FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-04-19 20:48:44 UTC

These are the vulnerabilities relating to the commit you have selected:

VuXML ID    Description

03159886-a8a3-11e3-8f36-0025905a4771 asterisk -- multiple vulnerabilities

The Asterisk project reports:

Stack Overflow in HTTP Processing of Cookie Headers. Sending a HTTP request that is handled by Asterisk with a large number of Cookie headers could overflow the stack. You could even exhaust memory if you sent an unlimited number of headers in the request.

Denial of Service Through File Descriptor Exhaustion with chan_sip Session-Timers. An attacker can use all available file descriptors using SIP INVITE requests. Asterisk will respond with code 400, 420, or 422 for INVITEs meeting this criteria. Each INVITE meeting these conditions will leak a channel and several file descriptors. The file descriptors cannot be released without restarting Asterisk which may allow intrusion detection systems to be bypassed by sending the requests slowly.

Remote Crash Vulnerability in PJSIP channel driver. A remotely exploitable crash vulnerability exists in the PJSIP channel driver if the "qualify_frequency" configuration option is enabled on an AOR and the remote SIP server challenges for authentication of the resulting OPTIONS request. The response handling code wrongly assumes that a PJSIP endpoint will always be associated with an outgoing request which is incorrect.


Discovery 2014-03-10
Entry 2014-03-10
asterisk11
< 11.8.1

asterisk18
< 1.8.26.1

CVE-2014-2286
CVE-2014-2287
CVE-2014-2288
http://downloads.asterisk.org/pub/security/AST-2014-001.pdf
http://downloads.asterisk.org/pub/security/AST-2014-002.pdf
http://downloads.asterisk.org/pub/security/AST-2014-003.pdf
https://www.asterisk.org/security
0c39bafc-6771-11e3-868f-0025905a4771 asterisk -- multiple vulnerabilities

The Asterisk project reports:

A 16 bit SMS message that contains an odd message length value will cause the message decoding loop to run forever. The message buffer is not on the stack but will be overflowed resulting in corrupted memory and an immediate crash.

External control protocols, such as the Asterisk Manager Interface, often have the ability to get and set channel variables; this allows the execution of dialplan functions. Dialplan functions within Asterisk are incredibly powerful, which is wonderful for building applications using Asterisk. But during the read or write execution, certain dialplan functions do much more. For example, reading the SHELL() function can execute arbitrary commands on the system Asterisk is running on. Writing to the FILE() function can change any file that Asterisk has write access to. When these functions are executed from an external protocol, that execution could result in a privilege escalation.


Discovery 2013-12-16
Entry 2013-12-17
asterisk10
< 10.12.4

asterisk11
< 11.6.1

asterisk18
< 1.8.24.1

CVE-2013-7100
http://downloads.asterisk.org/pub/security/AST-2013-006.pdf
http://downloads.asterisk.org/pub/security/AST-2013-007.pdf
https://www.asterisk.org/security
0d530174-6eef-11e1-afd6-14dae9ebcf89 asterisk -- multiple vulnerabilities

Asterisk project reports:

Stack Buffer Overflow in HTTP Manager

Remote Crash Vulnerability in Milliwatt Application


Discovery 2012-03-15
Entry 2012-03-15
asterisk14
gt 1.4.* lt 1.4.44

asterisk16
gt 1.6.* lt 1.6.2.23

asterisk18
gt 1.8.* lt 1.8.10.1

asterisk10
gt 10.* lt 10.2.1

http://downloads.asterisk.org/pub/security/AST-2012-002.html
http://downloads.asterisk.org/pub/security/AST-2012-003.html
1bb2826b-7229-11eb-8386-001999f8d30b asterisk -- Remote Crash Vulnerability in PJSIP channel driver

The Asterisk project reports:

Given a scenario where an outgoing call is placed from Asterisk to a remote SIP server it is possible for a crash to occur.


Discovery 2021-02-08
Entry 2021-02-18
asterisk13
< 13.38.2

asterisk16
< 16.16.1

asterisk18
< 18.2.1

CVE-2021-26906
https://downloads.asterisk.org/pub/security/AST-2021-005.html
1c5abbe2-8d7f-11e1-a374-14dae9ebcf89 asterisk -- multiple vulnerabilities

Asterisk project reports:

Remote Crash Vulnerability in SIP Channel Driver

Heap Buffer Overflow in Skinny Channel Driver

Asterisk Manager User Unauthorized Shell Access


Discovery 2012-04-23
Entry 2012-04-23
asterisk16
gt 1.6.* lt 1.6.2.24

asterisk18
gt 1.8.* lt 1.8.11.1

asterisk10
gt 10.* lt 10.3.1

http://downloads.digium.com/pub/security/AST-2012-004.html
CVE-2012-2414
http://downloads.digium.com/pub/security/AST-2012-005.html
CVE-2012-2415
http://downloads.digium.com/pub/security/AST-2012-006.html
CVE-2012-2416
29b7f0be-1fb7-11eb-b9d4-001999f8d30b asterisk -- Outbound INVITE loop on challenge with different nonce

The Asterisk project reports:

If Asterisk is challenged on an outbound INVITE and the nonce is changed in each response, Asterisk will continually send INVITEs in a loop. This causes Asterisk to consume more and more memory since the transaction will never terminate (even if the call is hung up), ultimately leading to a restart or shutdown of Asterisk. Outbound authentication must be configured on the endpoint for this to occur.


Discovery 2020-11-05
Entry 2020-11-05
asterisk13
< 13.37.1

asterisk16
< 16.14.1

asterisk18
< 18.0.1

https://downloads.asterisk.org/pub/security/AST-2020-002.html
34ce5817-8d56-11e0-b5a2-6c626dd55a41 asterisk -- Remote crash vulnerability

The Asterisk Development Team reports:

If a remote user initiates a SIP call and the recipient picks up, the remote user can reply with a malformed Contact header that Asterisk will improperly handle and cause a crash due to a segmentation fault.


Discovery 2011-06-02
Entry 2011-06-02
asterisk18
gt 1.8.* lt 1.8.4.2

CVE-2011-2216
http://downloads.asterisk.org/pub/security/AST-2011-007.pdf
359f615d-a9e1-11e1-8a66-14dae9ebcf89 asterisk -- multiple vulnerabilities

Asterisk project reports:

Remote crash vulnerability in IAX2 channel driver.

Skinny Channel Driver Remote Crash Vulnerability


Discovery 2012-05-29
Entry 2012-05-29
Modified 2012-05-29
asterisk16
gt 1.6.* le 1.6.2.24

asterisk18
gt 1.8.* lt 1.8.12.1

asterisk10
gt 10.* lt 10.4.1

CVE-2012-2947
http://downloads.digium.com/pub/security/AST-2012-007.html
CVE-2012-2948
http://downloads.digium.com/pub/security/AST-2012-008.html
https://www.asterisk.org/security
3c7d565a-6c64-11e0-813a-6c626dd55a41 Asterisk -- multiple vulnerabilities

The Asterisk Development Team reports:

It is possible for a user of the Asterisk Manager Interface to bypass a security check and execute shell commands when they should not have that ability. Sending the "Async" header with the "Application" header during an Originate action, allows authenticated manager users to execute shell commands. Only users with the "system" privilege should be able to do this.

On systems that have the Asterisk Manager Interface, Skinny, SIP over TCP, or the built in HTTP server enabled, it is possible for an attacker to open as many connections to asterisk as he wishes. This will cause Asterisk to run out of available file descriptors and stop processing any new calls. Additionally, disk space can be exhausted as Asterisk logs failures to open new file descriptors.


Discovery 2011-04-21
Entry 2011-04-21
asterisk14
gt 1.4.* lt 1.4.40.1

asterisk16
gt 1.6.* lt 1.6.2.17.3

asterisk18
gt 1.8.* lt 1.8.3.3

CVE-2011-1507
http://downloads.asterisk.org/pub/security/AST-2011-005.pdf
http://downloads.asterisk.org/pub/security/AST-2011-006.pdf
40544e8c-9f7b-11e0-9bec-6c626dd55a41 Asterisk -- multiple vulnerabilities

The Asterisk Development Team reports:

AST-2011-008: If a remote user sends a SIP packet containing a NULL, Asterisk assumes available data extends past the null to the end of the packet when the buffer is actually truncated when copied. This causes SIP header parsing to modify data past the end of the buffer altering unrelated memory structures. This vulnerability does not affect TCP/TLS connections.

AST-2011-009: A remote user sending a SIP packet containing a Contact header with a missing left angle bracket causes Asterisk to access a null pointer.

AST-2011-010: A memory address was inadvertently transmitted over the network via IAX2 via an option control frame and the remote party would try to access it.

Possible enumeration of SIP users due to differing authentication responses.


Discovery 2011-06-24
Entry 2011-06-25
Modified 2011-06-29
asterisk14
gt 1.4.* lt 1.4.41.2

asterisk16
gt 1.6.* lt 1.6.2.18.2

asterisk18
gt 1.8.* lt 1.8.4.4

CVE-2011-2529
CVE-2011-2535
CVE-2011-2536
http://downloads.asterisk.org/pub/security/AST-2011-008.html
http://downloads.asterisk.org/pub/security/AST-2011-009.html
http://downloads.asterisk.org/pub/security/AST-2011-010.html
http://downloads.asterisk.org/pub/security/AST-2011-011.html
4c1ac2dd-c788-11e1-be25-14dae9ebcf89 asterisk -- multiple vulnerabilities

Asterisk project reports:

Possible resource leak on uncompleted re-invite transactions.

Remote crash vulnerability in voice mail application.


Discovery 2012-07-05
Entry 2012-07-06
Modified 2012-08-30
asterisk
gt 10.* lt 10.5.2

asterisk18
gt 1.8.* lt 1.8.13.1

CVE-2012-3812
http://downloads.digium.com/pub/security/AST-2012-010.html
http://downloads.digium.com/pub/security/AST-2012-011.html
https://www.asterisk.org/security
4c53f007-f2ed-11e1-a215-14dae9ebcf89 asterisk -- multiple vulnerabilities

Asterisk project reports:

Asterisk Manager User Unauthorized Shell Access

ACL rules ignored when placing outbound calls by certain IAX2 users


Discovery 2012-08-30
Entry 2012-08-30
asterisk
gt 10.* lt 10.7.1

asterisk18
gt 1.8.* lt 1.8.15.1

CVE-2012-2186
CVE-2012-4737
http://downloads.digium.com/pub/security/AST-2012-012.html
http://downloads.digium.com/pub/security/AST-2012-013.html
https://www.asterisk.org/security
53fbffe6-ebf7-11eb-aef1-0897988a1c07 asterisk -- pjproject/pjsip: crash when SSL socket destroyed during handshake

The Asterisk project reports:

Depending on the timing, it's possible for Asterisk to crash when using a TLS connection if the underlying socket parent/listener gets destroyed during the handshake.


Discovery 2021-05-05
Entry 2021-07-23
asterisk13
< 13.38.3

asterisk16
< 16.19.1

asterisk18
< 18.5.1

CVE-2021-32686
https://downloads.asterisk.org/pub/security/AST-2021-009.html
5ab9fb2a-23a5-11e0-a835-0003ba02bf30 asterisk -- Exploitable Stack Buffer Overflow

The Asterisk Development Team reports:

The releases of Asterisk 1.4.38.1, 1.4.39.1, 1.6.1.21, 1.6.2.15.1, 1.6.2.16.2, 1.8.1.2, and 1.8.2.1 resolve an issue when forming an outgoing SIP request while in pedantic mode, which can cause a stack buffer to be made to overflow if supplied with carefully crafted caller ID information. The issue and resolution are described in the AST-2011-001 security advisory.


Discovery 2011-01-18
Entry 2011-01-19
asterisk14
gt 1.4.* lt 1.4.39.1

asterisk16
gt 1.6.* lt 1.6.2.16.1

asterisk18
gt 1.8.* lt 1.8.2.2

http://downloads.asterisk.org/pub/security/AST-2011-001.pdf
5d8ef725-7228-11eb-8386-001999f8d30b asterisk -- Remote attacker could prematurely tear down SRTP calls

The Asterisk project reports:

An unauthenticated remote attacker could replay SRTP packets which could cause an Asterisk instance configured without strict RTP validation to tear down calls prematurely.


Discovery 2021-02-18
Entry 2021-02-18
asterisk13
ge 13.38.1 lt 13.38.2

asterisk16
ge 16.16.0 lt 16.16.1

asterisk18
ge 18.2.0 lt 18.2.1

CVE-2021-26712
https://downloads.asterisk.org/pub/security/AST-2021-003.html
65d16342-3ec8-11e0-9df7-001c42d23634 asterisk -- Exploitable Stack and Heap Array Overflows

The Asterisk Development Team reports:

The releases of Asterisk 1.4.39.2, 1.6.1.22, 1.6.2.16.2, and 1.8.2.4 resolve an issue that when decoding UDPTL packets, multiple heap based arrays can be made to overflow by specially crafted packets. Systems configured for T.38 pass through or termination are vulnerable. The issue and resolution are described in the AST-2011-002 security advisory.


Discovery 2011-02-21
Entry 2011-02-22
asterisk14
gt 1.4.* lt 1.4.39.2

asterisk16
gt 1.6.* lt 1.6.2.16.2

asterisk18
gt 1.8.* lt 1.8.2.4

http://downloads.asterisk.org/pub/security/AST-2011-002.html
http://secunia.com/advisories/43429/
6adf6ce0-44a6-11eb-95b7-001999f8d30b asterisk -- Remote crash in res_pjsip_diversion

The Asterisk project reports:

AST-2020-003: A crash can occur in Asterisk when a SIP message is received that has a History-Info header, which contains a tel-uri.

AST-2020-004: A crash can occur in Asterisk when a SIP 181 response is received that has a Diversion header, which contains a tel-uri.


Discovery 2020-12-02
Entry 2020-12-22
asterisk13
< 13.38.1

asterisk16
< 16.15.1

asterisk18
< 18.1.1

https://downloads.asterisk.org/pub/security/AST-2020-003.html
https://downloads.asterisk.org/pub/security/AST-2020-004.html
8838abf0-bc47-11ec-b516-0897988a1c07 Asterisk -- multiple vulnerabilities

The Asterisk project reports:

AST-2022-001 - When using STIR/SHAKEN, it's possible to download files that are not certificates. These files could be much larger than what you would expect to download.

AST-2022-002 - When using STIR/SHAKEN, it's possible to send arbitrary requests like GET to interfaces such as localhost using the Identity header.


Discovery 2022-04-14
Entry 2022-04-14
asterisk16
gt 16.15.0 lt 16.25.2

asterisk18
< 18.11.2

CVE-2022-26498
https://downloads.asterisk.org/pub/security/AST-2022-001.html
CVE-2022-26499
https://downloads.asterisk.org/pub/security/AST-2022-002.html
964c5460-9c66-11ec-ad3a-001999f8d30b asterisk -- multiple vulnerabilities

The Asterisk project reports:

AST-2022-004 - The header length on incoming STUN messages that contain an ERROR-CODE attribute is not properly checked. This can result in an integer underflow. Note, this requires ICE or WebRTC support to be in use with a malicious remote party.

AST-2022-005 - When acting as a UAC, and when placing an outgoing call to a target that then forks, Asterisk may experience undefined behavior (crashes, hangs, etc.) after a dialog set is prematurely freed.

AST-2022-006 - If an incoming SIP message contains a malformed multi-part body an out of bounds read access may occur, which can result in undefined behavior. Note, it's currently uncertain if there is any externally exploitable vector within Asterisk for this issue, but providing this as a security issue out of caution.


Discovery 2022-03-03
Entry 2022-03-05
asterisk16
< 16.24.1

asterisk18
< 18.10.1

CVE-2021-37706
CVE-2022-23608
CVE-2022-21723
https://downloads.asterisk.org/pub/security/AST-2022-004.html
https://downloads.asterisk.org/pub/security/AST-2022-005.html
https://downloads.asterisk.org/pub/security/AST-2022-006.html
972fe546-1fb6-11eb-b9d4-001999f8d30b asterisk -- Remote crash in res_pjsip_session

The Asterisk project reports:

Upon receiving a new SIP Invite, Asterisk did not return the created dialog locked or referenced. This caused a gap between the creation of the dialog object, and its next use by the thread that created it. Depending upon some off nominal circumstances, and timing it was possible for another thread to free said dialog in this gap. Asterisk could then crash when the dialog object, or any of its dependent objects were de-referenced, or accessed next by the initial creation thread.


Discovery 2020-11-05
Entry 2020-11-05
asterisk13
< 13.37.1

asterisk16
< 16.14.1

asterisk18
< 18.0.1

https://downloads.asterisk.org/pub/security/AST-2020-001.html
9e8f0766-7d21-11eb-a2be-001999f8d30b asterisk -- Crash when negotiating T.38 with a zero port

The Asterisk project reports:

When Asterisk sends a re-invite initiating T.38 faxing and the endpoint responds with a m=image line and zero port, a crash will occur in Asterisk. This is a reoccurrence of AST-2019-004.


Discovery 2021-02-20
Entry 2021-03-04
asterisk16
< 16.16.2

asterisk18
< 18.2.2

CVE-2019-15297
https://downloads.asterisk.org/pub/security/AST-2021-006.html
a5de43ed-bc49-11ec-b516-0897988a1c07 Asterisk -- func_odbc: Possible SQL Injection

The Asterisk project reports:

Some databases can use backslashes to escape certain characters, such as backticks. If input is provided to func_odbc which includes backslashes it is possible for func_odbc to construct a broken SQL query and the SQL query to fail.


Discovery 2022-04-14
Entry 2022-04-14
asterisk16
< 16.25.2

asterisk18
< 18.11.2

CVE-2022-26651
https://downloads.asterisk.org/pub/security/AST-2022-003.html
a95092a6-f8f1-11e0-a7ea-00215c6a37bb asterisk -- remote crash vulnerability in SIP channel driver

Asterisk project reports:

A remote authenticated user can cause a crash with a malformed request due to an uninitialized variable.


Discovery 2011-10-17
Entry 2011-10-17
asterisk18
gt 1.8.* lt 1.8.7.1

asterisk
gt 10.0.0.* lt 10.0.0.r1

CVE-2011-4063
b330db5f-7225-11eb-8386-001999f8d30b asterisk -- Remote crash in res_pjsip_diversion

The Asterisk project reports:

If a registered user is tricked into dialing a malicious number that sends lots of 181 responses to Asterisk, each one will cause a 181 to be sent back to the original caller with an increasing number of entries in the "Supported" header. Eventually the number of entries in the header exceeds the size of the entry array and causes a crash.


Discovery 2021-01-04
Entry 2021-02-18
asterisk13
ge 13.38.1 lt 13.38.2

asterisk16
ge 16.15.1 lt 16.16.1

asterisk18
ge 18.1.1 lt 18.2.1

CVE-2020-35776
https://downloads.asterisk.org/pub/security/AST-2021-001.html
bb389137-21fb-11e1-89b4-001ec9578670 asterisk -- Multiple Vulnerabilities

Asterisk project reports:

It is possible to enumerate SIP usernames when the general and user/peer NAT settings differ in whether to respond to the port a request is sent from or the port listed for responses in the Via header.

When the "automon" feature is enabled in features.conf, it is possible to send a sequence of SIP requests that cause Asterisk to dereference a NULL pointer and crash.


Discovery 2011-12-08
Entry 2011-12-09
asterisk18
< 1.8.7.2

asterisk16
< 1.6.2.21

CVE-2011-4597
CVE-2011-4598
http://downloads.asterisk.org/pub/security/AST-2011-013.html
http://downloads.asterisk.org/pub/security/AST-2011-014.html
bfe9c75e-5028-11e0-b2d2-00215c6a37bb asterisk -- Multiple Vulnerabilities

The Asterisk Development Team reports:

The releases of Asterisk 1.6.1.23, 1.6.2.17.1, and 1.8.3.1 resolve two issues:

  • Resource exhaustion in Asterisk Manager Interface (AST-2011-003)
  • Remote crash vulnerability in TCP/TLS server (AST-2011-004)

The issues and resolutions are described in the AST-2011-003 and AST-2011-004 security advisories.


Discovery 2011-03-01
Entry 2011-03-16
asterisk16
gt 1.6.* lt 1.6.2.17.1

asterisk18
gt 1.8.* lt 1.8.3.1

http://downloads.asterisk.org/pub/security/AST-2011-003.html
http://downloads.asterisk.org/pub/security/AST-2011-004.html
ca21f5e7-7228-11eb-8386-001999f8d30b asterisk -- An unsuspecting user could crash Asterisk with multiple hold/unhold requests

The Asterisk project reports:

Due to a signedness comparison mismatch, an authenticated WebRTC client could cause a stack overflow and Asterisk crash by sending multiple hold/unhold requests in quick succession.


Discovery 2021-02-11
Entry 2021-02-18
asterisk16
ge 16.16.0 lt 16.16.1

asterisk18
ge 18.2.0 lt 18.2.1

CVE-2021-26714
https://downloads.asterisk.org/pub/security/AST-2021-004.html
daf0a339-9850-11e2-879e-d43d7e0c7c02 asterisk -- multiple vulnerabilities

Asterisk project reports:

Buffer Overflow Exploit Through SIP SDP Header

Username disclosure in SIP channel driver

Denial of Service in HTTP server


Discovery 2013-03-27
Entry 2013-03-29
asterisk11
gt 11.* lt 11.2.2

asterisk10
gt 10.* lt 10.12.2

asterisk18
gt 1.8.* lt 1.8.20.2

CVE-2013-2685
CVE-2013-2686
CVE-2013-2264
http://downloads.asterisk.org/pub/security/AST-2013-001.html
http://downloads.asterisk.org/pub/security/AST-2013-002.html
http://downloads.asterisk.org/pub/security/AST-2013-003.html
https://www.asterisk.org/security
dd698b76-42f7-11e1-a1b6-14dae9ebcf89 asterisk -- SRTP Video Remote Crash Vulnerability

Asterisk project reports:

An attacker attempting to negotiate a secure video stream can crash Asterisk if video support has not been enabled and the res_srtp Asterisk module is loaded.


Discovery 2012-01-15
Entry 2012-01-20
Modified 2013-06-19
asterisk18
< 1.8.8.2

asterisk10
< 10.0.1

http://downloads.asterisk.org/pub/security/AST-2012-001.html
e3894955-7227-11eb-8386-001999f8d30b asterisk -- Remote crash possible when negotiating T.38

The Asterisk project reports:

When re-negotiating for T.38 if the initial remote response was delayed just enough Asterisk would send both audio and T.38 in the SDP. If this happened, and the remote responded with a declined T.38 stream then Asterisk would crash.


Discovery 2021-02-05
Entry 2021-02-18
asterisk16
ge 16.15.0 lt 16.16.1

asterisk18
ge 18.1.0 lt 18.2.1

CVE-2021-26717
https://downloads.asterisk.org/pub/security/AST-2021-002.html
f109b02f-f5a4-11e3-82e9-00a098b18457 asterisk -- multiple vulnerabilities

The Asterisk project reports:

Asterisk Manager User Unauthorized Shell Access. Manager users can execute arbitrary shell commands with the MixMonitor manager action. Asterisk does not require system class authorization for a manager user to use the MixMonitor action, so any manager user who is permitted to use manager commands can potentially execute shell commands as the user executing the Asterisk process.

Exhaustion of Allowed Concurrent HTTP Connections. Establishing a TCP or TLS connection to the configured HTTP or HTTPS port respectively in http.conf and then not sending or completing a HTTP request will tie up a HTTP session. By doing this repeatedly until the maximum number of open HTTP sessions is reached, legitimate requests are blocked.


Discovery 2014-06-12
Entry 2014-06-17
asterisk11
< 11.10.1

asterisk18
< 1.8.28.1

CVE-2014-4046
CVE-2014-4047
http://downloads.asterisk.org/pub/security/AST-2014-006.pdf
http://downloads.asterisk.org/pub/security/AST-2014-007.pdf
https://www.asterisk.org/security
f7c87a8a-55d5-11e2-a255-c8600054b392 asterisk -- multiple vulnerabilities

Asterisk project reports:

Crashes due to large stack allocations when using TCP

Denial of Service Through Exploitation of Device State Caching


Discovery 2013-01-02
Entry 2013-01-03
asterisk11
gt 11.* lt 11.1.2

asterisk10
gt 10.* lt 10.11.1

asterisk18
gt 1.8.* lt 1.8.19.1

CVE-2012-5976
CVE-2012-5977
http://downloads.digium.com/pub/security/AST-2012-014.html
http://downloads.digium.com/pub/security/AST-2012-015.html
https://www.asterisk.org/security
fb3455be-ebf6-11eb-aef1-0897988a1c07 asterisk -- Remote crash when using IAX2 channel driver

The Asterisk project reports:

If the IAX2 channel driver receives a packet that contains an unsupported media format it can cause a crash to occur in Asterisk.


Discovery 2021-04-13
Entry 2021-07-23
asterisk13
< 13.38.3

asterisk16
< 16.19.1

asterisk18
< 18.5.1

CVE-2021-32558
https://downloads.asterisk.org/pub/security/AST-2021-008.html
fd2bf3b5-1001-11e3-ba94-0025905a4771 asterisk -- multiple vulnerabilities

The Asterisk project reports:

Remote Crash From Late Arriving SIP ACK With SDP

Remote Crash when Invalid SDP is sent in SIP Request


Discovery 2013-08-27
Entry 2013-08-28
Modified 2013-08-29
asterisk11
gt 11.* lt 11.5.1

asterisk10
gt 10.* lt 10.12.3

asterisk18
gt 1.8.* lt 1.8.21.1

CVE-2013-5641
CVE-2013-5642
http://downloads.asterisk.org/pub/security/AST-2013-004.html
http://downloads.asterisk.org/pub/security/AST-2013-005.html
https://www.asterisk.org/security
ffa364e1-ebf5-11eb-aef1-0897988a1c07 asterisk -- Remote Crash Vulnerability in PJSIP channel driver

The Asterisk project reports:

When Asterisk receives a re-INVITE without SDP after having sent a BYE request a crash will occur. This occurs due to the Asterisk channel no longer being present while code assumes it is.


Discovery 2021-04-06
Entry 2021-07-23
asterisk16
ge 16.17.0 lt 16.19.1

asterisk18
ge 18.3.0 lt 18.5.1

CVE-2021-31878
https://downloads.asterisk.org/pub/security/AST-2021-007.html