lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1bi6J7-0008Je-8F@mail.digium.com>
Date: Thu, 08 Sep 2016 15:52:25 -0500
From: "Asterisk Security Team" <security@...erisk.org>
To: fulldisclosure@...lists.org
Subject: [FD] AST-2016-006: Crash on ACK from unknown endpoint

               Asterisk Project Security Advisory - AST-2016-006

         Product        Asterisk                                              
         Summary        Crash on ACK from unknown endpoint                    
    Nature of Advisory  Remote Crash                                          
      Susceptibility    Remote unauthenticated sessions                       
         Severity       Critical                                              
      Exploits Known    No                                                    
       Reported On      August 3, 2016                                        
       Reported By      Nappsoft                                              
        Posted On       
     Last Updated On    August 31, 2016                                       
     Advisory Contact   mark DOT michelson AT digium DOT com                  
         CVE Name       

    Description  Asterisk can be crashed remotely by sending an ACK to it     
                 from an endpoint username that Asterisk does not recognize.  
                 Most SIP request types result in an "artificial" endpoint    
                 being looked up, but ACKs bypass this lookup. The resulting  
                 NULL pointer results in a crash when attempting to           
                 determine if ACLs should be applied.                         
                                                                              
                 This issue was introduced in the Asterisk 13.10 release and  
                 only affects that release.                                   
                                                                              
                 This issue only affects users using the PJSIP stack with     
                 Asterisk. Those users that use chan_sip are unaffected.      

    Resolution  ACKs now result in an artificial endpoint being looked up     
                just like other SIP request types.                            

                               Affected Versions         
                          Product                        Release  
                                                         Series   
                   Asterisk Open Source                   11.x    Unaffected  
                   Asterisk Open Source                   13.x    13.10.0     
                    Certified Asterisk                    11.6    Unaffected  
                    Certified Asterisk                    13.8    Unaffected  

                                  Corrected In         
                         Product                              Release         
                  Asterisk Open Source                        13.11.1         

                                    Patches
                 SVN URL                              Revision                

           Links         

    Asterisk Project Security Advisories are posted at                        
    http://www.asterisk.org/security                                          
                                                                              
    This document may be superseded by later versions; if so, the latest      
    version will be posted at                                                 
    http://downloads.digium.com/pub/security/AST-2016-006.pdf and             
    http://downloads.digium.com/pub/security/AST-2016-006.html                

                                Revision History
         Date            Editor                  Revisions Made               
    August 16, 2016  Mark Michelson  Initial draft of Advisory                

               Asterisk Project Security Advisory - AST-2016-006
              Copyright (c) 2016 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ