Asterisk 13.13 < 13.13-cert4 / 13.x < 13.15.1 / 14.x < 14.4.1 Multiple Vulnerabilities (AST-2017-002 - AST-2017-004)

high Nessus Plugin ID 100386

Synopsis

A telephony application running on the remote host is affected by multiple vulnerabilities.

Description

According to its SIP banner, the version of Asterisk running on the remote host is 13.13 prior to 13.13-cert4, 13.x prior to 13.15.1, or 14.x prior to 14.4.1. Is it, therefore, affected by multiple vulnerabilities :

- An out-of-bounds read error exists in the multi-part body parser in PJSIP due to reading memory outside the allowed boundaries. An unauthenticated, remote attacker can exploit this, via specially crafted packets, to trigger an invalid read, resulting in a denial of service condition.

- A denial of service vulnerability exists in 'partial data' message logging when handling SCCP packets that have 'chan_skinny' enabled and that are larger than the length of the SCCP header but smaller than the packet length specified in the header. The loop that reads the rest of the packet fails to detect that the call to read() returned end-of-file before the expected number of bytes and therefore continues indefinitely. An unauthenticated, remote attacker can exploit this issue, via specially crafted packets, to exhaust all available memory.

- A denial of service vulnerability exists in the PJSIP RFC 2543 transaction key generation algorithm due to a failure to allocate a sufficiently large buffer when handling a SIP packet with a specially crafted CSeq header and a Via header with no branch parameter.
An unauthenticated, remote attacker can exploit this, via specially crafted packets, to overflow the buffer, resulting in memory corruption and an eventual crash.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Asterisk version 13.13-cert4 / 13.15.1 / 14.4.1 or later.

See Also

http://downloads.asterisk.org/pub/security/AST-2017-002.html

http://downloads.asterisk.org/pub/security/AST-2017-003.html

http://downloads.asterisk.org/pub/security/AST-2017-004.html

Plugin Details

Severity: High

ID: 100386

File Name: asterisk_ast_2017_002-004.nasl

Version: 1.8

Type: remote

Family: Misc.

Published: 5/24/2017

Updated: 4/11/2022

Configuration: Enable paranoid mode, Enable thorough checks

Supported Sensors: Nessus

Vulnerability Information

CPE: cpe:/a:digium:asterisk

Required KB Items: Settings/ParanoidReport, asterisk/sip_detected

Patch Publication Date: 5/19/2017

Vulnerability Publication Date: 5/19/2017