ASTERWEB Blog

28Mag/17Off

AST-2017-004: Memory exhaustion on short SCCP packets

               Asterisk Project Security Advisory - AST-2017-004

Product Asterisk
Summary Memory exhaustion on short SCCP packets
Nature of Advisory Denial of Service
Susceptibility Remote Unauthenticated Sessions
Severity Critical
Exploits Known No
Reported On April 13, 2017
Reported By Sandro Gauci
Posted On
Last Updated On April 13, 2017
Advisory Contact George Joseph <gjoseph AT digium DOT com>
CVE Name

Description A remote memory exhaustion can be triggered by sending an
SCCP packet to Asterisk system with “chan_skinny†enabled
that is larger than the length of the SCCP header but
smaller than the packet length specified in the header. The
loop that reads the rest of the packet doesn’t detect that
the call to read() returned end-of-file before the expected
number of bytes and continues infinitely. The “partial
data†message logging in that tight loop causes Asterisk to
exhaust all available memory.

Resolution If support for the SCCP protocol is not required, remove or
disable the module.

If support for SCCP is required, an upgrade to Asterisk will
be necessary.

Affected Versions
Product Release Series
Asterisk Open Source 11.x Unaffected
Asterisk Open Source 13.x All versions
Asterisk Open Source 14.x All versions
Certified Asterisk 13.13 All versions

Corrected In
Product Release
Asterisk Open Source 13.15.1, 14.4.1
Certified Asterisk 13.13-cert4

Patches
SVN URL Revision

Links

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest
version will be posted at http://downloads.digium.com/pub/security/.pdf
and http://downloads.digium.com/pub/security/.html

Revision History
Date Editor Revisions Made
13 April 2017 George Joseph Initial report created

Asterisk Project Security Advisory -
Copyright © 2017 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.

28Mag/17Off

AST-2017-003: Crash in PJSIP multi-part body parser

               Asterisk Project Security Advisory - AST-2017-003

Product Asterisk
Summary Crash in PJSIP multi-part body parser
Nature of Advisory Remote Crash
Susceptibility Remote Unauthenticated Sessions
Severity Critical
Exploits Known No
Reported On 13 April, 2017
Reported By Sandro Gauci
Posted On
Last Updated On April 13, 2017
Advisory Contact Mark Michelson <mark DOT michelson AT digium DOT
com>
CVE Name

Description The multi-part body parser in PJSIP contains a logical
error that can make certain multi-part body parts attempt
to read memory from outside the allowed boundaries. A
specially-crafted packet can trigger these invalid reads
and potentially induce a crash.

The issue is within the PJSIP project and not in Asterisk.
Therefore, the problem can be fixed without upgrading
Asterisk. However, we will be releasing a new version of
Asterisk where the bundled version of PJSIP has been
updated to have the bug patched.

If you are using Asterisk with chan_sip, this issue does
not affect you.

Resolution We have submitted the error report to the PJProject
maintainers and have coordinated a release...........

Affected Versions
Product Release
Series
Asterisk Open Source 11.x Unaffected
Asterisk Open Source 13.x All versions
Asterisk Open Source 14.x All versions
Certified Asterisk 13.13 All versions

Corrected In
Product Release
Asterisk Open Source 13.15.1, 14.4.1
Certified Asterisk 13.13-cert4

Patches
SVN URL Revision

Links https://issues.asterisk.org/jira/browse/ASTERISK-26939

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2017-003.pdf and
http://downloads.digium.com/pub/security/AST-2017-003.html

Revision History
Date Editor Revisions Made
13 April, 2017 Mark Michelson Initial advisory created

Asterisk Project Security Advisory - AST-2017-003
Copyright (c) 2017 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.

28Mag/17Off

AST-2017-002: Buffer Overrun in PJSIP transaction layer

               Asterisk Project Security Advisory - AST-2017-002

Product Asterisk
Summary Buffer Overrun in PJSIP transaction layer
Nature of Advisory Buffer Overrun/Crash
Susceptibility Remote Unauthenticated Sessions
Severity Critical
Exploits Known No
Reported On 12 April, 2017
Reported By Sandro Gauci
Posted On
Last Updated On April 13, 2017
Advisory Contact Mark Michelson <mark DOT michelson AT digium DOT
com>
CVE Name

Description A remote crash can be triggered by sending a SIP packet to
Asterisk with a specially crafted CSeq header and a Via
header with no branch parameter. The issue is that the
PJSIP RFC 2543 transaction key generation algorithm does
not allocate a large enough buffer. By overrunning the
buffer, the memory allocation table becomes corrupted,
leading to an eventual crash.

This issue is in PJSIP, and so the issue can be fixed
without performing an upgrade of Asterisk at all. However,
we are releasing a new version of Asterisk with the bundled
PJProject updated to include the fix.

If you are running Asterisk with chan_sip, this issue does
not affect you.

Resolution A patch created by the Asterisk team has been submitted and
accepted by the PJProject maintainers.

Affected Versions
Product Release
Series
Asterisk Open Source 11.x Unaffected
Asterisk Open Source 13.x All versions
Asterisk Open Source 14.x All versions
Certified Asterisk 13.13 All versions

Corrected In
Product Release
Asterisk Open Source 13.15.1, 14.4.1
Certified Asterisk 13.13-cert4

Patches
SVN URL Revision

Links https://issues.asterisk.org/jira/browse/ASTERISK-26938

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2017-002.pdf and
http://downloads.digium.com/pub/security/AST-2017-002.html

Revision History
Date Editor Revisions Made
12 April, 2017 Mark Michelson Initial report created

Asterisk Project Security Advisory - AST-2017-002
Copyright (c) 2017 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.

25Mag/17Off

Rilasciato Asterisk 13.16.0-rc2

Il giorno 24 maggio 2017, il Team di Sviluppo di Asterisk ha annunciato il rilascio di Asterisk 13.16.0-rc2.

Dal post originale:

The following issues are resolved in this release candidate:

Bugs fixed in this release:
-----------------------------------
[ASTERISK-26982] -
chan_sip: rtcp_mux setting may cause ice completion failure/delay if client offers rtcp-mux as negotiable
(Reported by Stefan Engström)
[ASTERISK-26979] -
res_rtp_asterisk: SRTP unprotect failed with authentication failure 10 or 110
(Reported by Javier Riveros )

For a full list of changes in this release candidate, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-13.16.0-rc2

25Mag/17Off

Rilasciato Asterisk 14.5.0-rc2

Il giorno 24 maggio 2017, il Team di Sviluppo di Asterisk ha annunciato il rilascio di Asterisk 14.5.0-rc2.

Dal post originale:

The following issues are resolved in this release candidate:

Bugs fixed in this release:
-----------------------------------
[ASTERISK-26982] -
chan_sip: rtcp_mux setting may cause ice completion failure/delay if client offers rtcp-mux as negotiable
(Reported by Stefan Engström)
[ASTERISK-26979] -
res_rtp_asterisk: SRTP unprotect failed with authentication failure 10 or 110
(Reported by Javier Riveros )

For a full list of changes in this release candidate, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-14.5.0-rc2

23Mag/17Off

Rilasciato Asterisk 13.16.0-rc1

Il giorno 22 maggio 2017, il Team di Sviluppo di Asterisk ha annunciato il rilascio di Asterisk 13.16.0-rc1.

Dal post originale:

The following issues are resolved in this release candidate:

Bugs fixed in this release:
-----------------------------------
[ASTERISK-25665] -
Duplicate logging in queue log for EXITEMPTY events
(Reported by Ove Aursand)
[ASTERISK-26998] -
res_pjsip_session: INVITE retransmissions could still setup the same call again.
(Reported by Richard Mudgett)
[ASTERISK-26143] -
res_rtp_asterisk: One way audio when transcoding
(Reported by Henning Holtschneider)
[ASTERISK-26606] -
tcptls: Incorrect OpenSSL function call leads to misleading error report
(Reported by Bob Ham)
[ASTERISK-26983] -
Crash in Manager Reload when TLS Config Changes
(Reported by Joshua Elson)
[ASTERISK-25032] -
[patch]cel_odbc sometimes inserts CEL with wrong eventtime
(Reported by Etienne Lessard)
[ASTERISK-26173] -
func_cdr: CDR function does not permit empty values to be assigned
(Reported by gkloepfer)
[ASTERISK-25506] -
[patch]CONFBRIDGE failure after an app_confbrige.so module reload results in segfault or error/warning messages.
(Reported by Frederic LE FOLL)
[ASTERISK-24529] -
Using AMI Action Bridge to on an already bridged channel causes the incorrect return priority to be used
(Reported by Corey Farrell)
[ASTERISK-26860] -
Upon RTCP reception, netsock2.c:210 ast_sockaddr_split_hostport: Port missing in (null)
(Reported by Evers Lab)
[ASTERISK-26922] -
chan_sip: tcpbind uses wrong source address
(Reported by Ksenia)
[ASTERISK-26974] -
res_pjsip: Deadlock in T.38 framehook
(Reported by Richard Mudgett)
[ASTERISK-26908] -
res_pjsip: The ChanIsAvail causes a res_pjsip session to be leaked.
(Reported by Richard Mudgett)
[ASTERISK-25823] -
SIGSEGV, Segmentation fault. - ../sysdeps/x86_64/strlen.S: No such file or directory.
(Reported by Andreas Krüger)
[ASTERISK-26951] -
chan_sip: ACK with SDP does not update a direct media bridge
(Reported by Jean Aunis - Prescom)
[ASTERISK-26930] -
pjproject/Makefile.rules for pjsip 2.6 build fails for non-SSE2 instrunction Linux
(Reported by abelbeck)
[ASTERISK-26926] -
func_speex: Crash caused by frame with no datalen
(Reported by Richard Kenner)
[ASTERISK-26929] -
pjsip: Add database tables for RLS
(Reported by Joshua Colp)
[ASTERISK-26953] -
Asterisk crash if hep.conf have some missing parameters
(Reported by Joel Vandal)
[ASTERISK-26890] -
STUN server with non-default-route transport causes INVITE delay
(Reported by George Joseph)
[ASTERISK-26692] -
res_rtp_asterisk: Crash in dtls_srtp_handle_timeout at res_rtp_asterisk (using chan_sip)
(Reported by scgm11)
[ASTERISK-26835] -
res_rtp_asterisk: Crash when freeing RTCP address string
(Reported by Niklas Larsson)
[ASTERISK-26853] -
res_rtp_asterisk: Crash in pjnath when receiving packet
(Reported by Adagio)
[ASTERISK-26613] -
format_wav: wav16 format read file only by 320 - half of frame
(Reported by Vitaly K)
[ASTERISK-26169] -
format_ogg_vorbis: Memory leak using OGG in MixMonitor
(Reported by Ivan Myalkin)
[ASTERISK-21856] -
STUN never works when asterisk started without internet access
(Reported by Jeremy Kister)
[ASTERISK-20984] -
Audible clicks when playing sox encoded au file with STREAM FILE AGI command
(Reported by Roman S.)
[ASTERISK-26851] -
res_pjsip_sdp_rtp: RTP instance does not use same IP as explicit transport
(Reported by Richard Begg)
[ASTERISK-26903] -
Listening TCP/TLS sockets stop when temporarily out of open files
(Reported by Walter Doekes)
[ASTERISK-26528] -
[UBSAN] strings.h:signed integer overflow in ast_str_case_hash
(Reported by Badalian Vyacheslav)
[ASTERISK-26928] -
pjsip: Add database tables for PUBLISH support
(Reported by Joshua Colp)
[ASTERISK-26927] -
pjproject_bundled: Crash on pj_ssl_get_info() while ioqueue_on_read_complete().
(Reported by Alexander Traud)
[ASTERISK-26905] -
pjproject_bundled: Merge 3 upstream deadlock patches into bundled
(Reported by Ross Beer)
[ASTERISK-26897] -
chan_sip: Security vulnerability with client code header
(Reported by Alex Villacís Lasso)
[ASTERISK-25974] -
Unused realtime MOH classes not purged on 'moh reload'
(Reported by Sébastien Couture)
[ASTERISK-26916] -
res_pjsip: Excessive refcount reached on transport ao2 object
(Reported by Ross Beer)
[ASTERISK-21721] -
SIP Failed to parse multiple Supported: headers
(Reported by Olle Johansson)
[ASTERISK-26915] -
chan_sip: Session Timers required but refused wrongly.
(Reported by Alexander Traud)
[ASTERISK-26363] -
res_pjsip: Bye sent to sip trunk is not authenticated even after receiving a 407 error code
(Reported by Yaacov Akiba Slama)
[ASTERISK-26896] -
Overflow of buffer to PQEscapeStringConn with large app_args causes ABRT
(Reported by twisted)
[ASTERISK-26705] -
libasteriskssl.so not found when asterisk is installed for the 1st time
(Reported by George Joseph)
[ASTERISK-21009] -
xmpp_pubsub_unsubscribe: Could not create IQ when creating pubsub unsubscription on client
(Reported by Marcello Ceschia)
[ASTERISK-25490] -
[patch]SDP crypto tag is validated incorrectly
(Reported by Joerg Sonnenberger)
[ASTERISK-24712] -
xmpp: starttls problem causes connection spew
(Reported by Matthias Urlichs)
[ASTERISK-26086] -
res_musiconhold: format option is not documented adequately
(Reported by Jens Bürger)
[ASTERISK-23996] -
No core dumps because of res_musiconhold chdir.
(Reported by Walter Doekes)
[ASTERISK-26814] -
pjproject_bundled build fails to download pjproject source when using cURL
(Reported by Gergely Dömsödi)
[ASTERISK-23510] -
JABBER_STATUS fails with improper code 7 for unavailable clients
(Reported by Anthony Critelli)
[ASTERISK-21855] -
Asterisk crashes when XMPP message is sent (JabberSend) and no internet connection is available
(Reported by Jeremy Kister)
[ASTERISK-25622] -
WARNING for "JABBER: socket read error" should be more specific
(Reported by Sean Darcy)
[ASTERISK-26818] -
cdr: Problem setting variables in h exten
(Reported by scgm11)
[ASTERISK-26875] -
app_mixmonitor: Recording out of sync when 183 but no RTP
(Reported by Aaron An)

Improvements made in this release:
-----------------------------------

[ASTERISK-26088] -
Investigate heavy memory utilization by res_pjsip_pubsub
(Reported by Richard Mudgett)
[ASTERISK-26427] -
res_hep_rtcp: Asterisk Master will report channel name with res_hep_rtcp when using chan_sip
(Reported by Nir Simionovich (GreenfieldTech - Israel))

For a full list of changes in this release candidate, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-13.16.0-rc1

23Mag/17Off

Rilasciato Asterisk 14.5.0-rc1

Il giorno 22 maggio 2017, il Team di Sviluppo di Asterisk ha annunciato il rilascio di Asterisk 14.5.0-rc1.

Dal post originale:

The following issues are resolved in this release candidate:

Bugs fixed in this release:
-----------------------------------

[ASTERISK-25665] -
Duplicate logging in queue log for EXITEMPTY events
(Reported by Ove Aursand)
[ASTERISK-26998] -
res_pjsip_session: INVITE retransmissions could still setup the same call again.
(Reported by Richard Mudgett)
[ASTERISK-26143] -
res_rtp_asterisk: One way audio when transcoding
(Reported by Henning Holtschneider)
[ASTERISK-26606] -
tcptls: Incorrect OpenSSL function call leads to misleading error report
(Reported by Bob Ham)
[ASTERISK-26983] -
Crash in Manager Reload when TLS Config Changes
(Reported by Joshua Elson)
[ASTERISK-25032] -
[patch]cel_odbc sometimes inserts CEL with wrong eventtime
(Reported by Etienne Lessard)
[ASTERISK-26173] -
func_cdr: CDR function does not permit empty values to be assigned
(Reported by gkloepfer)
[ASTERISK-25506] -
[patch]CONFBRIDGE failure after an app_confbrige.so module reload results in segfault or error/warning messages.
(Reported by Frederic LE FOLL)
[ASTERISK-24529] -
Using AMI Action Bridge to on an already bridged channel causes the incorrect return priority to be used
(Reported by Corey Farrell)
[ASTERISK-26860] -
Upon RTCP reception, netsock2.c:210 ast_sockaddr_split_hostport: Port missing in (null)
(Reported by Evers Lab)
[ASTERISK-26922] -
chan_sip: tcpbind uses wrong source address
(Reported by Ksenia)
[ASTERISK-26974] -
res_pjsip: Deadlock in T.38 framehook
(Reported by Richard Mudgett)
[ASTERISK-26908] -
res_pjsip: The ChanIsAvail causes a res_pjsip session to be leaked.
(Reported by Richard Mudgett)
[ASTERISK-25823] -
SIGSEGV, Segmentation fault. - ../sysdeps/x86_64/strlen.S: No such file or directory.
(Reported by Andreas Krüger)
[ASTERISK-26951] -
chan_sip: ACK with SDP does not update a direct media bridge
(Reported by Jean Aunis - Prescom)
[ASTERISK-26930] -
pjproject/Makefile.rules for pjsip 2.6 build fails for non-SSE2 instrunction Linux
(Reported by abelbeck)
[ASTERISK-26926] -
func_speex: Crash caused by frame with no datalen
(Reported by Richard Kenner)
[ASTERISK-26929] -
pjsip: Add database tables for RLS
(Reported by Joshua Colp)
[ASTERISK-26953] -
Asterisk crash if hep.conf have some missing parameters
(Reported by Joel Vandal)
[ASTERISK-26890] -
STUN server with non-default-route transport causes INVITE delay
(Reported by George Joseph)
[ASTERISK-26692] -
res_rtp_asterisk: Crash in dtls_srtp_handle_timeout at res_rtp_asterisk (using chan_sip)
(Reported by scgm11)
[ASTERISK-26835] -
res_rtp_asterisk: Crash when freeing RTCP address string
(Reported by Niklas Larsson)
[ASTERISK-26853] -
res_rtp_asterisk: Crash in pjnath when receiving packet
(Reported by Adagio)
[ASTERISK-26613] -
format_wav: wav16 format read file only by 320 - half of frame
(Reported by Vitaly K)
[ASTERISK-26169] -
format_ogg_vorbis: Memory leak using OGG in MixMonitor
(Reported by Ivan Myalkin)
[ASTERISK-21856] -
STUN never works when asterisk started without internet access
(Reported by Jeremy Kister)
[ASTERISK-20984] -
Audible clicks when playing sox encoded au file with STREAM FILE AGI command
(Reported by Roman S.)
[ASTERISK-26851] -
res_pjsip_sdp_rtp: RTP instance does not use same IP as explicit transport
(Reported by Richard Begg)
[ASTERISK-26903] -
Listening TCP/TLS sockets stop when temporarily out of open files
(Reported by Walter Doekes)
[ASTERISK-26528] -
[UBSAN] strings.h:signed integer overflow in ast_str_case_hash
(Reported by Badalian Vyacheslav)
[ASTERISK-26928] -
pjsip: Add database tables for PUBLISH support
(Reported by Joshua Colp)
[ASTERISK-26927] -
pjproject_bundled: Crash on pj_ssl_get_info() while ioqueue_on_read_complete().
(Reported by Alexander Traud)
[ASTERISK-26905] -
pjproject_bundled: Merge 3 upstream deadlock patches into bundled
(Reported by Ross Beer)
[ASTERISK-26897] -
chan_sip: Security vulnerability with client code header
(Reported by Alex Villacís Lasso)
[ASTERISK-25974] -
Unused realtime MOH classes not purged on 'moh reload'
(Reported by Sébastien Couture)
[ASTERISK-26916] -
res_pjsip: Excessive refcount reached on transport ao2 object
(Reported by Ross Beer)
[ASTERISK-21721] -
SIP Failed to parse multiple Supported: headers
(Reported by Olle Johansson)
[ASTERISK-26915] -
chan_sip: Session Timers required but refused wrongly.
(Reported by Alexander Traud)
[ASTERISK-26363] -
res_pjsip: Bye sent to sip trunk is not authenticated even after receiving a 407 error code
(Reported by Yaacov Akiba Slama)
[ASTERISK-26896] -
Overflow of buffer to PQEscapeStringConn with large app_args causes ABRT
(Reported by twisted)
[ASTERISK-26705] -
libasteriskssl.so not found when asterisk is installed for the 1st time
(Reported by George Joseph)
[ASTERISK-21009] -
xmpp_pubsub_unsubscribe: Could not create IQ when creating pubsub unsubscription on client
(Reported by Marcello Ceschia)
[ASTERISK-25490] -
[patch]SDP crypto tag is validated incorrectly
(Reported by Joerg Sonnenberger)
[ASTERISK-24712] -
xmpp: starttls problem causes connection spew
(Reported by Matthias Urlichs)
[ASTERISK-26086] -
res_musiconhold: format option is not documented adequately
(Reported by Jens Bürger)
[ASTERISK-23996] -
No core dumps because of res_musiconhold chdir.
(Reported by Walter Doekes)
[ASTERISK-26814] -
pjproject_bundled build fails to download pjproject source when using cURL
(Reported by Gergely Dömsödi)
[ASTERISK-23510] -
JABBER_STATUS fails with improper code 7 for unavailable clients
(Reported by Anthony Critelli)
[ASTERISK-21855] -
Asterisk crashes when XMPP message is sent (JabberSend) and no internet connection is available
(Reported by Jeremy Kister)
[ASTERISK-25622] -
WARNING for "JABBER: socket read error" should be more specific
(Reported by Sean Darcy)
[ASTERISK-26818] -
cdr: Problem setting variables in h exten
(Reported by scgm11)
[ASTERISK-26875] -
app_mixmonitor: Recording out of sync when 183 but no RTP
(Reported by Aaron An)

Improvements made in this release:
-----------------------------------

[ASTERISK-26088] -
Investigate heavy memory utilization by res_pjsip_pubsub
(Reported by Richard Mudgett)
[ASTERISK-26427] -
res_hep_rtcp: Asterisk Master will report channel name with res_hep_rtcp when using chan_sip
(Reported by Nir Simionovich (GreenfieldTech - Israel))

For a full list of changes in this release candidate, please see the ChangeLog:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-13.16.0-rc1