channels/chan_sip.c in Asterisk Open Source 1.8.x before 1.8.26.1, 11.8.x before 11.8.1, and 12.1.x before 12.1.1, and Certified Asterisk 1.8.15 before 1.8.15-cert5 and 11.6 before 11.6-cert2, when chan_sip has a certain configuration, allows remote authenticated users to cause a denial of service (channel and file descriptor consumption) via an INVITE request with a (1) Session-Expires or (2) Min-SE header with a malformed or invalid value.

Brad Barnett found that the recent security update of Asterisk could cause immediate SIP termination due to an incomplete fix for CVE-2014-2287.

For Debian 7 'Wheezy', these problems have been fixed in version 1:1.8.13.1~dfsg1-3+deb7u6.

We recommend that you upgrade your asterisk packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201405-05 (Asterisk: Denial of Service)

    Multiple vulnerabilities have been discovered in Asterisk. Please review       the CVE identifiers and Asterisk Project Security Advisories referenced       below for details.
  Impact :

    A remote attacker could possibly cause a Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

Multiple vulnerabilities has been discovered and corrected in asterisk :

Sending a HTTP request that is handled by Asterisk with a large number of Cookie headers could overflow the stack. You could even exhaust memory if you sent an unlimited number of headers in the request (CVE-2014-2286).

An attacker can use all available file descriptors using SIP INVITE requests. Asterisk will respond with code 400, 420, or 422 for INVITEs meeting this criteria. Each INVITE meeting these conditions will leak a channel and several file descriptors. The file descriptors cannot be released without restarting Asterisk which may allow intrusion detection systems to be bypassed by sending the requests slowly (CVE-2014-2287).

The updated packages has been upgraded to the 11.8.1 version which is not vulnerable to these issues.

The Asterisk Development Team has announced security releases for Certified Asterisk 1.8.15, 11.6, and Asterisk 1.8, 11, and 12. The available security releases are released as versions 1.8.15-cert5, 11.6-cert2, 1.8.26.1, 11.8.1, and 12.1.1.

These releases are available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk/releases

The release of these versions resolve the following issues :

  - AST-2014-001: Stack overflow in HTTP processing of     Cookie headers.

    Sending a HTTP request that is handled by Asterisk with     a large number of Cookie headers could overflow the     stack.

    Another vulnerability along similar lines is any HTTP     request with a ridiculous number of headers in the     request could exhaust system memory.

  - AST-2014-002: chan_sip: Exit early on bad session timers     request

    This change allows chan_sip to avoid creation of the     channel and consumption of associated file descriptors     altogether if the inbound request is going to be     rejected anyway.

Additionally, the release of 12.1.1 resolves the following issue :

  - AST-2014-003: res_pjsip: When handling 401/407 responses     don't assume a request will have an endpoint.

    This change removes the assumption that an outgoing     request will always have an endpoint and makes the     authenticate_qualify option work once again.

Finally, a security advisory, AST-2014-004, was released for a vulnerability fixed in Asterisk 12.1.0. Users of Asterisk 12.0.0 are encouraged to upgrade to 12.1.1 to resolve both vulnerabilities.

These issues and their resolutions are described in the security advisories.

For more information about the details of these vulnerabilities, please read security advisories AST-2014-001, AST-2014-002, AST-2014-003, and AST-2014-004, which were released at the same time as this announcement.

For a full list of changes in the current releases, please see the ChangeLogs :

http://downloads.asterisk.org/pub/telephony/certified-asterisk/release s/ChangeLog-1.8.15-cert5 http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLo g-1.8.26.1 http://downloads.asterisk.org/pub/telephony/certified-asterisk/release s/ChangeLog-11.6-cert2 http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLo g-11.8.1 http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLo g-12.1.1

The security advisories are available at :

  -     http://downloads.asterisk.org/pub/security/AST-2014-001.
    pdf

    -       http://downloads.asterisk.org/pub/security/AST-2014-00       2.pdf

    -       http://downloads.asterisk.org/pub/security/AST-2014-00       3.pdf

    -       http://downloads.asterisk.org/pub/security/AST-2014-00       4.pdf The Asterisk Development Team has announced the       release of Asterisk 11.8.0. This release is available       for immediate download at       http://downloads.asterisk.org/pub/telephony/asterisk

The release of Asterisk 11.8.0 resolves several issues reported by the community and would have not been possible without your participation.
Thank you!

The following are the issues resolved in this release :

Bugs fixed in this release :

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the version in its SIP banner, the version of Asterisk running on the remote host is potentially affected by a denial of service vulnerability. 

A denial of service flaw exists with the SIP INVITE request handling. It is possible for a remote attacker to use all available file descriptors using SIP INVITE requests.  These file descriptors cannot be released without restarting Asterisk, which could allow an attacker to bypass intrusion detection systems. 

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The Asterisk project reports :

Stack Overflow in HTTP Processing of Cookie Headers. Sending a HTTP request that is handled by Asterisk with a large number of Cookie headers could overflow the stack. You could even exhaust memory if you sent an unlimited number of headers in the request.

Denial of Service Through File Descriptor Exhaustion with chan_sip Session-Timers. An attacker can use all available file descriptors using SIP INVITE requests. Asterisk will respond with code 400, 420, or 422 for INVITEs meeting this criteria. Each INVITE meeting these conditions will leak a channel and several file descriptors. The file descriptors cannot be released without restarting Asterisk which may allow intrusion detection systems to be bypassed by sending the requests slowly.

Remote Crash Vulnerability in PJSIP channel driver. A remotely exploitable crash vulnerability exists in the PJSIP channel driver if the 'qualify_frequency' configuration option is enabled on an AOR and the remote SIP server challenges for authentication of the resulting OPTIONS request. The response handling code wrongly assumes that a PJSIP endpoint will always be associated with an outgoing request which is incorrect.

ID	Name	Product	Family	Severity
96459	Debian DLA-781-2 : asterisk regression update	Nessus	Debian Local Security Checks	low
73861	GLSA-201405-05 : Asterisk: Denial of Service	Nessus	Gentoo Local Security Checks	high
73582	Mandriva Linux Security Advisory : asterisk (MDVSA-2014:078)	Nessus	Mandriva Local Security Checks	high
73142	Fedora 19 : asterisk-11.8.1-1.fc19 (2014-3779)	Nessus	Fedora Local Security Checks	high
73141	Fedora 20 : asterisk-11.8.1-1.fc20 (2014-3762)	Nessus	Fedora Local Security Checks	high
73020	Asterisk SIP File Descriptor Exhaustion with chan_sip Session-Timers DoS (AST-2014-002)	Nessus	Misc.	low
72953	FreeBSD : asterisk -- multiple vulnerabilities (03159886-a8a3-11e3-8f36-0025905a4771)	Nessus	FreeBSD Local Security Checks	high

Detections

Analytics

CVE-2014-2287

medium

Tenable Plugins

low

high

high

high

high

low

high