[asterisk-dev] AST-2014-002: Denial of Service Through File Descriptor Exhaustion with chan_sip Session-Timers

Asterisk Security Team security at asterisk.org
Mon Mar 10 16:06:52 CDT 2014


               Asterisk Project Security Advisory - AST-2014-002

         Product        Asterisk                                              
         Summary        Denial of Service Through File Descriptor Exhaustion  
                        with chan_sip Session-Timers                          
    Nature of Advisory  Denial of Service                                     
      Susceptibility    Remote Authenticated or Anonymous Sessions            
         Severity       Moderate                                              
      Exploits Known    No                                                    
       Reported On      2014/02/25                                            
       Reported By      Corey Farrell                                         
        Posted On       March 10, 2014                                        
     Last Updated On    March 10, 2014                                        
     Advisory Contact   Kinsey Moore <kmoore AT digium DOT com>               
         CVE Name       CVE-2014-2287                                         

    Description  An attacker can use all available file descriptors using     
                 SIP INVITE requests.                                         
                                                                              
                 Knowledge required to achieve the attack:                    
                                                                              
                 * Valid account credentials or anonymous dial in             
                                                                              
                 * A valid extension that can be dialed from the SIP account  
                                                                              
                 Trigger conditions:                                          
                                                                              
                 * chan_sip configured with "session-timers" set to           
                 "originate" or "accept"                                      
                                                                              
                 ** The INVITE request must contain either a Session-Expires  
                 or a Min-SE header with malformed values or values           
                 disallowed by the system's configuration.                    
                                                                              
                 * chan_sip configured with "session-timers" set to "refuse"  
                                                                              
                 ** The INVITE request must offer "timer" in the "Supported"  
                 header                                                       
                                                                              
                 Asterisk will respond with code 400, 420, or 422 for         
                 INVITEs meeting this criteria. Each INVITE meeting these     
                 conditions will leak a channel and several file              
                 descriptors. The file descriptors cannot be released         
                 without restarting Asterisk which may allow intrusion        
                 detection systems to be bypassed by sending the requests     
                 slowly.                                                      

    Resolution  Upgrade to a version with the patch integrated or apply the   
                appropriate patch.                                            

                               Affected Versions
                 Product               Release Series  
          Asterisk Open Source             1.8.x       All                    
          Asterisk Open Source              11.x       All                    
          Asterisk Open Source              12.x       All                    
           Certified Asterisk              1.8.15      All                    
           Certified Asterisk               11.6       All                    

                                  Corrected In  
                     Product                              Release             
            Asterisk Open Source 1.8.x                    1.8.26.1            
            Asterisk Open Source 11.x                      11.8.1             
            Asterisk Open Source 12.x                      12.1.1             
            Certified Asterisk 1.8.15                   1.8.15-cert5          
             Certified Asterisk 11.6                     11.6-cert2           

                                      Patches                          
                                 SVN URL                               Revision  
   http://downloads.asterisk.org/pub/security/AST-2014-002-1.8.diff    Asterisk  
                                                                       1.8       
   http://downloads.asterisk.org/pub/security/AST-2014-002-11.diff     Asterisk  
                                                                       11        
   http://downloads.asterisk.org/pub/security/AST-2014-002-12.diff     Asterisk  
                                                                       12        
   http://downloads.asterisk.org/pub/security/AST-2014-002-11.6.diff   Asterisk  
                                                                       11.6      
                                                                       Certified 
   http://downloads.asterisk.org/pub/security/AST-2014-002-1.8.15.diff Asterisk  
                                                                       1.8.15    
                                                                       Certified 

       Links     https://issues.asterisk.org/jira/browse/ASTERISK-23373       

    Asterisk Project Security Advisories are posted at                        
    http://www.asterisk.org/security                                          
                                                                              
    This document may be superseded by later versions; if so, the latest      
    version will be posted at                                                 
    http://downloads.digium.com/pub/security/AST-2014-002.pdf and             
    http://downloads.digium.com/pub/security/AST-2014-002.html                

                                Revision History
        Date           Editor                    Revisions Made               
    2014/03/04     Kinsey Moore     Document Creation                         
    2014/03/06     Kinsey Moore     Corrections and Wording Clarification     
    2014/03/10     Kinsey Moore     Added missing patch links                 

               Asterisk Project Security Advisory - AST-2014-002
              Copyright (c) 2014 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.




More information about the asterisk-dev mailing list