Asterisk Project Security Advisory - AST-2022-001

Product              Asterisk
Summary              res_stir_shaken: resource exhaustion with large files
Nature of Advisory   Resource exhaustion
Susceptibility       Remote unauthenticated access
Severity             Major
Exploits Known       No
Reported On          Jan 21, 2022
Reported By          Ben Ford
Posted On            Apr 14, 2022
Last Updated On      April 13, 2022
Advisory Contact     bford AT sangoma DOT com
CVE Name             CVE-2022-26498



Description

When using STIR/SHAKEN, it’s possible to download files that are not certificates. These files could be much larger than what you would expect to download.

Modules Affected

res_stir_shaken


Resolution

If you are using STIR/SHAKEN in Asterisk, upgrade to one of the versions listed below. Asterisk now checks the downloaded file to see if it’s actually a certificate or if it is larger than what is expected.


If not upgrading, the curl_timeout option in stir_shaken.conf should be utilized so that downloads do not last an extended period of time.
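The two checks the resolution describes, a cap on how much of a "certificate" download is accepted and a sanity check that what arrived is actually a certificate, can be illustrated with a libcurl-style write callback. The following is an added example written for this advisory, not code from Asterisk or from the linked patches: the 8192-byte cap, the chunk size, and the sample response bodies are constructed values, and the real CURLOPT_WRITEFUNCTION contract is only that returning fewer bytes than were offered makes libcurl abort the transfer with CURLE_WRITE_ERROR, which is what bounds the download here.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Upper bound on a downloaded certificate body.  Constructed value for
 * this illustration, not the limit Asterisk itself uses. */
#define CERT_DOWNLOAD_MAX_BYTES 8192

/* Chunk size used below to simulate libcurl handing data to the callback
 * in pieces; the real value depends on the transfer. */
#define SIM_CHUNK_BYTES 1024

struct cert_download {
    char buf[CERT_DOWNLOAD_MAX_BYTES + 1];  /* +1 for the NUL terminator */
    size_t len;
    int truncated;  /* set once the cap is hit and the transfer aborted */
};

/* Write callback with the libcurl CURLOPT_WRITEFUNCTION signature.
 * Returning fewer bytes than size * nmemb makes libcurl abort the transfer
 * with CURLE_WRITE_ERROR, so an oversized response is cut off at the cap
 * instead of being spooled to disk or memory in full. */
size_t cert_write_cb(char *ptr, size_t size, size_t nmemb, void *userdata)
{
    struct cert_download *dl = userdata;
    size_t incoming = size * nmemb;

    if (dl->len + incoming > CERT_DOWNLOAD_MAX_BYTES) {
        dl->truncated = 1;
        return 0;  /* too large to be a certificate: abort */
    }
    memcpy(dl->buf + dl->len, ptr, incoming);
    dl->len += incoming;
    dl->buf[dl->len] = '\0';
    return incoming;
}

/* Structural check once the transfer is complete: the body must carry
 * PEM certificate framing.  The verifier still has to parse it with an
 * X.509 library; this only rejects obvious non-certificates early. */
int looks_like_pem_certificate(const struct cert_download *dl)
{
    static const char begin[] = "-----BEGIN CERTIFICATE-----";
    static const char end[] = "-----END CERTIFICATE-----";
    const char *b;

    if (dl->truncated || dl->len == 0) {
        return 0;
    }
    b = strstr(dl->buf, begin);
    if (b == NULL) {
        return 0;
    }
    return strstr(b + sizeof(begin) - 1, end) != NULL;
}

/* Feeds a response body through the callback in SIM_CHUNK_BYTES pieces,
 * the way libcurl would.  Returns 1 if accepted as a certificate, 0 if the
 * body is not a certificate, -1 if the size cap aborted the transfer. */
int check_downloaded_body(const char *body, size_t body_len)
{
    struct cert_download dl;
    size_t off = 0;

    memset(&dl, 0, sizeof(dl));
    while (off < body_len) {
        size_t n = body_len - off < SIM_CHUNK_BYTES ? body_len - off : SIM_CHUNK_BYTES;
        if (cert_write_cb((char *)body + off, 1, n, &dl) != n) {
            return -1;  /* libcurl would stop here with CURLE_WRITE_ERROR */
        }
        off += n;
    }
    return looks_like_pem_certificate(&dl) ? 1 : 0;
}

/* Constructed sample responses (not real certificates or real servers). */
static const char SAMPLE_PEM_BODY[] =
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBsampleBase64ThatIsNotARealCertificate\n"
    "-----END CERTIFICATE-----\n";
static const char SAMPLE_HTML_BODY[] =
    "<html><body>Not a certificate</body></html>\n";

#define OVERSIZED_BODY_LEN (CERT_DOWNLOAD_MAX_BYTES * 4)

/* Constructed oversized response: four times the cap, all filler. */
const char *oversized_body(void)
{
    static char body[OVERSIZED_BODY_LEN];
    memset(body, 'A', sizeof(body));
    return body;
}

int main(void)
{
    printf("pem:       %d\n", check_downloaded_body(SAMPLE_PEM_BODY, strlen(SAMPLE_PEM_BODY)));
    printf("html:      %d\n", check_downloaded_body(SAMPLE_HTML_BODY, strlen(SAMPLE_HTML_BODY)));
    printf("oversized: %d\n", check_downloaded_body(oversized_body(), OVERSIZED_BODY_LEN));
    return 0;
}
```

The size cap acts inside the callback rather than after the transfer, because a check that runs only once the whole body has arrived still lets the peer push an arbitrarily large response first. On an installation that cannot be upgraded, the curl_timeout option mentioned above bounds the duration of the transfer instead of its size, which limits how long a single slow or oversized download can tie up the verifier.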


Affected Versions

Product                 Release Series
Asterisk Open Source    16.x               16.15.0 and after
Asterisk Open Source    18.x               All versions
Asterisk Open Source    19.x               All versions


Corrected In

Product                 Release
Asterisk Open Source    16.25.2, 18.11.2, 19.3.2


Patches

Patch URL                                                        Revision
https://downloads.digium.com/pub/security/AST-2022-001-16.diff   Asterisk 16
https://downloads.digium.com/pub/security/AST-2022-001-18.diff   Asterisk 18
https://downloads.digium.com/pub/security/AST-2022-001-19.diff   Asterisk 19



Links

https://issues.asterisk.org/jira/browse/ASTERISK-29872

https://downloads.asterisk.org/pub/security/AST-2022-001.html


Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version will be posted at https://downloads.digium.com/pub/security/AST-2022-001.pdf and https://downloads.digium.com/pub/security/AST-2022-001.html


Revision History

Date            Editor      Revisions Made
Apr 13, 2022    Ben Ford    Initial revision


Copyright © 01/19/2022 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.