Asterisk Project Security Advisory - AST-2012-010

Product              Asterisk
Summary              Possible resource leak on uncompleted re-invite transactions
Nature of Advisory   Denial of Service
Susceptibility       Remote authenticated sessions
Severity             Minor
Exploits Known       No
Reported On          June 13, 2012
Reported By          Steve Davies
Posted On            July 5, 2012
Last Updated On      July 6, 2012
Advisory Contact     Terry Wilson <twilson@digium.com>
CVE Name             CVE-2012-3863


Description

If Asterisk sends a re-invite and an endpoint responds to the re-invite with a provisional response but never sends a final response, then the SIP dialog structure is never freed and the RTP ports for the call are never released. If an attacker has the ability to place a call, they could create a denial of service by using all available RTP ports.


Resolution

A re-invite that receives a provisional response without a final response is detected and properly cleaned up at hangup.
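As an added illustration, not code from the advisory or from Asterisk, the following Python tracker models the condition described above: it follows INVITE and re-INVITE transactions per SIP dialog over a constructed stream of signaling events and reports, at hangup, the dialogs whose last re-INVITE drew only a provisional (1xx) response, which are exactly the dialogs whose RTP ports an unpatched 1.8.x/10.x system would never release. Call IDs, port numbers and event tuples are constructed sample data.

```python
# Added example: models the CVE-2012-3863 leak condition over SIP signaling
# events. Event tuples (constructed sample data) are
#   ("INVITE", call_id, rtp_port), ("RESP", call_id, status_code), ("BYE", call_id)

def is_final(status):
    """SIP final responses are 2xx-6xx; any 1xx response is provisional."""
    return 200 <= status <= 699


class ReinviteTracker:
    """Per-dialog state: the call's RTP port plus the state of an outstanding
    re-INVITE (None, "sent", or "provisional" once a 1xx arrived without a final)."""

    def __init__(self):
        self.dialogs = {}
        self.stuck = []   # (call_id, rtp_port) hung up while a re-INVITE had only a 1xx

    def invite(self, call_id, rtp_port):
        d = self.dialogs.get(call_id)
        if d is None:                          # initial INVITE creates the dialog
            self.dialogs[call_id] = {"port": rtp_port, "reinvite": None}
        else:                                  # INVITE inside an existing dialog is a re-INVITE
            d["reinvite"] = "sent"

    def response(self, call_id, status):
        d = self.dialogs.get(call_id)
        if d is None or d["reinvite"] is None:
            return                             # response to the initial INVITE: not tracked here
        d["reinvite"] = None if is_final(status) else "provisional"

    def hangup(self, call_id):
        d = self.dialogs.pop(call_id, None)
        if d is not None and d["reinvite"] == "provisional":
            self.stuck.append((call_id, d["port"]))


def find_stuck_reinvites(events):
    """Return (call_id, rtp_port) for every dialog torn down mid re-INVITE."""
    t = ReinviteTracker()
    for ev in events:
        if ev[0] == "INVITE":
            t.invite(ev[1], ev[2])
        elif ev[0] == "RESP":
            t.response(ev[1], ev[2])
        elif ev[0] == "BYE":
            t.hangup(ev[1])
    return t.stuck


SAMPLE_EVENTS = [   # constructed: call-a never gets a final answer to its re-INVITE
    ("INVITE", "call-a", 10000), ("RESP", "call-a", 100), ("RESP", "call-a", 200),
    ("INVITE", "call-a", 10000), ("RESP", "call-a", 183), ("BYE", "call-a"),
    ("INVITE", "call-b", 10002), ("RESP", "call-b", 200),
    ("INVITE", "call-b", 10002), ("RESP", "call-b", 183), ("RESP", "call-b", 200),
    ("BYE", "call-b"),
]

if __name__ == "__main__":
    print(find_stuck_reinvites(SAMPLE_EVENTS))   # → [('call-a', 10000)]
```

Run against real signaling (for example, events pulled from a SIP trace), a non-empty result on a pre-fix release points at the RTP ports the fix releases at hangup.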


Affected Versions

Product                    Release Series
Asterisk Open Source       1.8.x                  All versions
Asterisk Open Source       10.x                   All versions
Asterisk Business Edition  C.3.x                  All versions
Certified Asterisk         1.8.11-certx           All versions
Asterisk Digiumphones      10.x.x-digiumphones    All versions


Corrected In

Product                    Release
Asterisk Open Source       1.8.13.1, 10.5.2
Asterisk Business Edition  C.3.7.5
Certified Asterisk         1.8.11-cert4
Asterisk Digiumphones      10.5.2-digiumphones


Patches

URL                                                                Revision
http://downloads.asterisk.org/pub/security/AST-2012-010-1.8.diff   Asterisk 1.8
http://downloads.asterisk.org/pub/security/AST-2012-010-10.diff    Asterisk 10



Links

https://issues.asterisk.org/jira/browse/ASTERISK-19992


Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2012-010.pdf and http://downloads.digium.com/pub/security/AST-2012-010.html


Revision History

Date         Editor         Revisions Made
06/27/2012   Terry Wilson   Initial Release
07/06/2012   Matt Jordan    Added CVE


Copyright © 2012 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.