Product

Asterisk

Summary

Possible resource leak on uncompleted re-invite transactions

Nature of Advisory

Denial of Service

Susceptibility

Remote authenticated sessions

Severity

Minor

Exploits Known

No

Reported On

June 13, 2012

Reported By

Steve Davies

Posted On

July 5, 2012

Last Updated On

July 6, 2012

Advisory Contact

Terry Wilson <twilson@digium.com>

CVE Name

CVE-2012-3863

Description

If Asterisk sends a re-invite and an endpoint responds to the re-invite with a provisional response but never sends a final response, then the SIP dialog structure is never freed and the RTP ports for the call are never released. If an attacker has the ability to place a call, they could create a denial of service by using all available RTP ports.

Resolution

A re-invite that receives a provisional response without a final response is detected and properly cleaned up at hangup.

Affected Versions

Product

Release Series

Asterisk Open Source

1.8.x

All versions

Asterisk Open Source

10.x

All versions

Asterisk Business Edition

C.3.x

All versions

Certified Asterisk

1.8.11-certx

All versions

Asterisk Digiumphones

10.x.x-digiumphones

All versions

Corrected In

Product

Release

Asterisk Open Source

1.8.13.1, 10.5.2

Asterisk Business Edition

C.3.7.5

Certified Asterisk

1.8.11-cert4

Asterisk Digiumphones

10.5.2-digiumphones

Patches

URL

Revision

http://downloads.asterisk.org/pub/security/AST-2012-010-1.8.diff

Asterisk 1.8

http://downloads.asterisk.org/pub/security/AST-2012-010-10.diff

Asterisk 10

Links

https://issues.asterisk.org/jira/browse/ASTERISK-19992

Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2012-010.pdf and http://downloads.digium.com/pub/security/AST-2012-010.html

Revision History

Date

Editor

Revisions Made

06/27/2012

Terry Wilson

Initial Release

07/06/2012

Matt Jordan

Added CVE