Asterisk Project Security Advisory - AST-2016-006

Product

Asterisk

Summary

Crash on ACK from unknown endpoint

Nature of Advisory

Remote Crash

Susceptibility

Remote unauthenticated sessions

Severity

Critical

Exploits Known

No

Reported On

August 3, 2016

Reported By

Nappsoft

Posted On


Last Updated On

August 31, 2016

Advisory Contact

mark DOT michelson AT digium DOT com

CVE Name




Description

Asterisk can be crashed remotely by sending an ACK to it from an endpoint username that Asterisk does not recognize. Most SIP request types result in an “artificial” endpoint being looked up, but ACKs bypass this lookup. The resulting NULL pointer results in a crash when attempting to determine if ACLs should be applied.


This issue was introduced in the Asterisk 13.10 release and only affects that release.


This issue only affects users using the PJSIP stack with Asterisk. Those users that use chan_sip are unaffected.


Resolution

ACKs now result in an artificial endpoint being looked up just like other SIP request types.


Affected Versions

Product

Release Series


Asterisk Open Source

11.x

Unaffected

Asterisk Open Source

13.x

13.10.0

Certified Asterisk

11.6

Unaffected

Certified Asterisk

13.8

Unaffected


Corrected In

Product

Release

Asterisk Open Source

13.11.1


Patches

SVN URL

Revision







Links



Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2016-006.pdf and http://downloads.digium.com/pub/security/AST-2016-006.html


Revision History

Date

Editor

Revisions Made

August 16, 2016

Mark Michelson

Initial draft of Advisory


Asterisk Project Security Advisory - AST-2016-006
Copyright © 2016 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.