Tags › Denial of Service

Asterisk Skinny: memory exhaustion denial of service

• Authors:
  • Alfred Farrugia alfred@enablesecurity.com
  • Sandro Gauci sandro@enablesecurity.com
• Vulnerable version: Asterisk 14.4.0 with chan_skinny enabled
• References: AST-2017-004
• Enable Security Advisory: https://www.enablesecurity.com/advisories/ES2017-03-asterisk-chan-skinny-crash/
• Vendor Advisory: http://downloads.asterisk.org/pub/security/AST-2017-004.html
• Timeline:
  • Report date: 2017-04-13
  • Digium confirmed issue: 2017-04-13
  • Digium patch and advisory: 2017-05-19
  • Enable Security advisory: 2017-05-23

Description

Sending one malformed Skinny message to port 2000 will exhaust Asterisk’s memory resulting in a crash.

Impact

Abuse of this issue allows attackers to crash Asterisk when Skinny is exposed to attackers.

How to reproduce the issue

Start Asterisk and make sure the chan_skinny module is loaded. Then execute:

Asterisk PJSIP: out-of-bound memory access in multipart parser

• Authors:
  • Alfred Farrugia alfred@enablesecurity.com
  • Sandro Gauci sandro@enablesecurity.com
• Vulnerable version: Asterisk 14.4.0 running chan_pjsip, PJSIP 2.6
• References: AST-2017-003
• Enable Security Advisory: https://www.enablesecurity.com/advisories/ES2017-02-asterisk-pjsip-multi-part-crash/
• Vendor Advisory: http://downloads.asterisk.org/pub/security/AST-2017-003.html
• Timeline:
  • Report date: 2017-04-13
  • Digium confirmed issue: 2017-04-13
  • Digium patch and advisory: 2017-05-19
  • PJSIP added patch by Digium: 2017-05-21
  • Enable Security advisory: 2017-05-23

Description

A specially crafted SIP message with a malformed multipart body was found to cause a segmentation fault.

Impact

Abuse of this vulnerability leads to denial of service (DoS), and potentially remote code execution (RCE), in Asterisk when chan_pjsip is in use. This vulnerability is likely to affect other code that makes use of PJSIP.