ID

VAR-201206-0140

CVE

CVE-2012-2948

TITLE

Certified Asterisk and Asterisk Open Source Service disruption in (DoS) Vulnerabilities

DESCRIPTION

chan_skinny.c in the Skinny (aka SCCP) channel driver in Certified Asterisk 1.8.11-cert before 1.8.11-cert2 and Asterisk Open Source 1.8.x before 1.8.12.1 and 10.x before 10.4.1 allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) by closing a connection in off-hook mode. Asterisk is prone to a remote denial-of-service vulnerability. Attackers can exploit this issue to trigger a NULL-pointer dereference and cause a system crash, denying service to legitimate users. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201206-05 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Asterisk: Multiple vulnerabilities Date: June 21, 2012 Bugs: #413353, #418189, #418191 ID: 201206-05 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities in Asterisk might allow remote attackers to execute arbitrary code. Background ========== Asterisk is an open source telephony engine and toolkit. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-misc/asterisk < 1.8.12.1 >= 1.8.12.1 Description =========== Multiple vulnerabilities have been found in Asterisk: * An error in manager.c allows shell access through the MixMonitor application, GetVar, or Status (CVE-2012-2414). * An error in chan_skinny.c could cause a heap-based buffer overflow (CVE-2012-2415). * An error in chan_sip.c prevents Asterisk from checking if a channel exists before connected line updates (CVE-2012-2416). * An error in chan_iax2.c may cause an invalid pointer to be called (CVE-2012-2947). * chan_skinny.c contains a NULL pointer dereference (CVE-2012-2948). Impact ====== A remote attacker could execute arbitrary code with the privileges of the process or cause a Denial of Service condition. Workaround ========== There is no known workaround at this time. Resolution ========== All Asterisk users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-misc/asterisk-1.8.12.1" References ========== [ 1 ] CVE-2012-2414 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2414 [ 2 ] CVE-2012-2415 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2415 [ 3 ] CVE-2012-2416 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2416 [ 4 ] CVE-2012-2947 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2947 [ 5 ] CVE-2012-2948 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2948 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201206-05.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2012 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . When an SCCP client closes its connection to the server, a pointer in a structure is set to Null. If the client was not in the on-hook state at the time the connection was closed, this pointer is later dereferenced. "Off hook") to crash the server. Successful exploitation of this vulnerability would result in termination of the server, causing denial of service to legitimate users." Resolution The pointer to the device in the structure is now checked before it is dereferenced in the channel event callbacks and message handling functions. Affected Versions Product Release Series Asterisk Open Source 1.8.x All Versions Asterisk Open Source 10.x All Versions Certified Asterisk 1.8.11-cert 1.8.11-cert1 Corrected In Product Release Asterisk Open Source 1.8.12.1, 10.4.1 Certified Asterisk 1.8.11-cert2 Patches SVN URL Revision http://downloads.asterisk.org/pub/security/AST-2012-008-1.8.diff v1.8 http://downloads.asterisk.org/pub/security/AST-2012-008-10.diff v10 http://downloads.asterisk.org/pub/security/AST-2012-008-1.8.11-cert.diff v1.8.11-cert Links https://issues.asterisk.org/jira/browse/ASTERISK-19905 Asterisk Project Security Advisories are posted at http://www.asterisk.org/security This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2012-008.pdf and http://downloads.digium.com/pub/security/AST-2012-008.html Revision History Date Editor Revisions Made 05/25/2012 Matt Jordan Initial Release Asterisk Project Security Advisory - AST-2012-008 Copyright (c) 2012 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form. _______________________________________________ Full-Disclosure - We believe in it. In addition, it was discovered that Asterisk does not set the alwaysauthreject option by default in the SIP channel driver. This allows remote attackers to observe a difference in response behavior and check for the presence of account names. (CVE-2011-2666) System administrators concerned by this user enumerating vulnerability should enable the alwaysauthreject option in the configuration. We do not plan to change the default setting in the stable version (Asterisk 1.6) in order to preserve backwards compatibility. For the testing distribution (wheezy) and the unstable distribution (sid), this problem has been fixed in version 1:1.8.13.0~dfsg-1. We recommend that you upgrade your asterisk packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJP15u9AAoJEL97/wQC1SS+Pu0H/0ZPFRSNpL+hJKd7b5FGF6al BZSp51eAC0d2mEFWMml4DAvx6u1gMPzrO9PPNgsEc6gxNyD4Stj+rF54h6X5i5NR ZSlyeQTQ292J18+LdANYWwxQJyzNNthNmYL/2AiR6z2BRnD3ZqHiPbWGv0FV4Vyw rT8fZ7ujp7CQlFGwcqjPxUzBqEq5U2raN2K9BoP6zpu8mHf9WzcmL4KZR/wJxMkf 04McrMttF++gM3atFSSXCWC5Bpj8q0xpr3YIv0dI8+fWPFpevNX2MBM+diS06iNc PUWfCPTy2Psl46dC3J+JeF8TPWE/HCmV98DD54DEv0R1tPUmNm362dtfiutiBbQ= =Wy1e -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . ---------------------------------------------------------------------- Become a PSI 3.0 beta tester! Test-drive the new beta version and tell us what you think about its extended automatic update function and significantly enhanced user-interface. Download it here! http://secunia.com/psi_30_beta_launch ---------------------------------------------------------------------- TITLE: Asterisk Two Denial of Service Vulnerabilities SECUNIA ADVISORY ID: SA49303 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/49303/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=49303 RELEASE DATE: 2012-05-30 DISCUSS ADVISORY: http://secunia.com/advisories/49303/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/49303/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=49303 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Two vulnerabilities have been reported in Asterisk, which can be exploited by malicious people to cause a DoS (Denial of Service). 1) An error in IAX2 channel driver within the "handle_request_update()" function (channels/chan_sip.c) when placing an established call on hold can be exploited to cause a crash via specially crafted packets. Successful exploitation of this vulnerability requires that the setting mohinterpret=passthrough is set and that the call is placed on hold without a suggested music-on-hold class name. 2) An error in SCCP (Skinny) channel driver (channels/chan_skinny.c) when handling termination of a client's connection can be exploited to cause a crash by closing a connection to the server in certain call states. The vulnerabilities are reported in versions 1.8.11-cert prior to 1.8.11-cert2, 1.8.x prior to 1.8.12.1, and 10.x prior to 10.4.1. SOLUTION: Update to a fixed version. Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ PROVIDED AND/OR DISCOVERED BY: The vendor credits: 1) mgrobecker 2) Christoph Hebeisen ORIGINAL ADVISORY: http://downloads.asterisk.org/pub/security/AST-2012-007.html http://downloads.asterisk.org/pub/security/AST-2012-008.html OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

resource management error

CONFIGURATIONS

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Christoph Hebeisen

SOURCES

LAST UPDATE DATE

2024-11-23T21:02:58.171000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE