[asterisk-users] AST-2014-005: Remote Crash in PJSIP Channel Driver's Publish/Subscribe Framework

Asterisk Security Team security at asterisk.org
Thu Jun 12 15:43:43 CDT 2014

               Asterisk Project Security Advisory - AST-2014-005

         Product        Asterisk                                              
         Summary        Remote Crash in PJSIP Channel Driver's                
                        Publish/Subscribe Framework                           
    Nature of Advisory  Denial of Service                                     
      Susceptibility    Remote Unauthenticated Sessions                       
         Severity       Moderate                                              
      Exploits Known    No                                                    
       Reported On      March 17, 2014                                        
       Reported By      John Bigelow <jbigelow AT digium DOT com>             
        Posted On       June 12, 2014                                         
     Last Updated On    June 12, 2014                                         
     Advisory Contact   Kevin Harwell <kharwell AT digium DOT com>            
         CVE Name       CVE-2014-4045                                         

    Description  A remotely exploitable crash vulnerability exists in the     
                 PJSIP channel driver's pub/sub framework. If an attempt is   
                 made to unsubscribe when not currently subscribed and the    
                 endpoint's "sub_min_expiry" is set to zero, Asterisk tries   
                 to create an expiration timer with zero seconds, which is    
                 not allowed, so an assertion raised.                         

    Resolution  Upgrade to a version with the patch integrated, apply the     
                patch, or make sure the "sub_min_expiry" endpoint             
                configuration option is greater than zero.                    

                               Affected Versions
                 Product               Release Series  
          Asterisk Open Source              12.x       All                    

                                  Corrected In    
                      Product                              Release            
             Asterisk Open Source 12.x                      12.3.1            

                               SVN URL                              Revision  
   http://downloads.asterisk.org/pub/security/AST-2014-005-12.diff Asterisk   

       Links     https://issues.asterisk.org/jira/browse/ASTERISK-23489       

    Asterisk Project Security Advisories are posted at                        
    This document may be superseded by later versions; if so, the latest      
    version will be posted at                                                 
    http://downloads.digium.com/pub/security/AST-2014-005.pdf and             

                                Revision History
          Date                  Editor                 Revisions Made         
    April 14, 2014     Kevin Harwell             Document Creation            
    June 12, 2014      Matt Jordan               Added CVE                    

               Asterisk Project Security Advisory - AST-2014-005
              Copyright (c) 2014 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

More information about the asterisk-users mailing list