VuXML ID | Description |
03159886-a8a3-11e3-8f36-0025905a4771 | asterisk -- multiple vulnerabilities
The Asterisk project reports:
Stack Overflow in HTTP Processing of Cookie Headers. Sending a HTTP
request that is handled by Asterisk with a large number of Cookie
headers could overflow the stack. You could even exhaust memory if you
sent an unlimited number of headers in the request.
Denial of Service Through File Descriptor Exhaustion with chan_sip
Session-Timers. An attacker can use all available file descriptors
using SIP INVITE requests. Asterisk will respond with code 400, 420,
or 422 for INVITEs meeting this criteria.
Each INVITE meeting these conditions will leak a channel and several
file descriptors. The file descriptors cannot be released without
restarting Asterisk which may allow intrusion detection systems to be
bypassed by sending the requests slowly.
Remote Crash Vulnerability in PJSIP channel driver. A remotely
exploitable crash vulnerability exists in the PJSIP channel driver if
the "qualify_frequency" configuration option is enabled on an AOR and
the remote SIP server challenges for authentication of the resulting
OPTIONS request. The response handling code wrongly assumes that a
PJSIP endpoint will always be associated with an outgoing request which
is incorrect.
Discovery 2014-03-10 Entry 2014-03-10
asterisk11 < 11.8.1
asterisk18 < 1.8.26.1
CVE-2014-2286
CVE-2014-2287
CVE-2014-2288
http://downloads.asterisk.org/pub/security/AST-2014-001.pdf
http://downloads.asterisk.org/pub/security/AST-2014-002.pdf
http://downloads.asterisk.org/pub/security/AST-2014-003.pdf
https://www.asterisk.org/security
|
c599f95c-8ee5-11e7-8be8-001999f8d30b | asterisk -- Unauthorized data disclosure and shell access command injection in app_minivm
The Asterisk project reports:
AST-2017-005 - A change was made to the strict RTP
support in the RTP stack to better tolerate late media
when a reinvite occurs. When combined with the symmetric
RTP support this introduced an avenue where media could
be hijacked. Instead of only learning a new address when
expected the new code allowed a new source address to be
learned at all times.
AST-2017-006 - The app_minivm module has an "externnotify"
program configuration option that is executed by the
MinivmNotify dialplan application. The application uses
the caller-id name and number as part of a built string
passed to the OS shell for interpretation and execution.
Since the caller-id name and number can come from an
untrusted source, a crafted caller-id name or number
allows an arbitrary shell command injection.
Discovery 2017-08-31 Entry 2017-09-01
asterisk11 < 11.25.2
asterisk13 < 13.17.1
https://downloads.asterisk.org/pub/security/AST-2017-005.html
CVE-2017-14099
https://downloads.asterisk.org/pub/security/AST-2017-006.html
CVE-2017-14100
|
c0b13887-be44-11e6-b04f-001999f8d30b | asterisk -- Authentication Bypass
The Asterisk project reports:
The chan_sip channel driver has a liberal definition
for whitespace when attempting to strip the content between
a SIP header name and a colon character. Rather than
following RFC 3261 and stripping only spaces and horizontal
tabs, Asterisk treats any non-printable ASCII character
as if it were whitespace.
This mostly does not pose a problem until Asterisk is
placed in tandem with an authenticating SIP proxy. In
such a case, a crafty combination of valid and invalid
To headers can cause a proxy to allow an INVITE request
into Asterisk without authentication since it believes
the request is an in-dialog request. However, because of
the bug described above, the request will look like an
out-of-dialog request to Asterisk. Asterisk will then
process the request as a new call. The result is that
Asterisk can process calls from unvetted sources without
any authentication.
If you do not use a proxy for authentication, then
this issue does not affect you.
If your proxy is dialog-aware (meaning that the proxy
keeps track of what dialogs are currently valid), then
this issue does not affect you.
If you use chan_pjsip instead of chan_sip, then this
issue does not affect you.
Discovery 2016-11-28 Entry 2016-12-09
asterisk11 < 11.25.1
asterisk13 < 13.13.1
http://downloads.digium.com/pub/security/ASTERISK-2016-009.html
|
5fee3f02-de37-11e4-b7c3-001999f8d30b | asterisk -- TLS Certificate Common name NULL byte exploit
The Asterisk project reports:
When Asterisk registers to a SIP TLS device and
verifies the server, Asterisk will accept signed certificates
that match a common name other than the one Asterisk is
expecting if the signed certificate has a common name
containing a null byte after the portion of the common
name that Asterisk expected. For example, if Asterisk is
trying to register to www.domain.com, Asterisk will accept
certificates of the form
www.domain.com\x00www.someotherdomain.com
Discovery 2015-04-04 Entry 2015-04-08
asterisk < 1.8.32.3
asterisk11 < 11.17.1
asterisk13 < 13.3.2
http://downloads.asterisk.org/pub/security/AST-2015-003.html
CVE-2015-3008
|
7656fc62-a7a7-11e4-96ba-001999f8d30b | asterisk -- Mitigation for libcURL HTTP request injection vulnerability
The Asterisk project reports:
CVE-2014-8150 reported an HTTP request injection
vulnerability in libcURL. Asterisk uses libcURL in its
func_curl.so module (the CURL() dialplan function), as
well as its res_config_curl.so (cURL realtime backend)
modules.
Since Asterisk may be configured to allow for user-supplied
URLs to be passed to libcURL, it is possible that an
attacker could use Asterisk as an attack vector to inject
unauthorized HTTP requests if the version of libcURL
installed on the Asterisk server is affected by
CVE-2014-8150.
Discovery 2015-01-12 Entry 2015-01-29
asterisk < 1.8.32.2
asterisk11 < 11.15.1
asterisk13 < 13.1.1
http://downloads.asterisk.org/pub/security/AST-2015-002.html
|
7bfd797c-716d-11e4-b008-001999f8d30b | asterisk -- Multiple vulnerabilities
The Asterisk project reports:
AST-2014-014 - High call load may result in hung
channels in ConfBridge.
AST-2014-017 - Permission escalation through ConfBridge
actions/dialplan functions.
Discovery 2014-11-21 Entry 2014-11-21
asterisk11 < 11.14.1
http://downloads.asterisk.org/pub/security/AST-2014-014.html
CVE-2014-8414
http://downloads.asterisk.org/pub/security/AST-2014-017.html
CVE-2014-8417
|
f109b02f-f5a4-11e3-82e9-00a098b18457 | asterisk -- multiple vulnerabilities
The Asterisk project reports:
Asterisk Manager User Unauthorized Shell Access. Manager users can
execute arbitrary shell commands with the MixMonitor manager action.
Asterisk does not require system class authorization for a manager
user to use the MixMonitor action, so any manager user who is
permitted to use manager commands can potentially execute shell
commands as the user executing the Asterisk process.
Exhaustion of Allowed Concurrent HTTP Connections. Establishing a
TCP or TLS connection to the configured HTTP or HTTPS port
respectively in http.conf and then not sending or completing a HTTP
request will tie up a HTTP session. By doing this repeatedly until the
maximum number of open HTTP sessions is reached, legitimate requests
are blocked.
Discovery 2014-06-12 Entry 2014-06-17
asterisk11 < 11.10.1
asterisk18 < 1.8.28.1
CVE-2014-4046
CVE-2014-4047
http://downloads.asterisk.org/pub/security/AST-2014-006.pdf
http://downloads.asterisk.org/pub/security/AST-2014-007.pdf
https://www.asterisk.org/security
|
94268da0-8118-11e4-a180-001999f8d30b | asterisk -- Remote Crash Vulnerability in WebSocket Server
The Asterisk project reports:
When handling a WebSocket frame the res_http_websocket
module dynamically changes the size of the memory used
to allow the provided payload to fit. If a payload length
of zero was received the code would incorrectly attempt
to resize to zero. This operation would succeed and end
up freeing the memory but be treated as a failure. When
the session was subsequently torn down this memory would
get freed yet again causing a crash.
Users of the WebSocket functionality also did not take
into account that provided text frames are not guaranteed
to be NULL terminated. This has been fixed in chan_sip
and chan_pjsip in the applicable versions.
Discovery 2014-10-30 Entry 2014-12-11 Modified 2015-01-29
asterisk11 < 11.14.2
http://downloads.asterisk.org/pub/security/AST-2014-019.html
CVE-2014-9374
|
e60d9e65-3f6b-11e4-ad16-001999f8d30b | asterisk -- Remotely triggered crash
The Asterisk project reports:
When an out of call message - delivered by either the
SIP or PJSIP channel driver or the XMPP stack - is handled
in Asterisk, a crash can occur if the channel servicing
the message is sent into the ReceiveFax dialplan application
while using the res_fax_spandsp module.
Note that this crash does not occur when using the
res_fax_digium module. While this crash technically
occurs due to a configuration issue, as attempting to
receive a fax from a channel driver that only contains
textual information will never succeed, the likelihood
of having it occur is sufficiently high as to warrant
this advisory.
Discovery 2014-09-05 Entry 2014-09-18
asterisk11 < 11.12.1
http://downloads.asterisk.org/pub/security/AST-2014-010.pdf
https://issues.asterisk.org/jira/browse/ASTERISK-24301
https://www.asterisk.org/security
|
0c39bafc-6771-11e3-868f-0025905a4771 | asterisk -- multiple vulnerabilities
The Asterisk project reports:
A 16 bit SMS message that contains an odd message length value will
cause the message decoding loop to run forever. The message buffer is
not on the stack but will be overflowed resulting in corrupted memory
and an immediate crash.
External control protocols, such as the Asterisk Manager Interface,
often have the ability to get and set channel variables; this allows
the execution of dialplan functions. Dialplan functions within
Asterisk are incredibly powerful, which is wonderful for building
applications using Asterisk. But during the read or write execution,
certain dialplan functions do much more. For example, reading the SHELL()
function can execute arbitrary commands on the system Asterisk is
running on. Writing to the FILE() function can change any file that
Asterisk has write access to. When these functions are executed from an
external protocol, that execution could result in a privilege escalation.
Discovery 2013-12-16 Entry 2013-12-17
asterisk10 < 10.12.4
asterisk11 < 11.6.1
asterisk18 < 1.8.24.1
CVE-2013-7100
http://downloads.asterisk.org/pub/security/AST-2013-006.pdf
http://downloads.asterisk.org/pub/security/AST-2013-007.pdf
https://www.asterisk.org/security
|
559f3d1b-cb1d-11e5-80a4-001999f8d30b | asterisk -- Multiple vulnerabilities
The Asterisk project reports:
AST-2016-001 - BEAST vulnerability in HTTP server
AST-2016-002 - File descriptor exhaustion in chan_sip
AST-2016-003 - Remote crash vulnerability when receiving UDPTL FAX data
Discovery 2016-02-03 Entry 2016-02-04 Modified 2016-03-07
asterisk < 1.8.32.3_5
asterisk11 < 11.21.1
asterisk13 < 13.7.1
http://downloads.asterisk.org/pub/security/AST-2016-001.html
CVE-2011-3389
http://downloads.asterisk.org/pub/security/AST-2016-002.html
CVE-2016-2316
http://downloads.asterisk.org/pub/security/AST-2016-003.html
CVE-2016-2232
|
fd2bf3b5-1001-11e3-ba94-0025905a4771 | asterisk -- multiple vulnerabilities
The Asterisk project reports:
Remote Crash From Late Arriving SIP ACK With SDP
Remote Crash when Invalid SDP is sent in SIP Request
Discovery 2013-08-27 Entry 2013-08-28 Modified 2013-08-29
asterisk11 > 11.* < 11.5.1
asterisk10 > 10.* < 10.12.3
asterisk18 > 1.8.* < 1.8.21.1
CVE-2013-5641
CVE-2013-5642
http://downloads.asterisk.org/pub/security/AST-2013-004.html
http://downloads.asterisk.org/pub/security/AST-2013-005.html
https://www.asterisk.org/security
|
a92ed304-716c-11e4-b008-001999f8d30b | asterisk -- Multiple vulnerabilities
The Asterisk project reports:
AST-2014-012 - Mixed IP address families in access
control lists may permit unwanted traffic.
AST-2014-018 - AMI permission escalation through DB
dialplan function.
Discovery 2014-11-21 Entry 2014-11-21
asterisk < 1.8.32.1
asterisk11 < 11.14.1
http://downloads.asterisk.org/pub/security/AST-2014-012.html
CVE-2014-8412
http://downloads.asterisk.org/pub/security/AST-2014-018.html
CVE-2014-8418
|
76c7a0f5-5928-11e4-adc7-001999f8d30b | asterisk -- Asterisk Susceptibility to POODLE Vulnerability
The Asterisk project reports:
The POODLE vulnerability is described under CVE-2014-3566.
This advisory describes the Asterisk project's susceptibility
to this vulnerability.
Discovery 2014-10-20 Entry 2014-10-21
asterisk < 1.8.31.1
asterisk11 < 11.13.1
http://downloads.asterisk.org/pub/security/AST-2014-011.html
CVE-2014-3566
|
c2ea3b31-9d75-11e7-bb13-001999f8d30b | asterisk -- RTP/RTCP information leak
The Asterisk project reports:
This is a follow up advisory to AST-2017-005.
Insufficient RTCP packet validation could allow reading
stale buffer contents and when combined with the "nat"
and "symmetric_rtp" options allow redirecting where
Asterisk sends the next RTCP report.
The RTP stream qualification to learn the source address
of media always accepted the first RTP packet as the new
source and allowed what AST-2017-005 was mitigating. The
intent was to qualify a series of packets before accepting
the new source address.
The RTP/RTCP stack will now validate RTCP packets before processing them.
Discovery 2017-09-01 Entry 2017-09-19
asterisk11 < 11.25.3
asterisk13 < 13.17.2
https://downloads.asterisk.org/pub/security/AST-2017-008.html
CVE-2017-14099
|
5cb18881-7604-11e6-b362-001999f8d30b | asterisk -- RTP Resource Exhaustion
The Asterisk project reports:
The overlap dialing feature in chan_sip allows chan_sip
to report to a device that the number that has been dialed
is incomplete and more digits are required. If this
functionality is used with a device that has performed
username/password authentication RTP resources are leaked.
This occurs because the code fails to release the old RTP
resources before allocating new ones in this scenario.
If all resources are used then RTP port exhaustion will
occur and no RTP sessions are able to be set up.
If overlap dialing support is not needed the "allowoverlap"
option can be set to no. This will stop any usage of the
scenario which causes the resource exhaustion.
Discovery 2016-08-05 Entry 2016-09-08
asterisk11 < 11.23.1
asterisk13 < 13.11.1
http://downloads.asterisk.org/pub/security/AST-2016-007.html
|