Asterisk Project Security Advisory - AST-2015-001

Product: Asterisk
Summary: File descriptor leak when incompatible codecs are offered
Nature of Advisory: Resource exhaustion
Susceptibility: Remote Authenticated Sessions
Severity: Major
Exploits Known: No
Reported On: 6 January, 2015
Reported By: Y Ateya
Posted On: 9 January, 2015
Last Updated On: 11 February, 2015
Advisory Contact: Mark Michelson <mmichelson AT digium DOT com>
CVE Name: CVE-2015-1558

Description

Asterisk may be configured to allow only specific audio or video codecs when communicating with a particular endpoint. When an endpoint sends an SDP offer that lists only codecs the endpoint is not allowed to use, Asterisk rejects the offer. However, the RTP ports (and the sockets, and therefore file descriptors, behind them) that were allocated while processing the offer are not released on that rejection path. An authenticated endpoint that repeatedly sends such offers can therefore exhaust the file descriptors available to the Asterisk process.


This issue only affects the PJSIP channel driver in Asterisk. Users of the chan_sip channel driver are not affected.


As the resources are allocated after authentication, this issue only affects communications with authenticated endpoints.
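The ordering the description names (allocate the RTP port, then check the codecs, then return early on rejection) is the general shape of this leak class. The following Python model is an added illustration, not Asterisk or PJSIP code: it parses the codec list out of a constructed SDP offer, compares it with a constructed endpoint allow list, and shows a handler that drops the RTP port on the rejection path next to one that releases it. The SDP sample, the allow list and its mapping to pjsip.conf names, the port pool, the function names and the Linux /proc file-descriptor counter are all assumptions made for the example; the advisory does not give Asterisk's internal names or the SIP response it returns.

```python
import os
import re

# Constructed SDP offer (not from the advisory): the caller offers only
# G.722 and Opus.  An endpoint that allows only PCMU/PCMA will reject it.
SAMPLE_OFFER = (
    "v=0\r\n"
    "o=- 1 1 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 4000 RTP/AVP 9 96\r\n"
    "a=rtpmap:9 G722/8000\r\n"
    "a=rtpmap:96 opus/48000/2\r\n"
)

# Constructed allow list, standing in for a pjsip.conf endpoint configured
# with "disallow=all" / "allow=ulaw,alaw" (the name mapping is an assumption).
ALLOWED = {"pcmu", "pcma"}

# Static RTP payload types (RFC 3551) that may appear on m= without an rtpmap.
STATIC_PT = {0: "pcmu", 3: "gsm", 8: "pcma", 9: "g722", 18: "g729"}


def offered_codecs(sdp):
    """Lowercase codec names offered on the first audio m= line."""
    rtpmap = {}
    for pt, enc in re.findall(r"^a=rtpmap:(\d+) (\S+)", sdp, re.M):
        rtpmap[int(pt)] = enc.split("/")[0].lower()
    m = re.search(r"^m=audio \d+ RTP/AVP((?: \d+)+)", sdp, re.M)
    if not m:
        return set()
    names = set()
    for pt in map(int, m.group(1).split()):
        name = rtpmap.get(pt, STATIC_PT.get(pt))
        if name:
            names.add(name)
    return names


class RtpPortPool:
    """Stand-in for the RTP socket allocator: each port is one open socket."""

    def __init__(self, first=10000, count=5):
        self.free = [first + 2 * i for i in range(count)]  # even ports for RTP
        self.in_use = set()

    def allocate(self):
        if not self.free:
            raise RuntimeError("RTP port pool exhausted")
        port = self.free.pop(0)
        self.in_use.add(port)
        return port

    def release(self, port):
        self.in_use.remove(port)
        self.free.append(port)


def handle_offer_leaky(pool, sdp, allowed=ALLOWED):
    """Pre-fix shape: the port is allocated before the codec check and the
    rejection path returns without giving it back."""
    port = pool.allocate()
    common = offered_codecs(sdp) & allowed
    if not common:
        return None  # BUG: `port` stays in pool.in_use forever
    return port, common


def handle_offer_fixed(pool, sdp, allowed=ALLOWED):
    """Fixed shape: every exit from the rejection path releases the port."""
    port = pool.allocate()
    try:
        common = offered_codecs(sdp) & allowed
    except Exception:
        pool.release(port)
        raise
    if not common:
        pool.release(port)
        return None
    return port, common


def simulate_rejections(handler, count, pool_size=5):
    """Feed `count` incompatible offers through `handler` on a fresh pool.
    Returns (ports still in use, whether the pool ran dry)."""
    pool = RtpPortPool(count=pool_size)
    for _ in range(count):
        try:
            handler(pool, SAMPLE_OFFER)
        except RuntimeError:
            return len(pool.in_use), True
    return len(pool.in_use), False


def open_fd_count(pid):
    """Linux-only check (assumes /proc is mounted): open descriptors of `pid`.
    Watching this for the asterisk process while an authenticated endpoint
    sends rejected offers is how the leak becomes visible in production."""
    return len(os.listdir("/proc/%d/fd" % pid))


if __name__ == "__main__":
    print("offered:", sorted(offered_codecs(SAMPLE_OFFER)))
    print("leaky  :", simulate_rejections(handle_offer_leaky, 6))
    print("fixed  :", simulate_rejections(handle_offer_fixed, 6))
```

With a pool of five ports, six rejected offers leave the leaky handler with all five in use and the sixth call failing, while the fixed handler ends with none in use. Checking the codec intersection before allocating any port is an equally valid fix; the release-on-rejection form is shown because it matches how the advisory describes the problem.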


Resolution

The reported leak has been patched.


Affected Versions

Product                 Release Series   Status
Asterisk Open Source    1.8.x            Unaffected
Asterisk Open Source    11.x             Unaffected
Asterisk Open Source    12.x             All versions
Asterisk Open Source    13.x             All versions
Certified Asterisk      1.8.28           Unaffected
Certified Asterisk      11.6             Unaffected

Corrected In

Product                 Release
Asterisk Open Source    12.8.1, 13.1.1


Patches

SVN URL                                                          Revision
http://downloads.asterisk.org/pub/security/AST-2015-001-12.diff  Asterisk 12
http://downloads.asterisk.org/pub/security/AST-2015-001-13.diff  Asterisk 13


Links

https://issues.asterisk.org/jira/browse/ASTERISK-24666


Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2015-001.pdf and http://downloads.digium.com/pub/security/AST-2015-001.html


Revision History

Date                 Editor            Revisions Made
9 January, 2015      Mark Michelson    Initial creation
11 February, 2015    Matt Jordan       Added CVE


Copyright © 2015 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.