[asterisk-security] AST-2015-001: File descriptor leak when incompatible codecs are offered

Asterisk Security Team security at asterisk.org
Wed Jan 28 17:29:17 CST 2015


               Asterisk Project Security Advisory - AST-2015-001

         Product        Asterisk                                              
         Summary        File descriptor leak when incompatible codecs are     
                        offered                                               
    Nature of Advisory  Resource exhaustion                                   
      Susceptibility    Remote Authenticated Sessions                         
         Severity       Major                                                 
      Exploits Known    No                                                    
       Reported On      6 January, 2015                                       
       Reported By      Y Ateya                                               
        Posted On       9 January, 2015                                       
     Last Updated On    January 28, 2015                                      
     Advisory Contact   Mark Michelson <mmichelson AT digium DOT com>         
         CVE Name       Pending                                               

    Description  Asterisk may be configured to only allow specific audio or   
                 video codecs to be used when communicating with a            
                 particular endpoint. When an endpoint sends an SDP offer     
                 that only lists codecs not allowed by Asterisk, the offer    
                 is rejected. However, in this case, RTP ports that are       
                 allocated in the process are not reclaimed.                  
                                                                              
                 This issue only affects the PJSIP channel driver in          
                 Asterisk. Users of the chan_sip channel driver are not       
                 affected.                                                    
                                                                              
                 As the resources are allocated after authentication, this    
                 issue only affects communications with authenticated         
                 endpoints.                                                   

    Resolution  The reported leak has been patched.                           

                               Affected Versions       
                         Product                       Release  
                                                       Series   
                  Asterisk Open Source                  1.8.x   Unaffected    
                  Asterisk Open Source                  11.x    Unaffected    
                  Asterisk Open Source                  12.x    All versions  
                  Asterisk Open Source                  13.x    All versions  
                   Certified Asterisk                  1.8.28   Unaffected    
                   Certified Asterisk                   11.6    Unaffected    

                                  Corrected In                
                            Product                              Release      
                      Asterisk Open Source                    12.8.1, 13.1.1  

                                    Patches                          
                                SVN URL                              Revision 
   http://downloads.asterisk.org/pub/security/AST-2015-001-12.diff   Asterisk 
                                                                     12       
   http://downloads.asterisk.org/pub/security/AST-2015-001-13.diff   Asterisk 
                                                                     13       

    Links  https://issues.asterisk.org/jira/browse/ASTERISK-24666             

    Asterisk Project Security Advisories are posted at                        
    http://www.asterisk.org/security                                          
                                                                              
    This document may be superseded by later versions; if so, the latest      
    version will be posted at                                                 
    http://downloads.digium.com/pub/security/AST-2015-001.pdf and             
    http://downloads.digium.com/pub/security/AST-2015-001.html                

                                Revision History
         Date            Editor                  Revisions Made               
    9 January, 2015  Mark Michelson  Initial creation                         

               Asterisk Project Security Advisory - AST-2015-001
              Copyright (c) 2015 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.




More information about the asterisk-security mailing list