Tags › Asterisk
Asterisk PJSIP: stack corruption via large Accept header in SUBSCRIBE
Published on Feb 22, 2018 in CVE-2018-7284, asterisk, pjsip, stack corruption, denial of service, security advisory
- Authors:
- Alfred Farrugia alfred@enablesecurity.com
- Sandro Gauci sandro@enablesecurity.com
- Latest vulnerable version: Asterisk 15.2.0 running
chan_pjsip - Tested vulnerable versions: 15.2.0, 13.19.0, 14.7.5, 13.11.2
- References: AST-2018-004, CVE-2018-7284
- Advisory URL: https://www.enablesecurity.com/advisories/ES2018-01-asterisk-pjsip-subscribe-stack-corruption/
- Vendor Advisory: http://downloads.asterisk.org/pub/security/AST-2018-004.html
- Timeline:
- Issue reported to vendor: 2018-01-30
- Vendor patch made available to us: 2018-02-06
- Vendor advisory published: 2018-02-21
- Enable Security advisory: 2018-02-22
Description
A large SUBSCRIBE message with multiple malformed Accept headers will crash Asterisk due to stack corruption.
Impact
Abuse of this vulnerability leads to denial of service in Asterisk when chan_pjsip is in use. Brief analysis indicates that this is an exploitable vulnerability that may lead to remote code execution.
Asterisk: RTP Bleed vulnerability
Published on Sep 1, 2017 in CVE-2017-14099, asterisk, owasp, security advisory
- Authors:
- Klaus-Peter Junghanns kapejod@gmail.com
- Sandro Gauci sandro@enablesecurity.com
- Vulnerable version: Asterisk 11.4.0 to 14.6.1 (fix incomplete)
- References: AST-2017-005, AST-2017-008, CVE-2017-14099
- Advisory URL: https://www.enablesecurity.com/advisories/ES2017-04-asterisk-rtp-bleed/
- Timeline:
- First report date: 2011-09-11
- Fix applied: 2011-09-21
- Issue apparently reintroduced: 2013-03-07
- New report date: 2017-05-17
- Vendor patch provided for testing: 2017-05-23
- Vendor advisory: 2017-08-31
- Enable Security advisory: 2017-09-01
- Vendor updated advisory: 2017-09-19
Description
When Asterisk is configured with the nat=yes and strictrtp=yes (on by default) options, it is vulnerable to an attack which we call RTP Bleed. Further information about the attack can be found at https://rtpbleed.com.
Asterisk Skinny: memory exhaustion denial of service
Published on May 23, 2017 in asterisk, denial of service, security advisory
- Authors:
- Alfred Farrugia alfred@enablesecurity.com
- Sandro Gauci sandro@enablesecurity.com
- Vulnerable version: Asterisk 14.4.0 with
chan_skinnyenabled - References: AST-2017-004
- Enable Security Advisory: https://www.enablesecurity.com/advisories/ES2017-03-asterisk-chan-skinny-crash/
- Vendor Advisory: http://downloads.asterisk.org/pub/security/AST-2017-004.html
- Timeline:
- Report date: 2017-04-13
- Digium confirmed issue: 2017-04-13
- Digium patch and advisory: 2017-05-19
- Enable Security advisory: 2017-05-23
Description
Sending one malformed Skinny message to port 2000 will exhaust Asterisk’s memory resulting in a crash.
Impact
Abuse of this issue allows attackers to crash Asterisk when Skinny is exposed to attackers.
How to reproduce the issue
Start Asterisk and make sure the chan_skinny module is loaded. Then execute:
Asterisk PJSIP: out-of-bound memory access in multipart parser
Published on May 23, 2017 in asterisk, pjsip, denial of service, security advisory
- Authors:
- Alfred Farrugia alfred@enablesecurity.com
- Sandro Gauci sandro@enablesecurity.com
- Vulnerable version: Asterisk 14.4.0 running
chan_pjsip, PJSIP 2.6 - References: AST-2017-003
- Enable Security Advisory: https://www.enablesecurity.com/advisories/ES2017-02-asterisk-pjsip-multi-part-crash/
- Vendor Advisory: http://downloads.asterisk.org/pub/security/AST-2017-003.html
- Timeline:
- Report date: 2017-04-13
- Digium confirmed issue: 2017-04-13
- Digium patch and advisory: 2017-05-19
- PJSIP added patch by Digium: 2017-05-21
- Enable Security advisory: 2017-05-23
Description
A specially crafted SIP message with a malformed multipart body was found to cause a segmentation fault.
Impact
Abuse of this vulnerability leads to denial of service (DoS), and potentially remote code execution (RCE), in Asterisk when chan_pjsip is in use. This vulnerability is likely to affect other code that makes use of PJSIP.
Asterisk PJSIP: heap overflow in CSeq header parsing
Published on May 23, 2017 in CVE-2017-9372, asterisk, pjsip, heap overflow, security advisory
- Authors:
- Alfred Farrugia alfred@enablesecurity.com
- Sandro Gauci sandro@enablesecurity.com
- Vulnerable version: Asterisk 14.4.0 running
chan_pjsip, PJSIP 2.6 - References: AST-2017-002, CVE-2017-9372
- Enable Security Advisory: https://www.enablesecurity.com/advisories/ES2017-01-asterisk-pjsip-cseq-overflow/
- Vendor Advisory: http://downloads.asterisk.org/pub/security/AST-2017-002.html
- Timeline:
- Report date: 2017-04-12
- Digium confirmed issue: 2017-04-12
- Digium patch and advisory: 2017-05-19
- PJSIP added patch by Digium: 2017-05-21
- Enable Security advisory: 2017-05-23
Description
A specially crafted SIP message with a long CSEQ value will cause a heap overflow in PJSIP.
Impact
Abuse of this vulnerability leads to denial of service in Asterisk when chan_pjsip is in use. This vulnerability is likely to be abused for remote code execution and may affect other code that makes use of PJSIP.
If SIPVicious gives you a ring…
Published on Dec 10, 2012 in asterisk, cyber crime, sip security, sipvicious oss, security tools
Note: SIPVicious version 0.28 is out, go get it.
I like to keep an eye on the social media and Google alerts for SIPVicious and in the last few months I noticed a rise in mentions of the tools. Specifically, a number of Korean twitter users (who have their service with KT, a VoIP service provider) complaining about receiving a call from a caller-id showing ‘SIPVicious’.
…