VuXML ID | Description |
0537afa3-3ce0-11e7-bf9d-001999f8d30b | asterisk -- Buffer Overrun in PJSIP transaction layer
The Asterisk project reports:
A remote crash can be triggered by sending a SIP packet
to Asterisk with a specially crafted CSeq header and a
Via header with no branch parameter. The issue is that
the PJSIP RFC 2543 transaction key generation algorithm
does not allocate a large enough buffer. By overrunning
the buffer, the memory allocation table becomes corrupted,
leading to an eventual crash.
The multi-part body parser in PJSIP contains a logical
error that can make certain multi-part body parts attempt
to read memory from outside the allowed boundaries. A
specially-crafted packet can trigger these invalid reads
and potentially induce a crash.
This issue is in PJSIP, and so the issue can be fixed
without performing an upgrade of Asterisk at all. However,
we are releasing a new version of Asterisk with the bundled
PJProject updated to include the fix.
If you are running Asterisk with chan_sip, this issue
does not affect you.
Discovery 2017-04-12 Entry 2017-05-19
asterisk13 < 13.15.1
pjsip < 2.6_1
pjsip-extsrtp < 2.6_1
http://downloads.asterisk.org/pub/security/AST-2017-002.html
http://downloads.asterisk.org/pub/security/AST-2017-003.html
|
e91cf90c-d6dd-11e7-9d10-001999f8d30b | asterisk -- DOS Vulnerability in Asterisk chan_skinny
The Asterisk project reports:
If the chan_skinny (AKA SCCP protocol) channel driver
is flooded with certain requests it can cause the asterisk
process to use excessive amounts of virtual memory
eventually causing asterisk to stop processing requests
of any kind.
Discovery 2017-11-30 Entry 2017-12-01 Modified 2017-12-13
asterisk13 < 13.18.3
https://downloads.asterisk.org/pub/security/AST-2017-013.html
CVE-2017-17090
|
a8d94711-0d03-11ea-87ca-001999f8d30b | asterisk -- SIP request can change address of a SIP peer
The Asterisk project reports:
A SIP request can be sent to Asterisk that can change
a SIP peer's IP address. A REGISTER does not need to occur,
and calls can be hijacked as a result. The only thing
that needs to be known is the peer's name; authentication
details such as passwords do not need to be known. This
vulnerability is only exploitable when the nat option is
set to the default, or auto_force_rport.
Discovery 2019-10-17 Entry 2019-11-22
asterisk13 < 13.29.2
asterisk16 < 16.6.2
https://downloads.asterisk.org/pub/security/AST-2019-006.html
CVE-2019-18790
|
be261737-c535-11e7-8da5-001999f8d30b | asterisk -- Memory/File Descriptor/RTP leak in pjsip session resource
The Asterisk project reports:
A memory leak occurs when an Asterisk pjsip session
object is created and that call gets rejected before the
session itself is fully established. When this happens
the session object never gets destroyed. This then leads
to file descriptors and RTP ports being leaked as well.
Discovery 2017-10-15 Entry 2017-11-09 Modified 2017-12-13
asterisk13 >= 13.5.0, < 13.18.1
https://downloads.asterisk.org/pub/security/AST-2017-011.html
CVE-2017-16672
|
c2ea3b31-9d75-11e7-bb13-001999f8d30b | asterisk -- RTP/RTCP information leak
The Asterisk project reports:
This is a follow up advisory to AST-2017-005.
Insufficient RTCP packet validation could allow reading
stale buffer contents and when combined with the "nat"
and "symmetric_rtp" options allow redirecting where
Asterisk sends the next RTCP report.
The RTP stream qualification to learn the source address
of media always accepted the first RTP packet as the new
source and allowed what AST-2017-005 was mitigating. The
intent was to qualify a series of packets before accepting
the new source address.
The RTP/RTCP stack will now validate RTCP packets before processing them.
Discovery 2017-09-01 Entry 2017-09-19
asterisk11 < 11.25.3
asterisk13 < 13.17.2
https://downloads.asterisk.org/pub/security/AST-2017-008.html
CVE-2017-14099
|
c599f95c-8ee5-11e7-8be8-001999f8d30b | asterisk -- Unauthorized data disclosure and shell access command injection in app_minivm
The Asterisk project reports:
AST-2017-005 - A change was made to the strict RTP
support in the RTP stack to better tolerate late media
when a reinvite occurs. When combined with the symmetric
RTP support this introduced an avenue where media could
be hijacked. Instead of only learning a new address when
expected the new code allowed a new source address to be
learned at all times.
AST-2017-006 - The app_minivm module has an "externnotify"
program configuration option that is executed by the
MinivmNotify dialplan application. The application uses
the caller-id name and number as part of a built string
passed to the OS shell for interpretation and execution.
Since the caller-id name and number can come from an
untrusted source, a crafted caller-id name or number
allows an arbitrary shell command injection.
Discovery 2017-08-31 Entry 2017-09-01
asterisk11 < 11.25.2
asterisk13 < 13.17.1
https://downloads.asterisk.org/pub/security/AST-2017-005.html
CVE-2017-14099
https://downloads.asterisk.org/pub/security/AST-2017-006.html
CVE-2017-14100
|
972fe546-1fb6-11eb-b9d4-001999f8d30b | asterisk -- Remote crash in res_pjsip_session
The Asterisk project reports:
Upon receiving a new SIP Invite, Asterisk did not
return the created dialog locked or referenced. This
caused a gap between the creation of the dialog object,
and its next use by the thread that created it. Depending
upon some off nominal circumstances, and timing it was
possible for another thread to free said dialog in this
gap. Asterisk could then crash when the dialog object,
or any of its dependent objects were de-referenced, or
accessed next by the initial creation thread.
Discovery 2020-11-05 Entry 2020-11-05
asterisk13 < 13.37.1
asterisk16 < 16.14.1
asterisk18 < 18.0.1
https://downloads.asterisk.org/pub/security/AST-2020-001.html
|
0137167b-6dca-11e8-a671-001999f8d30b | asterisk -- PJSIP endpoint presence disclosure when using ACL
The Asterisk project reports:
When endpoint specific ACL rules block a SIP request
they respond with a 403 forbidden. However, if an endpoint
is not identified then a 401 unauthorized response is
sent. This vulnerability just discloses which requests
hit a defined endpoint. The ACL rules cannot be bypassed
to gain access to the disclosed endpoints.
Discovery 2018-06-11 Entry 2018-06-11
asterisk13 < 13.21.1
asterisk15 < 15.4.1
https://downloads.asterisk.org/pub/security/AST-2018-008.html
|
49b61ab6-0d04-11ea-87ca-001999f8d30b | asterisk -- AMI user could execute system commands
The Asterisk project reports:
A remote authenticated Asterisk Manager Interface (AMI)
user without system authorization could use a specially
crafted Originate AMI request to execute arbitrary system
commands.
Discovery 2019-10-10 Entry 2019-11-22
asterisk13 < 13.29.2
asterisk16 < 16.6.2
https://downloads.asterisk.org/pub/security/AST-2019-007.html
CVE-2019-18610
|
ec1df2a1-8ee6-11e7-8be8-001999f8d30b | asterisk -- Remote Crash Vulnerability in res_pjsip
The Asterisk project reports:
A carefully crafted URI in a From, To or Contact header could cause Asterisk to crash.
Discovery 2017-08-31 Entry 2017-09-01
asterisk13 < 13.17.1
https://downloads.asterisk.org/pub/security/AST-2017-007.html
CVE-2017-14098
|
94c6951a-0d04-11ea-87ca-001999f8d30b | asterisk -- Re-invite with T.38 and malformed SDP causes crash
The Asterisk project reports:
If Asterisk receives a re-invite initiating T.38 faxing
and has a port of 0 and no c line in the SDP, a crash
will occur.
Discovery 2019-11-07 Entry 2019-11-22
asterisk13 < 13.29.2
https://downloads.asterisk.org/pub/security/AST-2019-008.html
CVE-2019-18976
|
29b7f0be-1fb7-11eb-b9d4-001999f8d30b | asterisk -- Outbound INVITE loop on challenge with different nonce
The Asterisk project reports:
If Asterisk is challenged on an outbound INVITE and
the nonce is changed in each response, Asterisk will
continually send INVITEs in a loop. This causes Asterisk
to consume more and more memory since the transaction
will never terminate (even if the call is hung up),
ultimately leading to a restart or shutdown of Asterisk.
Outbound authentication must be configured on the endpoint
for this to occur.
Discovery 2020-11-05 Entry 2020-11-05
asterisk13 < 13.37.1
asterisk16 < 16.14.1
asterisk18 < 18.0.1
https://downloads.asterisk.org/pub/security/AST-2020-002.html
|
818b2bcb-a46f-11e9-bed9-001999f8d30b | asterisk -- Remote crash vulnerability with MESSAGE messages
The Asterisk project reports:
A specially crafted SIP in-dialog MESSAGE message can cause Asterisk to crash.
Discovery 2019-06-13 Entry 2019-07-12
asterisk13 < 13.27.1
asterisk15 < 15.7.3
asterisk16 < 16.4.1
https://downloads.asterisk.org/pub/security/AST-2019-002.html
CVE-2019-12827
|
fab87bff-3ce5-11e7-bf9d-001999f8d30b | asterisk -- Memory exhaustion on short SCCP packets
The Asterisk project reports:
A remote memory exhaustion can be triggered by sending
an SCCP packet to Asterisk system with "chan_skinny"
enabled that is larger than the length of the SCCP header
but smaller than the packet length specified in the header.
The loop that reads the rest of the packet doesn't detect
that the call to read() returned end-of-file before the
expected number of bytes and continues infinitely. The
"partial data" message logging in that tight loop causes
Asterisk to exhaust all available memory.
Discovery 2017-04-13 Entry 2017-05-19
asterisk13 < 13.15.1
http://downloads.asterisk.org/pub/security/AST-2017-004.html
|
ab04cb0b-c533-11e7-8da5-001999f8d30b | asterisk -- Buffer overflow in CDR's set user
The Asterisk project reports:
No size checking is done when setting the user field
for Party B on a CDR. Thus, it is possible for someone
to use an arbitrarily large string and write past the end
of the user field storage buffer. The earlier AST-2017-001
advisory for the CDR user field overflow was for the Party
A buffer.
Discovery 2017-10-09 Entry 2017-11-09 Modified 2017-12-13
asterisk13 < 13.18.1
https://downloads.asterisk.org/pub/security/AST-2017-010.html
CVE-2017-16671
|
933654ce-17b8-11e8-90b8-001999f8d30b | asterisk -- multiple vulnerabilities
The Asterisk project reports:
AST-2018-004 - When processing a SUBSCRIBE request the
res_pjsip_pubsub module stores the accepted formats present
in the Accept headers of the request. This code did not
limit the number of headers it processed despite having
a fixed limit of 32. If more than 32 Accept headers were
present the code would write outside of its memory and
cause a crash.
AST-2018-005 - A crash occurs when a number of
authenticated INVITE messages are sent over TCP or TLS
and then the connection is suddenly closed. This issue
leads to a segmentation fault.
Discovery 2018-02-21 Entry 2018-02-22 Modified 2018-06-12
asterisk13 < 13.19.2
https://downloads.asterisk.org/pub/security/AST-2018-004.html
CVE-2018-7284
https://downloads.asterisk.org/pub/security/AST-2018-005.html
CVE-2018-7286
|
fb3455be-ebf6-11eb-aef1-0897988a1c07 | asterisk -- Remote crash when using IAX2 channel driver
The Asterisk project reports:
If the IAX2 channel driver receives a packet that
contains an unsupported media format it can cause a crash
to occur in Asterisk.
Discovery 2021-04-13 Entry 2021-07-23
asterisk13 < 13.38.3
asterisk16 < 16.19.1
asterisk18 < 18.5.1
CVE-2021-32558
https://downloads.asterisk.org/pub/security/AST-2021-008.html
|
4a67450a-e044-11e7-accc-001999f8d30b | asterisk -- Remote Crash Vulnerability in RTCP Stack
The Asterisk project reports:
If a compound RTCP packet is received containing more
than one report (for example a Receiver Report and a
Sender Report) the RTCP stack will incorrectly store
report information outside of allocated memory potentially
causing a crash.
Discovery 2017-12-12 Entry 2017-12-13
asterisk13 < 13.18.4
https://downloads.asterisk.org/pub/security/AST-2017-012.html
|
2a3bc6ac-e7c6-11e7-a90b-001999f8d30b | asterisk -- Crash in PJSIP resource when missing a contact header
The Asterisk project reports:
A select set of SIP messages create a dialog in Asterisk.
Those SIP messages must contain a contact header. For
those messages, if the header was not present and using
the PJSIP channel driver, it would cause Asterisk to
crash. The severity of this vulnerability is somewhat
mitigated if authentication is enabled. If authentication
is enabled a user would have to first be authorized before
reaching the crash point.
Discovery 2017-12-12 Entry 2017-12-23
asterisk13 < 13.18.5
https://downloads.asterisk.org/pub/security/AST-2017-014.html
CVE-2017-17850
|
77f67b46-bd75-11e8-81b6-001999f8d30b | asterisk -- Remote crash vulnerability in HTTP websocket upgrade
The Asterisk project reports:
There is a stack overflow vulnerability in the
res_http_websocket.so module of Asterisk that allows an
attacker to crash Asterisk via a specially crafted HTTP
request to upgrade the connection to a websocket. The
attacker's request causes Asterisk to run out of stack
space and crash.
As a workaround disable HTTP websocket access by not
loading the res_http_websocket.so module.
Discovery 2018-08-16 Entry 2018-09-21
asterisk13 < 13.23.1
asterisk15 < 15.6.1
https://downloads.asterisk.org/pub/security/AST-2018-009.html
CVE-2018-17281
|
6adf6ce0-44a6-11eb-95b7-001999f8d30b | asterisk -- Remote crash in res_pjsip_diversion
The Asterisk project reports:
AST-2020-003: A crash can occur in Asterisk when a SIP
message is received that has a History-Info header, which
contains a tel-uri.
AST-2020-004: A crash can occur in Asterisk when a SIP
181 response is received that has a Diversion header,
which contains a tel-uri.
Discovery 2020-12-02 Entry 2020-12-22
asterisk13 < 13.38.1
asterisk16 < 16.15.1
asterisk18 < 18.1.1
https://downloads.asterisk.org/pub/security/AST-2020-003.html
https://downloads.asterisk.org/pub/security/AST-2020-004.html
|
1bb2826b-7229-11eb-8386-001999f8d30b | asterisk -- Remote Crash Vulnerability in PJSIP channel driver
The Asterisk project reports:
Given a scenario where an outgoing call is placed from
Asterisk to a remote SIP server it is possible for a crash
to occur.
Discovery 2021-02-08 Entry 2021-02-18
asterisk13 < 13.38.2
asterisk16 < 16.16.1
asterisk18 < 18.2.1
CVE-2021-26906
https://downloads.asterisk.org/pub/security/AST-2021-005.html
|
e9d2e981-a46d-11e9-bed9-001999f8d30b | asterisk -- Remote Crash Vulnerability in chan_sip channel driver
The Asterisk project reports:
When T.38 faxing is done in Asterisk a T.38 reinvite
may be sent to an endpoint to switch it to T.38. If the
endpoint responds with an improperly formatted SDP answer
including both a T.38 UDPTL stream and an audio or video
stream containing only codecs not allowed on the SIP peer
or user a crash will occur. The code incorrectly assumes
that there will be at least one common codec when T.38
is also in the SDP answer.
Discovery 2019-06-28 Entry 2019-07-12
asterisk13 < 13.27.1
asterisk15 < 15.7.3
asterisk16 < 16.4.1
https://downloads.asterisk.org/pub/security/AST-2019-003.html
CVE-2019-13161
|
53fbffe6-ebf7-11eb-aef1-0897988a1c07 | asterisk -- pjproject/pjsip: crash when SSL socket destroyed during handshake
The Asterisk project reports:
Depending on the timing, it's possible for Asterisk to
crash when using a TLS connection if the underlying socket
parent/listener gets destroyed during the handshake.
Discovery 2021-05-05 Entry 2021-07-23
asterisk13 < 13.38.3
asterisk16 < 16.19.1
asterisk18 < 18.5.1
CVE-2021-32686
https://downloads.asterisk.org/pub/security/AST-2021-009.html
|
f9f5c5a2-17b5-11e8-90b8-001999f8d30b | asterisk and pjsip -- multiple vulnerabilities
The Asterisk project reports:
AST-2018-002 - By crafting an SDP message with an
invalid media format description Asterisk crashes when
using the pjsip channel driver because pjproject's sdp
parsing algorithm fails to catch the invalid media format
description.
AST-2018-003 - By crafting an SDP message body with
an invalid fmtp attribute Asterisk crashes when using the
pjsip channel driver because pjproject's fmtp retrieval
function fails to check if fmtp value is empty (set empty
if previously parsed as invalid).
Discovery 2018-02-21 Entry 2018-02-22
asterisk13 < 13.19.2
pjsip < 2.7.2
pjsip-extsrtp < 2.7.2
https://downloads.asterisk.org/pub/security/AST-2018-002.html
https://downloads.asterisk.org/pub/security/AST-2018-003.html
|
19b052c9-c533-11e7-8da5-001999f8d30b | asterisk -- Buffer overflow in pjproject header parsing can cause crash in Asterisk
The Asterisk project reports:
By carefully crafting invalid values in the Cseq and
the Via header port, pjproject's packet parsing code can
create strings larger than the buffer allocated to hold
them. This will usually cause Asterisk to crash immediately.
The packets do not have to be authenticated.
Discovery 2017-10-05 Entry 2017-11-09 Modified 2017-11-15
asterisk13 < 13.18.1
pjsip < 2.7.1
pjsip-extsrtp < 2.7.1
https://downloads.asterisk.org/pub/security/AST-2017-009.html
|
7d53d8da-d07a-11e9-8f1a-001999f8d30b | asterisk -- Remote Crash Vulnerability in audio transcoding
The Asterisk project reports:
When audio frames are given to the audio transcoding
support in Asterisk the number of samples are examined
and as part of this a message is output to indicate that
no samples are present. A change was done to suppress
this message for a particular scenario in which the message
was not relevant. This change assumed that information
about the origin of a frame will always exist when in
reality it may not.
This issue presented itself when an RTP packet containing
no audio (and thus no samples) was received. In a particular
transcoding scenario this audio frame would get turned
into a frame with no origin information. If this new frame
was then given to the audio transcoding support a crash
would occur as no samples and no origin information would
be present. The transcoding scenario requires the genericplc
option to be set to enabled (the default) and a transcoding
path from the source format into signed linear and then
from signed linear into another format.
Note that there may be other scenarios that have not
been found which can cause an audio frame with no origin
to be given to the audio transcoding support and thus
cause a crash.
Discovery 2019-08-07 Entry 2019-09-06
asterisk13 < 13.28.1
asterisk16 < 16.5.1
https://downloads.asterisk.org/pub/security/AST-2019-005.html
CVE-2019-15639
|