Asterisk Security Team
2022-Apr-14 22:57 UTC
[asterisk-announce] AST-2022-001: res_stir_shaken: resource exhaustion with large files
Asterisk Project Security Advisory - AST-2022-001 Product Asterisk Summary res_stir_shaken: resource exhaustion with large files Nature of Advisory Resource exhaustion Susceptibility Remote unauthenticated access Severity Major Exploits Known No Reported On Jan 21, 2022 Reported By Ben Ford Posted On Apr 14, 2022 Last Updated On April 13, 2022 Advisory Contact bford AT sangoma DOT com CVE Name CVE-2022-26498 Description When using STIR/SHAKEN, it’s possible to download files that are not certificates. These files could be much larger than what you would expect to download. Modules Affected res_stir_shaken Resolution If you are using STIR/SHAKEN in Asterisk, upgrade to one of the versions listed below. Asterisk now checks the downloaded file to see if it’s actually a certificate or if it is larger than what is expected. If not upgrading, the curl_timeout option in stir_shaken.conf should be utilized so that downloads do not last an extended period of time. Affected Versions Product Release Series Asterisk Open Source 16.x 16.15.0 and after Asterisk Open Source 18.x All versions Asterisk Open Source 19.x All versions Corrected In Product Release Asterisk Open Source 16.25.2, 18.11.2, 19.3.2 Patches Patch URL Revision https://downloads.digium.com/pub/security/AST-2022-001-16.diff Asterisk 16 https://downloads.digium.com/pub/security/AST-2022-001-18.diff Asterisk 18 https://downloads.digium.com/pub/security/AST-2022-001-19.diff Asterisk 19 Links https://issues.asterisk.org/jira/browse/ASTERISK-29872 https://downloads.asterisk.org/pub/security/AST-2022-001.html Asterisk Project Security Advisories are posted at http://www.asterisk.org/security This document may be superseded by later versions; if so, the latest version will be posted at https://downloads.digium.com/pub/security/AST-2022-001.pdf and https://downloads.digium.com/pub/security/AST-2022-001.html Revision History Date Editor Revisions Made Apr 13, 2022 Ben Ford Initial revision Asterisk Project Security Advisory - AST-2022-001 Copyright © 01/19/2022 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.