Asterisk Project Security Advisory - AST-2014-008

Product:             Asterisk
Summary:             Denial of Service in PJSIP Channel Driver Subscriptions
Nature of Advisory:  Denial of Service
Susceptibility:      Remote authenticated sessions
Severity:            Moderate
Exploits Known:      No
Reported On:         May 28, 2014
Reported By:         Mark Michelson
Posted On:           June 12, 2014
Last Updated On:
Advisory Contact:    Mark Michelson <mmichelson AT digium DOT com>
CVE Name:            CVE-2014-4048
Description

When a SIP transaction timeout caused an established subscription to be terminated, the action Asterisk took in response was guaranteed to deadlock the thread on which incoming SIP requests are serviced. Because that thread handles all PJSIP traffic, the deadlock stops the PJSIP channel driver from processing further SIP requests; a deadlocked thread does not recover, so service stays stalled until Asterisk is restarted.

Note that this behavior can only occur on an established subscription. It can therefore only be triggered by an attacker who first passed authentication (or otherwise got past it) and successfully subscribed to a real resource on the Asterisk server; a SUBSCRIBE that is rejected before a subscription is established never reaches the affected code path.
Resolution

The socket-servicing thread is no longer permitted to dispatch synchronous tasks to other threads, since blocking that thread until another thread has completed a task is what can produce the deadlock.
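The following is an added illustration of the deadlock pattern described above; it is not Asterisk or PJSIP code, and every name in it is made up for the example. A "socket thread" holds a lock while handling a transaction timeout and pushes a terminate-subscription task to another thread. In the pre-12.3.1 shape it then waits synchronously for that task; the task needs the same lock, so the two threads wait on each other. The mutex `subscription_lock` is an assumption standing in for whatever the waiting thread held in the real code path; the point is only that a synchronous push makes the caller wait for work that can depend on the caller. Since a genuine deadlock hangs forever, the synchronous wait here carries a 500 ms timeout and treats ETIMEDOUT as the deadlock signal. The fixed shape pushes asynchronously, releases the lock and lets the task complete on its own.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

/* Illustration only, not Asterisk or PJSIP code: a task handed to another
 * thread, with a completion flag the pushing thread can wait on. */
struct task {
    void (*fn)(void *);
    void *arg;
    bool done;
    pthread_mutex_t lock;
    pthread_cond_t done_cond;
    pthread_t thread;
};

static void *run_task(void *arg)
{
    struct task *t = arg;
    t->fn(t->arg);                  /* may block on whatever the task needs */
    pthread_mutex_lock(&t->lock);
    t->done = true;
    pthread_cond_signal(&t->done_cond);
    pthread_mutex_unlock(&t->lock);
    return NULL;
}

/* Asynchronous push: start the task on another thread and return at once. */
static void push_task(struct task *t, void (*fn)(void *), void *arg)
{
    *t = (struct task){ .fn = fn, .arg = arg, .done = false };
    pthread_mutex_init(&t->lock, NULL);
    pthread_cond_init(&t->done_cond, NULL);
    pthread_create(&t->thread, NULL, run_task, t);
}

/* Wait up to ms milliseconds for completion: 0 when done, ETIMEDOUT otherwise. */
static int task_wait(struct task *t, int ms)
{
    struct timespec dl;
    clock_gettime(CLOCK_REALTIME, &dl);
    long ns = dl.tv_nsec + (long)(ms % 1000) * 1000000L;
    dl.tv_sec += ms / 1000 + ns / 1000000000L;
    dl.tv_nsec = ns % 1000000000L;
    int rc = 0;
    pthread_mutex_lock(&t->lock);
    while (!t->done && rc == 0)
        rc = pthread_cond_timedwait(&t->done_cond, &t->lock, &dl);
    bool done = t->done;
    pthread_mutex_unlock(&t->lock);
    return done ? 0 : rc;
}

/* Synchronous push, the shape the fix removed: the caller blocks until the task ran. */
static int push_task_synchronous(struct task *t, void (*fn)(void *), void *arg, int ms)
{
    push_task(t, fn, arg);
    return task_wait(t, ms);
}

/* Assumed for the illustration: the socket-servicing thread holds this lock while
 * it handles the transaction timeout, and terminating the subscription needs it too. */
static pthread_mutex_t subscription_lock = PTHREAD_MUTEX_INITIALIZER;
static int subscriptions_terminated;

static void terminate_subscription(void *arg)
{
    (void)arg;
    pthread_mutex_lock(&subscription_lock);
    subscriptions_terminated++;
    pthread_mutex_unlock(&subscription_lock);
}

/* Pre-12.3.1 shape. Returns 1 when the synchronous wait times out, i.e. the threads
 * deadlocked: the caller waits for the task, the task waits for the caller's lock. */
int socket_thread_sync_dispatch(void)
{
    struct task t;
    pthread_mutex_lock(&subscription_lock);
    int rc = push_task_synchronous(&t, terminate_subscription, NULL, 500);
    pthread_mutex_unlock(&subscription_lock);    /* only reached thanks to the timeout */
    pthread_join(t.thread, NULL);                /* the task can now finish; clean up */
    return rc == ETIMEDOUT;
}

/* Fixed shape: push asynchronously, release the lock, the task completes on its own. */
int socket_thread_async_dispatch(void)
{
    struct task t;
    pthread_mutex_lock(&subscription_lock);
    push_task(&t, terminate_subscription, NULL); /* returns immediately */
    pthread_mutex_unlock(&subscription_lock);
    int rc = task_wait(&t, 5000);
    pthread_join(t.thread, NULL);
    return rc == 0;
}

/* Number of terminations that actually ran; each path above completes one. */
int terminated_count(void)
{
    return subscriptions_terminated;
}

int main(void)
{
    printf("synchronous dispatch deadlocked: %d\n", socket_thread_sync_dispatch());
    printf("asynchronous dispatch completed: %d\n", socket_thread_async_dispatch());
    return 0;
}
```

The synchronous path reports the deadlock only because of the artificial timeout; in the real driver the thread would have waited indefinitely, which is why the fix removes the ability to wait at all rather than adding a timeout.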
Affected Versions

Product                 Release Series
Asterisk Open Source    12.x              All versions
Corrected In

Product                 Release
Asterisk Open Source    12.3.1
Patches

SVN URL                                                            Revision
http://downloads.asterisk.org/pub/security/AST-2014-008-12.diff    Asterisk 12
Links

Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/
Revision History

Date             Editor            Revisions Made
June 6, 2014     Mark Michelson    Document Creation
June 12, 2014    Matt Jordan       Added CVE
Copyright ©

Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.