VuXML ID | Description |
c599f95c-8ee5-11e7-8be8-001999f8d30b | asterisk -- Unauthorized data disclosure and shell access command injection in app_minivm
The Asterisk project reports:
AST-2017-005 - A change was made to the strict RTP
support in the RTP stack to better tolerate late media
when a reinvite occurs. When combined with the symmetric
RTP support this introduced an avenue where media could
be hijacked. Instead of only learning a new address when
expected the new code allowed a new source address to be
learned at all times.
AST-2017-006 - The app_minivm module has an "externnotify"
program configuration option that is executed by the
MinivmNotify dialplan application. The application uses
the caller-id name and number as part of a built string
passed to the OS shell for interpretation and execution.
Since the caller-id name and number can come from an
untrusted source, a crafted caller-id name or number
allows an arbitrary shell command injection.
Discovery 2017-08-31 Entry 2017-09-01
asterisk11 < 11.25.2
asterisk13 < 13.17.1
https://downloads.asterisk.org/pub/security/AST-2017-005.html
CVE-2017-14099
https://downloads.asterisk.org/pub/security/AST-2017-006.html
CVE-2017-14100
|
7bfd797c-716d-11e4-b008-001999f8d30b | asterisk -- Multiple vulnerabilities
The Asterisk project reports:
AST-2014-014 - High call load may result in hung
channels in ConfBridge.
AST-2014-017 - Permission escalation through ConfBridge
actions/dialplan functions.
Discovery 2014-11-21 Entry 2014-11-21
asterisk11 < 11.14.1
http://downloads.asterisk.org/pub/security/AST-2014-014.html
CVE-2014-8414
http://downloads.asterisk.org/pub/security/AST-2014-017.html
CVE-2014-8417
|
a92ed304-716c-11e4-b008-001999f8d30b | asterisk -- Multiple vulnerabilities
The Asterisk project reports:
AST-2014-012 - Mixed IP address families in access
control lists may permit unwanted traffic.
AST-2014-018 - AMI permission escalation through DB
dialplan function.
Discovery 2014-11-21 Entry 2014-11-21
asterisk < 1.8.32.1
asterisk11 < 11.14.1
http://downloads.asterisk.org/pub/security/AST-2014-012.html
CVE-2014-8412
http://downloads.asterisk.org/pub/security/AST-2014-018.html
CVE-2014-8418
|
559f3d1b-cb1d-11e5-80a4-001999f8d30b | asterisk -- Multiple vulnerabilities
The Asterisk project reports:
AST-2016-001 - BEAST vulnerability in HTTP server
AST-2016-002 - File descriptor exhaustion in chan_sip
AST-2016-003 - Remote crash vulnerability when receiving UDPTL FAX data
Discovery 2016-02-03 Entry 2016-02-04 Modified 2016-03-07
asterisk < 1.8.32.3_5
asterisk11 < 11.21.1
asterisk13 < 13.7.1
http://downloads.asterisk.org/pub/security/AST-2016-001.html
CVE-2011-3389
http://downloads.asterisk.org/pub/security/AST-2016-002.html
CVE-2016-2316
http://downloads.asterisk.org/pub/security/AST-2016-003.html
CVE-2016-2232
|
94268da0-8118-11e4-a180-001999f8d30b | asterisk -- Remote Crash Vulnerability in WebSocket Server
The Asterisk project reports:
When handling a WebSocket frame the res_http_websocket
module dynamically changes the size of the memory used
to allow the provided payload to fit. If a payload length
of zero was received the code would incorrectly attempt
to resize to zero. This operation would succeed and end
up freeing the memory but be treated as a failure. When
the session was subsequently torn down this memory would
get freed yet again causing a crash.
Users of the WebSocket functionality also did not take
into account that provided text frames are not guaranteed
to be NULL terminated. This has been fixed in chan_sip
and chan_pjsip in the applicable versions.
Discovery 2014-10-30 Entry 2014-12-11 Modified 2015-01-29
asterisk11 < 11.14.2
http://downloads.asterisk.org/pub/security/AST-2014-019.html
CVE-2014-9374
|
5cb18881-7604-11e6-b362-001999f8d30b | asterisk -- RTP Resource Exhaustion
The Asterisk project reports:
The overlap dialing feature in chan_sip allows chan_sip
to report to a device that the number that has been dialed
is incomplete and more digits are required. If this
functionality is used with a device that has performed
username/password authentication RTP resources are leaked.
This occurs because the code fails to release the old RTP
resources before allocating new ones in this scenario.
If all resources are used then RTP port exhaustion will
occur and no RTP sessions are able to be set up.
If overlap dialing support is not needed the "allowoverlap"
option can be set to no. This will stop any usage of the
scenario which causes the resource exhaustion.
Discovery 2016-08-05 Entry 2016-09-08
asterisk11 < 11.23.1
asterisk13 < 13.11.1
http://downloads.asterisk.org/pub/security/AST-2016-007.html
|
5fee3f02-de37-11e4-b7c3-001999f8d30b | asterisk -- TLS Certificate Common name NULL byte exploit
The Asterisk project reports:
When Asterisk registers to a SIP TLS device and
verifies the server, Asterisk will accept signed certificates
that match a common name other than the one Asterisk is
expecting if the signed certificate has a common name
containing a null byte after the portion of the common
name that Asterisk expected. For example, if Asterisk is
trying to register to www.domain.com, Asterisk will accept
certificates of the form
www.domain.com\x00www.someotherdomain.com
Discovery 2015-04-04 Entry 2015-04-08
asterisk < 1.8.32.3
asterisk11 < 11.17.1
asterisk13 < 13.3.2
http://downloads.asterisk.org/pub/security/AST-2015-003.html
CVE-2015-3008
|
76c7a0f5-5928-11e4-adc7-001999f8d30b | asterisk -- Asterisk Susceptibility to POODLE Vulnerability
The Asterisk project reports:
The POODLE vulnerability is described under CVE-2014-3566.
This advisory describes the Asterisk project's susceptibility
to this vulnerability.
Discovery 2014-10-20 Entry 2014-10-21
asterisk < 1.8.31.1
asterisk11 < 11.13.1
http://downloads.asterisk.org/pub/security/AST-2014-011.html
CVE-2014-3566
|
7656fc62-a7a7-11e4-96ba-001999f8d30b | asterisk -- Mitigation for libcURL HTTP request injection vulnerability
The Asterisk project reports:
CVE-2014-8150 reported an HTTP request injection
vulnerability in libcURL. Asterisk uses libcURL in its
func_curl.so module (the CURL() dialplan function), as
well as its res_config_curl.so (cURL realtime backend)
modules.
Since Asterisk may be configured to allow for user-supplied
URLs to be passed to libcURL, it is possible that an
attacker could use Asterisk as an attack vector to inject
unauthorized HTTP requests if the version of libcURL
installed on the Asterisk server is affected by
CVE-2014-8150.
Discovery 2015-01-12 Entry 2015-01-29
asterisk < 1.8.32.2
asterisk11 < 11.15.1
asterisk13 < 13.1.1
http://downloads.asterisk.org/pub/security/AST-2015-002.html
|
c2ea3b31-9d75-11e7-bb13-001999f8d30b | asterisk -- RTP/RTCP information leak
The Asterisk project reports:
This is a follow up advisory to AST-2017-005.
Insufficient RTCP packet validation could allow reading
stale buffer contents and when combined with the "nat"
and "symmetric_rtp" options allow redirecting where
Asterisk sends the next RTCP report.
The RTP stream qualification to learn the source address
of media always accepted the first RTP packet as the new
source and allowed what AST-2017-005 was mitigating. The
intent was to qualify a series of packets before accepting
the new source address.
The RTP/RTCP stack will now validate RTCP packets before processing them.
Discovery 2017-09-01 Entry 2017-09-19
asterisk11 < 11.25.3
asterisk13 < 13.17.2
https://downloads.asterisk.org/pub/security/AST-2017-008.html
CVE-2017-14099
|
c0b13887-be44-11e6-b04f-001999f8d30b | asterisk -- Authentication Bypass
The Asterisk project reports:
The chan_sip channel driver has a liberal definition
for whitespace when attempting to strip the content between
a SIP header name and a colon character. Rather than
following RFC 3261 and stripping only spaces and horizontal
tabs, Asterisk treats any non-printable ASCII character
as if it were whitespace.
This mostly does not pose a problem until Asterisk is
placed in tandem with an authenticating SIP proxy. In
such a case, a crafty combination of valid and invalid
To headers can cause a proxy to allow an INVITE request
into Asterisk without authentication since it believes
the request is an in-dialog request. However, because of
the bug described above, the request will look like an
out-of-dialog request to Asterisk. Asterisk will then
process the request as a new call. The result is that
Asterisk can process calls from unvetted sources without
any authentication.
If you do not use a proxy for authentication, then
this issue does not affect you.
If your proxy is dialog-aware (meaning that the proxy
keeps track of what dialogs are currently valid), then
this issue does not affect you.
If you use chan_pjsip instead of chan_sip, then this
issue does not affect you.
Discovery 2016-11-28 Entry 2016-12-09
asterisk11 < 11.25.1
asterisk13 < 13.13.1
http://downloads.digium.com/pub/security/ASTERISK-2016-009.html
|