Asterisk Security Team
2017-May-19 21:54 UTC
[asterisk-users] AST-2017-002: Buffer Overrun in PJSIP transaction layer
Asterisk Project Security Advisory - AST-2017-002 Product Asterisk Summary Buffer Overrun in PJSIP transaction layer Nature of Advisory Buffer Overrun/Crash Susceptibility Remote Unauthenticated Sessions Severity Critical Exploits Known No Reported On 12 April, 2017 Reported By Sandro Gauci Posted On Last Updated On April 13, 2017 Advisory Contact Mark Michelson <mark DOT michelson AT digium DOT com> CVE Name Description A remote crash can be triggered by sending a SIP packet to Asterisk with a specially crafted CSeq header and a Via header with no branch parameter. The issue is that the PJSIP RFC 2543 transaction key generation algorithm does not allocate a large enough buffer. By overrunning the buffer, the memory allocation table becomes corrupted, leading to an eventual crash. This issue is in PJSIP, and so the issue can be fixed without performing an upgrade of Asterisk at all. However, we are releasing a new version of Asterisk with the bundled PJProject updated to include the fix. If you are running Asterisk with chan_sip, this issue does not affect you. Resolution A patch created by the Asterisk team has been submitted and accepted by the PJProject maintainers. Affected Versions Product Release Series Asterisk Open Source 11.x Unaffected Asterisk Open Source 13.x All versions Asterisk Open Source 14.x All versions Certified Asterisk 13.13 All versions Corrected In Product Release Asterisk Open Source 13.15.1, 14.4.1 Certified Asterisk 13.13-cert4 Patches SVN URL Revision Links https://issues.asterisk.org/jira/browse/ASTERISK-26938 Asterisk Project Security Advisories are posted at http://www.asterisk.org/security This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2017-002.pdf and http://downloads.digium.com/pub/security/AST-2017-002.html Revision History Date Editor Revisions Made 12 April, 2017 Mark Michelson Initial report created Asterisk Project Security Advisory - AST-2017-002 Copyright (c) 2017 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.