ID
VAR-202212-0159
CVE
CVE-2022-42705
TITLE
Asterisk Resource Management Error Vulnerability
Trust: 0.6
DESCRIPTION
A use-after-free in res_pjsip_pubsub.c in Sangoma Asterisk 16.28, 18.14, 19.6, and certified/18.9-cert2 may allow a remote authenticated attacker to crash Asterisk (denial of service) by performing activity on a subscription via a reliable transport at the same time that Asterisk is also performing activity on that subscription. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-5358-1 security@debian.org https://www.debian.org/security/ Markus Koschany February 23, 2023 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : asterisk CVE ID : CVE-2022-23537 CVE-2022-23547 CVE-2022-31031 CVE-2022-37325 CVE-2022-39244 CVE-2022-39269 CVE-2022-42705 CVE-2022-42706 Multiple security vulnerabilities have been discovered in Asterisk, an Open Source Private Branch Exchange. Buffer overflows and other programming errors could be exploited for launching a denial of service attack or the execution of arbitrary code. For the stable distribution (bullseye), these problems have been fixed in version 1:16.28.0~dfsg-0+deb11u2. We recommend that you upgrade your asterisk packages. For the detailed security status of asterisk please refer to its security tracker page at: https://security-tracker.debian.org/tracker/asterisk Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmP3LTtfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7 UeQLpw/8CshgHqfiBn5zx4yxf0mmnHaeXDpDmebNz0MLPJQOBHLn6IBFyAu+TpM5 o9CgBlgTx6LdXToik+0QQtG50EnCp+2gPQ+dalY7lHswTfdwqIrMIM8NUwtOo9ut DUUptPBTbUVDICh/OZfiNE3EfxAJ5Z6ktoqC/L8IqCx/S1ZwbdQJSVXAAQJJUVyT syXDNHpoYqehm6p0JKOAbYkROnCKyvfhrtu9clZgUx0lhlxGRpAMspO15mUTyxqR xLwsWAqWyfPXTZBpa6Ym8Aa8vQeDrvk3QakigvhnYHxhz51eJiH8WcsIzh2NQLW0 CsJHYx+Hq3rVUHpIWvPyR00HeKfGNu4pYzXS8RAhuKricEgxNWEQKWxYO76+xrWt avZ1ebREYG2+6AcneB3ceSCPNEg3YeySmf5RyFYy+3s307OsA8/kbSwzsi4lmBZe 1+bqDZvcb76dEz2d5bFaC9qJ3EUX3C19B4mo/bi+IW4s8YypZZX3OpmH5jCkIFKF XiEmuDj3rtrDYSzQgSCKgflXQIv63UsUn3NbZk2KIkQTZRpBfT8p5M7DWwozOCbO 9CN6gsjkM/H+YT2FfEdXMsqw7H6tl3wv1HUIj9dDaAYfxfnHGMfe3jeSBA84Ql1J +NrQctHyDGHo5WcU4ThMNawTuz+FUn/MHb4+ycyP8TjZa/RHX4M=HsMO -----END PGP SIGNATURE-----
Trust: 0.99
AFFECTED PRODUCTS
| vendor: | sangoma | model: | asterisk | scope: | gte | version: | 18.14.0 | Trust: 1.0 |
| vendor: | sangoma | model: | certified asterisk | scope: | eq | version: | 18.9 | Trust: 1.0 |
| vendor: | sangoma | model: | asterisk | scope: | gte | version: | 19.6.0 | Trust: 1.0 |
| vendor: | sangoma | model: | asterisk | scope: | eq | version: | 20.0.0 | Trust: 1.0 |
| vendor: | sangoma | model: | asterisk | scope: | lt | version: | 18.15.1 | Trust: 1.0 |
| vendor: | sangoma | model: | asterisk | scope: | lt | version: | 16.29.1 | Trust: 1.0 |
| vendor: | sangoma | model: | asterisk | scope: | gte | version: | 16.0.0 | Trust: 1.0 |
| vendor: | sangoma | model: | asterisk | scope: | lt | version: | 19.7.1 | Trust: 1.0 |
CVSS
SEVERITY | CVSSV2 | CVSSV3 | |||||||||||||||||||||||||||||||||||||||||
|
|
PROBLEMTYPE DATA
| problemtype: | CWE-416 | Trust: 1.0 |
THREAT TYPE
remote
Trust: 0.6
TYPE
resource management error
Trust: 0.6
PATCH
| title: | Asterisk Remediation of resource management error vulnerabilities | url: | http://123.124.177.30/web/xxk/bdxqById.tag?id=216717 | Trust: 0.6 |
EXTERNAL IDS
| db: | NVD | id: | CVE-2022-42705 | Trust: 1.7 |
| db: | AUSCERT | id: | ESB-2023.1153 | Trust: 0.6 |
| db: | AUSCERT | id: | ESB-2022.6288 | Trust: 0.6 |
| db: | CNNVD | id: | CNNVD-202212-2174 | Trust: 0.6 |
| db: | PACKETSTORM | id: | 171105 | Trust: 0.1 |
REFERENCES
| url: | https://www.debian.org/security/2023/dsa-5358 | Trust: 1.6 |
| url: | https://downloads.asterisk.org/pub/security/ast-2022-008.html | Trust: 1.6 |
| url: | https://lists.debian.org/debian-lts-announce/2023/02/msg00029.html | Trust: 1.6 |
| url: | https://www.auscert.org.au/bulletins/esb-2022.6288 | Trust: 0.6 |
| url: | https://vigilance.fr/vulnerability/asterisk-open-source-reuse-after-free-via-res-pjsip-pubsub-c-40001 | Trust: 0.6 |
| url: | https://www.auscert.org.au/bulletins/esb-2023.1153 | Trust: 0.6 |
| url: | https://cxsecurity.com/cveshow/cve-2022-42705/ | Trust: 0.6 |
| url: | https://www.debian.org/security/ | Trust: 0.1 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2022-23547 | Trust: 0.1 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2022-31031 | Trust: 0.1 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2022-37325 | Trust: 0.1 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2022-39244 | Trust: 0.1 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2022-39269 | Trust: 0.1 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2022-42705 | Trust: 0.1 |
| url: | https://www.debian.org/security/faq | Trust: 0.1 |
| url: | https://security-tracker.debian.org/tracker/asterisk | Trust: 0.1 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2022-42706 | Trust: 0.1 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2022-23537 | Trust: 0.1 |
CREDITS
Debian
Trust: 0.1
SOURCES
| db: | PACKETSTORM | id: | 171105 |
| db: | CNNVD | id: | CNNVD-202212-2174 |
| db: | NVD | id: | CVE-2022-42705 |
LAST UPDATE DATE
2024-08-14T12:11:36.808000+00:00
SOURCES UPDATE DATE
| db: | CNNVD | id: | CNNVD-202212-2174 | date: | 2023-02-27T00:00:00 |
| db: | NVD | id: | CVE-2022-42705 | date: | 2023-02-24T00:15:12.057 |
SOURCES RELEASE DATE
| db: | PACKETSTORM | id: | 171105 | date: | 2023-02-23T16:33:14 |
| db: | CNNVD | id: | CNNVD-202212-2174 | date: | 2022-12-02T00:00:00 |
| db: | NVD | id: | CVE-2022-42705 | date: | 2022-12-05T21:15:10.177 |