Asterisk Security Team
2013-Mar-27 20:55 UTC
[asterisk-announce] AST-2013-002: Denial of Service in HTTP server
Asterisk Project Security Advisory - AST-2013-002
Product Asterisk
Summary Denial of Service in HTTP server
Nature of Advisory Denial of Service
Susceptibility Remote Unauthenticated Sessions
Severity Major
Exploits Known None
Reported On January 21, 2013
Reported By Christoph Hebeisen, TELUS Security Labs
Posted On March 27, 2013
Last Updated On March 27, 2013
Advisory Contact Mark Michelson <mmichelson AT digium DOT com>
CVE Name CVE-2013-2686
Description AST-2012-014 [1], fixed in January of this year, contained a
fix for Asterisk's HTTP server since it was susceptible to a
remotely-triggered crash.
The fix put in place fixed the possibility for the crash to be
triggered, but a possible denial of service still exists if an
attacker sends one or more HTTP POST requests with very large
Content-Length values.
[1]
http://downloads.asterisk.org/pub/security/AST-2012-014.html
Resolution Content-Length is now capped at a maximum value of 1024
bytes. Any attempt to send an HTTP POST with content-length
greater than this cap will not result in any memory
allocated. The POST will be responded to with an HTTP 413
"Request Entity Too Large" response.
Affected Versions
Product Release Series
Asterisk Open Source 1.8.x 1.8.19.1, 1.8.20.0, 1.8.20.1
Asterisk Open Source 10.x 10.11.1, 10.12.0, 10.12.1
Asterisk Open Source 11.x 11.1.2, 11.2.0, 11.2.1
Certified Asterisk 1.8.15 1.8.15-cert1
Asterisk Digiumphones 10.x-digiumphones 10.11.1-digiumphones,
10.12.0-digiumphones,
10.12.1-digiumphones
Corrected In
Product Release
Asterisk Open Source 1.8.20.2, 10.12.2, 11.2.2
Certified Asterisk 1.8.15-cert2
Asterisk Digiumphones 10.12.2-digiumphones
Patches
SVN URL
Revision
http://downloads.asterisk.org/pub/security/AST-2012-014-1.8.diff
Asterisk
1.8
http://downloads.asterisk.org/pub/security/AST-2012-014-10.diff
Asterisk
10
http://downloads.asterisk.org/pub/security/AST-2012-014-11.diff
Asterisk
11
http://downloads.asterisk.org/pub/security/AST-2012-014-1.8.15-cert.diff
Certified
Asterisk
1.8.15
+------------------------------------------------------------------------+
| Links | https://issues.asterisk.org/jira/browse/ASTERISK-20967 |
| | http://telussecuritylabs.com/threats/show/TSL20130327-01 |
+------------------------------------------------------------------------+
Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security
This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2013-002.pdf and
http://downloads.digium.com/pub/security/AST-2013-002.html
Revision History
Date Editor Revisions Made
February 12, 2013 Mark Michelson Initial Draft
March 27, 2013 Matt Jordan Updated CVE
Asterisk Project Security Advisory - AST-2013-002
Copyright (c) 2013 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
Maybe Matching Threads
- AST-2013-002: Denial of Service in HTTP server
- Asterisk 1.8.15-cert2, 1.8.20.2, 10.12.2, 10.12.2-digiumphones, 11.2.2 Now Available (Security Release)
- Asterisk 1.8.15-cert2, 1.8.20.2, 10.12.2, 10.12.2-digiumphones, 11.2.2 Now Available (Security Release)
- AST-2012-015: Denial of Service Through Exploitation of Device State Caching
- AST-2013-005: Remote Crash when Invalid SDP is sent in SIP Request
Wisdom of the Ancients
