  http://downloads.digium.com/pub/security/AST-2018-004.pdf and
  http://downloads.digium.com/pub/security/AST-2018-004.html

  Revision History
    Date                Editor          Revisions Made
    February 5, 2018    Joshua Colp     Initial Revision
    February 21, 2018   Joshua Colp     Added CVE

  Copyright © 2018 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory
  in its original, unaltered form.

_____________________________________________________________________

             Asterisk Project Security Advisory - AST-2018-005

  Product              Asterisk
  Summary              Crash when large numbers of TCP connections are
                       closed suddenly
  Nature of Advisory   Remote Crash
  Susceptibility       Remote Authenticated Sessions
  Severity             Moderate
  Exploits Known       No
  Reported On          January 24, 2018
  Reported By          Sandro Gauci
  Posted On            February 21, 2018
  Last Updated On      February 21, 2018
  Advisory Contact     gjoseph AT digium DOT com
  CVE Name             CVE-2018-7286

  Description
    A crash occurs when a number of authenticated INVITE messages are
    sent over TCP or TLS and then the connection is suddenly closed.
    This issue leads to a segmentation fault.

  Resolution
    A patch to Asterisk is available that prevents the crash by locking
    the underlying transport until a response is sent.

  Affected Versions
    Product                 Release Series
    Asterisk Open Source    13.x              All Versions
    Asterisk Open Source    14.x              All Versions
    Asterisk Open Source    15.x              All Versions
    Certified Asterisk      13.18             All Versions

  Corrected In
    Product                 Release
    Asterisk Open Source    13.19.2, 14.7.6, 15.2.2
    Certified Asterisk      13.18-cert3

  Patches
    SVN URL                                                             Revision
    http://downloads.asterisk.org/pub/security/AST-2018-005-13.diff     Asterisk 13
    http://downloads.asterisk.org/pub/security/AST-2018-005-14.diff     Asterisk 14
    http://downloads.asterisk.org/pub/security/AST-2018-005-15.diff     Asterisk 15
    http://downloads.asterisk.org/pub/security/AST-2018-005-13.18.diff  Certified Asterisk 13.18

  Links  https://issues.asterisk.org/jira/browse/ASTERISK-27618
         http://downloads.asterisk.org/pub/security/AST-2018-005.html

  Asterisk Project Security Advisories are posted at
  http://www.asterisk.org/security

  This document may be superseded by later versions; if so, the latest
  version will be posted at
  http://downloads.digium.com/pub/security/AST-2018-005.pdf and
  http://downloads.digium.com/pub/security/AST-2018-005.html

  Revision History
    Date                Editor          Revisions Made
    February 6, 2018    George Joseph   Initial Revision

  Copyright © 2018 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory
  in its original, unaltered form.
_____________________________________________________________________

             Asterisk Project Security Advisory - AST-2018-006

  Product              Asterisk
  Summary              WebSocket frames with a 0-sized payload cause DoS
  Nature of Advisory   Denial of Service
  Susceptibility       Remote Unauthenticated Sessions
  Severity             Moderate
  Exploits Known       No
  Reported On          February 05, 2018
  Reported By          Sean Bright
  Posted On            February 21, 2018
  Last Updated On      February 21, 2018
  Advisory Contact     bford AT digium DOT com
  CVE Name             CVE-2018-7287

  Description
    When reading a WebSocket frame, the payload length was not being
    checked. If a payload of length 0 was read, it would result in a
    busy loop that waited for the underlying connection to close.

  Resolution
    A patch to Asterisk is available that checks for payloads of size 0
    before attempting to read them.

    By default, Asterisk does not enable the HTTP server, which means it
    is not vulnerable to this problem. If the HTTP server is enabled,
    you can disable it if you do not need it. Otherwise, the patch
    provided with this security vulnerability can be applied. Either of
    these approaches will resolve the problem.

  Affected Versions
    Product                 Release Series
    Asterisk Open Source    15.x              All versions

  Corrected In
    Product                 Release
    Asterisk Open Source    15.2.2

  Patches
    SVN URL                                                          Revision
    http://downloads.asterisk.org/pub/security/AST-2018-006-15.diff  Asterisk 15

  Links  https://issues.asterisk.org/jira/browse/ASTERISK-27658
         http://downloads.asterisk.org/pub/security/AST-2018-006.html

  Asterisk Project Security Advisories are posted at
  http://www.asterisk.org/security

  This document may be superseded by later versions; if so, the latest
  version will be posted at
  http://downloads.digium.com/pub/security/AST-2018-006.pdf and
  http://downloads.digium.com/pub/security/AST-2018-006.html

  Revision History
    Date                Editor          Revisions Made
    February 15, 2018   Ben Ford        Initial Revision
    February 21, 2018   Ben Ford        Added CVE Name

  Copyright © 2018 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory
  in its original, unaltered form.

==========================================================
+ CERT-RENATER          | tel  : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax  : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr  +
==========================================================