Asterisk Security Team
2016-Sep-08 20:52 UTC
[asterisk-users] AST-2016-006: Crash on ACK from unknown endpoint
Asterisk Project Security Advisory - AST-2016-006
Product Asterisk
Summary Crash on ACK from unknown endpoint
Nature of Advisory Remote Crash
Susceptibility Remote unauthenticated sessions
Severity Critical
Exploits Known No
Reported On August 3, 2016
Reported By Nappsoft
Posted On
Last Updated On August 31, 2016
Advisory Contact mark DOT michelson AT digium DOT com
CVE Name
Description Asterisk can be crashed remotely by sending an ACK to it
from an endpoint username that Asterisk does not recognize.
Most SIP request types result in an "artificial"
endpoint
being looked up, but ACKs bypass this lookup. The resulting
NULL pointer results in a crash when attempting to
determine if ACLs should be applied.
This issue was introduced in the Asterisk 13.10 release and
only affects that release.
This issue only affects users using the PJSIP stack with
Asterisk. Those users that use chan_sip are unaffected.
Resolution ACKs now result in an artificial endpoint being looked up
just like other SIP request types.
Affected Versions
Product Release
Series
Asterisk Open Source 11.x Unaffected
Asterisk Open Source 13.x 13.10.0
Certified Asterisk 11.6 Unaffected
Certified Asterisk 13.8 Unaffected
Corrected In
Product Release
Asterisk Open Source 13.11.1
Patches
SVN URL Revision
Links
Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security
This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2016-006.pdf and
http://downloads.digium.com/pub/security/AST-2016-006.html
Revision History
Date Editor Revisions Made
August 16, 2016 Mark Michelson Initial draft of Advisory
Asterisk Project Security Advisory - AST-2016-006
Copyright (c) 2016 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.