AST-2014-009: Remote crash based on malformed SIP subscription requests

Il giorno 20 settembre 2014, il Team di Sviluppo di Asterisk ha annunciato il rilascio di Asterisk 13.0.0-beta2.

Dal post originale:

Asterisk Project Security Advisory - AST-2014-009

Product Asterisk
Summary Remote crash based on malformed SIP subscription
Nature of Advisory Remotely triggered crash of Asterisk
Susceptibility Remote authenticated sessions
Severity Major
Exploits Known No
Reported On 30 July, 2014
Reported By Mark Michelson
Posted On 18 September, 2014
Last Updated On September 18, 2014
Advisory Contact Mark Michelson
CVE Name Pending

Description It is possible to trigger a crash in Asterisk by sending a
SIP SUBSCRIBE request with unexpected mixes of headers for
a given event package. The crash occurs because Asterisk
allocates data of one type at one layer and then interprets
the data as a separate type at a different layer. The crash
requires that the SUBSCRIBE be sent from a configured
endpoint, and the SUBSCRIBE must pass any authentication
that has been configured.

Note that this crash is Asterisk's PJSIP-based
res_pjsip_pubsub module and not in the old chan_sip module.

Resolution Type-safety has been built into the pubsub API where it
previously was absent. A test has been added to the
testsuite that previously would have triggered the crash.

Affected Versions
Product Release
Asterisk Open Source 1.8.x Unaffected
Asterisk Open Source 11.x Unaffected
Asterisk Open Source 12.x 12.1.0 and up
Certified Asterisk 1.8.15 Unaffected
Certified Asterisk 11.6 Unaffected

Corrected In
Product Release
Asterisk Open Source 12.5.1

SVN URL Revision Asterisk


Asterisk Project Security Advisories are posted at

This document may be superseded by later versions; if so, the latest
version will be posted at and

Revision History
Date Editor Revisions Made
19 August, 2014 Mark Michelson Initial version of document

Commenti (0) Trackback (0)

Spiacenti, il modulo dei commenti è chiuso per ora.

Ancora nessun trackback.