Asterisk Project Security Advisory - AST-2016-002

Product

Asterisk

Summary

File descriptor exhaustion in chan_sip

Nature of Advisory

Denial of Service

Susceptibility

Remote Unauthenticated Sessions

Severity

Minor

Exploits Known

Yes

Reported On

September 17, 2015

Reported By

Alexander Traud

Posted On

February 3, 2016

Last Updated On

February 15, 2016

Advisory Contact

Richard Mudgett <rmudgett AT digium DOT com>

CVE Name

CVE-2016-2316



Description

Setting the sip.conf timert1 value to a value higher than 1245 can cause an integer overflow and result in large retransmit timeout times. These large timeout values hold system file descriptors hostage and can cause the system to run out of file descriptors.


Resolution

Setting the sip.conf timert1 value to 1245 or lower will not exhibit the vulnerability. The default timert1 value is 500. Asterisk has been patched to detect the integer overflow and calculate the previous retransmission timer value.


Affected Versions

Product

Release Series


Asterisk Open Source

1.8.x

All versions

Asterisk Open Source

11.x

All versions

Asterisk Open Source

12.x

All versions

Asterisk Open Source

13.x

All versions

Certified Asterisk

1.8.28

All versions

Certified Asterisk

11.6

All versions

Certified Asterisk

13.1

All versions


Corrected In

Product

Release

Asterisk Open Source

11.21.1, 13.7.1

Certified Asterisk

11.6-cert12, 13.1-cert3


Patches

SVN URL

Revision

http://downloads.asterisk.org/pub/security/AST-2016-002-1.8.28.diff

Certified Asterisk 1.8.28

http://downloads.asterisk.org/pub/security/AST-2016-002-11.6.diff

Certified Asterisk 11.6

http://downloads.asterisk.org/pub/security/AST-2016-002-13.1.diff

Certified Asterisk 13.1

http://downloads.asterisk.org/pub/security/AST-2016-002-1.8.diff

Asterisk 1.8

http://downloads.asterisk.org/pub/security/AST-2016-002-11.diff

Asterisk 11

http://downloads.asterisk.org/pub/security/AST-2016-002-12.diff

Asterisk 12

http://downloads.asterisk.org/pub/security/AST-2016-002-13.diff

Asterisk 13



Links

https://issues.asterisk.org/jira/browse/ASTERISK-25397


Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2016-002.pdf and http://downloads.digium.com/pub/security/AST-2016-002.html


Revision History

Date

Editor

Revisions Made

September 29, 2015

Richard Mudgett

Initial document created

February 15, 2016

Kevin Harwell

CVE assignment


Asterisk Project Security Advisory - AST-2016-002
Copyright © 2015 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.