Tags › Pjsip

Asterisk PJSIP: stack corruption via large Accept header in SUBSCRIBE

• Authors:
  • Alfred Farrugia alfred@enablesecurity.com
  • Sandro Gauci sandro@enablesecurity.com
• Latest vulnerable version: Asterisk 15.2.0 running chan_pjsip
• Tested vulnerable versions: 15.2.0, 13.19.0, 14.7.5, 13.11.2
• References: AST-2018-004, CVE-2018-7284
• Advisory URL: https://www.enablesecurity.com/advisories/ES2018-01-asterisk-pjsip-subscribe-stack-corruption/
• Vendor Advisory: http://downloads.asterisk.org/pub/security/AST-2018-004.html
• Timeline:
  • Issue reported to vendor: 2018-01-30
  • Vendor patch made available to us: 2018-02-06
  • Vendor advisory published: 2018-02-21
  • Enable Security advisory: 2018-02-22

Description

A large SUBSCRIBE message with multiple malformed Accept headers will crash Asterisk due to stack corruption.

Impact

Abuse of this vulnerability leads to denial of service in Asterisk when chan_pjsip is in use. Brief analysis indicates that this is an exploitable vulnerability that may lead to remote code execution.

Asterisk PJSIP: crash via repeated INVITE messages over TCP/TLS

• Authors:
  • Alfred Farrugia alfred@enablesecurity.com
  • Sandro Gauci sandro@enablesecurity.com
• Latest vulnerable version: Asterisk 15.2.0 running chan_pjsip installed with --with-pjproject-bundled
• References: AST-2018-005, CVE-2018-7286
• Enable Security Advisory: https://www.enablesecurity.com/advisories/ES2018-04-asterisk-pjsip-tcp-segfault/
• Vendor Advisory: http://downloads.asterisk.org/pub/security/AST-2018-005.html
• Tested vulnerable versions: 15.2.0, 15.1.0, 15.0.0, 13.19.0, 13.11.2, 14.7.5
• Timeline:
  • Issue reported to vendor: 2018-01-24
  • Vendor patch made available to us: 2018-02-05
  • Vendor advisory published: 2018-02-21
  • Enable Security advisory: 2018-02-22

Description

A crash occurs when a number of INVITE messages are sent over TCP or TLS and then the connection is suddenly closed. This issue leads to a segmentation fault.

Asterisk PJSIP: crash via invalid SDP media format description

• Authors:
  • Alfred Farrugia alfred@enablesecurity.com
  • Sandro Gauci sandro@enablesecurity.com
• Latest vulnerable version: Asterisk 15.2.0 running chan_pjsip
• References: AST-2018-002, CVE-2018-1000098
• Enable Security Advisory: https://www.enablesecurity.com/advisories/ES2018-03-asterisk-pjsip-sdp-invalid-media-format-description-segfault/
• Vendor Advisory: http://downloads.asterisk.org/pub/security/AST-2018-002.html
• Tested vulnerable versions: 13.10.0, 15.1.3, 15.1.4, 15.1.5, 15.2.0
• Timeline:
  • Report date: 2018-01-15
  • Vendor patch made available to us: 2018-02-05
  • Vendor advisory published: 2018-02-21
  • Enable Security advisory: 2018-02-22

Description

A specially crafted SDP message body with an invalid media format description causes a segmentation fault in asterisk using chan_pjsip.

Impact

Abuse of this vulnerability leads to denial of service in Asterisk when chan_pjsip is in use.

Asterisk PJSIP: crash via invalid SDP fmtp attribute

• Authors:
  • Alfred Farrugia alfred@enablesecurity.com
  • Sandro Gauci sandro@enablesecurity.com
• Latest vulnerable version: Asterisk 15.2.0 running chan_pjsip
• References: AST-2018-003, CVE-2018-1000099
• Enable Security Advisory: https://www.enablesecurity.com/advisories/ES2018-02-asterisk-pjsip-sdp-invalid-fmtp-segfault/
• Vendor Advisory: http://downloads.asterisk.org/pub/security/AST-2018-003.html
• Timeline:
  • Issue reported to vendor: 2018-01-15
  • Vendor patch made available to us: 2018-02-05
  • Vendor advisory published: 2018-02-21
  • Enable Security advisory: 2018-02-22

Description

A specially crafted SDP message body with an invalid fmtp attribute causes a segmentation fault in asterisk using chan_pjsip.

Impact

Abuse of this vulnerability leads to denial of service in Asterisk when chan_pjsip is in use.

Asterisk PJSIP: out-of-bound memory access in multipart parser

• Authors:
  • Alfred Farrugia alfred@enablesecurity.com
  • Sandro Gauci sandro@enablesecurity.com
• Vulnerable version: Asterisk 14.4.0 running chan_pjsip, PJSIP 2.6
• References: AST-2017-003
• Enable Security Advisory: https://www.enablesecurity.com/advisories/ES2017-02-asterisk-pjsip-multi-part-crash/
• Vendor Advisory: http://downloads.asterisk.org/pub/security/AST-2017-003.html
• Timeline:
  • Report date: 2017-04-13
  • Digium confirmed issue: 2017-04-13
  • Digium patch and advisory: 2017-05-19
  • PJSIP added patch by Digium: 2017-05-21
  • Enable Security advisory: 2017-05-23

Description

A specially crafted SIP message with a malformed multipart body was found to cause a segmentation fault.

Impact

Abuse of this vulnerability leads to denial of service (DoS), and potentially remote code execution (RCE), in Asterisk when chan_pjsip is in use. This vulnerability is likely to affect other code that makes use of PJSIP.

Asterisk PJSIP: heap overflow in CSeq header parsing

• Authors:
  • Alfred Farrugia alfred@enablesecurity.com
  • Sandro Gauci sandro@enablesecurity.com
• Vulnerable version: Asterisk 14.4.0 running chan_pjsip, PJSIP 2.6
• References: AST-2017-002, CVE-2017-9372
• Enable Security Advisory: https://www.enablesecurity.com/advisories/ES2017-01-asterisk-pjsip-cseq-overflow/
• Vendor Advisory: http://downloads.asterisk.org/pub/security/AST-2017-002.html
• Timeline:
  • Report date: 2017-04-12
  • Digium confirmed issue: 2017-04-12
  • Digium patch and advisory: 2017-05-19
  • PJSIP added patch by Digium: 2017-05-21
  • Enable Security advisory: 2017-05-23

Description

A specially crafted SIP message with a long CSEQ value will cause a heap overflow in PJSIP.

Impact

Abuse of this vulnerability leads to denial of service in Asterisk when chan_pjsip is in use. This vulnerability is likely to be abused for remote code execution and may affect other code that makes use of PJSIP.