ASTERWEB Blog

9Set/16Off

AST-2016-007: RTP Resource Exhaustion

Il giorno 08 settembre 2016, l'Asterisk Security Team ha rilasciato il seguente post.

Dal post originale:

               Asterisk Project Security Advisory - AST-2016-007


         Product        Asterisk

         Summary        RTP Resource Exhaustion

    Nature of Advisory  Denial of Service

      Susceptibility    Remote Authenticated Sessions

         Severity       Moderate

      Exploits Known    No

       Reported On      August 5, 2016

       Reported By      Etienne Lessard

        Posted On

     Last Updated On    September 8, 2016

     Advisory Contact   Joshua Colp <jcolp AT digium DOT com>

         CVE Name       


    Description  The overlap dialing feature in chan_sip allows chan_sip to

                 report to a device that the number that has been dialed is

                 incomplete and more digits are required. If this

                 functionality is used with a device that has performed

                 username/password authentication RTP resources are leaked.

                 This occurs because the code fails to release the old RTP

                 resources before allocating new ones in this scenario. If

                 all resources are used then RTP port exhaustion will occur

                 and no RTP sessions are able to be set up.                   


    Resolution  If overlap dialing support is not needed the “allowoverlapâ€

                option can be set to no. This will stop any usage of the

                scenario which causes the resource exhaustion.                


                If overlap dialing support is needed a change has been made

                so that existing RTP resources are destroyed in this

                scenario before allocating new resources.                     


                               Affected Versions

                         Product                       Release

                                                       Series

                  Asterisk Open Source                  11.x    All Versions

                  Asterisk Open Source                  13.x    All Versions

                   Certified Asterisk                   11.6    All Versions

                   Certified Asterisk                   13.8    All Versions  


                                  Corrected In

          Product                              Release

    Asterisk Open Source                   11.23.1, 13.11.1

     Certified Asterisk                11.6-cert15, 13.8-cert3                


                                    Patches

                 SVN URL                              Revision                


    Links  https://issues.asterisk.org/jira/browse/ASTERISK-26272             


    Asterisk Project Security Advisories are posted at

    http://www.asterisk.org/security                                          


    This document may be superseded by later versions; if so, the latest

    version will be posted at

    http://downloads.digium.com/pub/security/AST-2016-007.pdf and

    http://downloads.digium.com/pub/security/AST-2016-007.html                


                                Revision History

         Date          Editor                   Revisions Made

    August 23, 2016  Joshua Colp  Initial creation                            


               Asterisk Project Security Advisory - AST-2016-007

               Copyright © 2016 Digium, Inc. All Rights Reserved.

  Permission is hereby granted to distribute and publish this advisory in its

                           original, unaltered form.

Inserito in: Asterisk - Sicurezza Disabilita commenti
Commenti (0) Trackback (0)

Spiacenti, il modulo dei commenti è chiuso per ora.

Ancora nessun trackback.

» «

Pagine

Categorie

Blogroll

Archivio

Meta