[asterisk-dev] Asterisk 11.25.2, 13.17.1, 14.6.1, 11.6-cert17, 13.13-cert5 Now Available (Security Release)
Asterisk Development Team
asteriskteam at digium.com
Thu Aug 31 14:25:25 CDT 2017
The Asterisk Development Team has announced security releases for Asterisk
11, 13, and 14, and for Certified Asterisk 11.6 and 13.13. The
available security
release versions are 11.25.2, 13.17.1, 14.6.1, 11.6-cert17, and 13.13-cert5.
These releases are available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases
http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/
The release of these versions resolves the following security
vulnerabilities:
* AST-2017-005 (applied to all released versions): The "strictrtp" option
in rtp.conf enables a feature of the RTP stack that learns the source
address of media for a session and drops any packets that do not originate
from the expected address. This option is enabled by default in Asterisk 11
and above.
The "nat" and "rtp_symmetric" options for chan_sip and chan_pjsip
respectively enable symmetric RTP support in the RTP stack. This uses the
source address of incoming media as the target address of any sent media.
This option is not enabled by default but is commonly enabled to handle devices
behind NAT.
A change was made to the strict RTP support in the RTP stack to better
tolerate late media when a reinvite occurs. When combined with the
symmetric RTP support this introduced an avenue where media could be
hijacked. Instead of only learning a new address when expected the new
code allowed
a new source address to be learned at all times.
If a flood of RTP traffic was received the strict RTPsupport would allow
the new address to provide media and with symmetric RTP enabled outgoing
traffic would be sent to this new address, allowing the media to be
hijacked. Provided the attacker continued to send traffic they would continue
to receive traffic as well.
* AST-2017-006 (applied to all released versions): The app_minivm module
has an “externnotify” program configuration option that is executed by the
MinivmNotify dialplan application. The application uses the caller-id name
and number as part of a built string passed to the OS shell for
interpretation and execution. Since the caller-id name and number can come
from an untrusted source, a crafted caller-id name or number allows an
arbitrary shell command injection.
* AST-2017-007 (applied only to 13.17.1 and 14.6.1): A carefully crafted
URI in a From, To or Contact header could cause Asterisk to crash.
For a full list of changes in the current releases, please see the
ChangeLogs:
http://downloads.asterisk.org/pub/telephony/asterisk/
releases/ChangeLog-11.25.2
<http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-12.25.2>
http://downloads.asterisk.org/pub/telephony/asterisk/
releases/ChangeLog-13.17.1
http://downloads.asterisk.org/pub/telephony/asterisk/
releases/ChangeLog-14.6.1
http://downloads.asterisk.org/pub/telephony/certified-
asterisk/releases/ChangeLog-11.6-cert17
http://downloads.asterisk.org/pub/telephony/certified-
asterisk/releases/ChangeLog-13.13-cert5
The security advisories are available at:
* http://downloads.asterisk.org/pub/security/AST-2017-005.pdf
* http://downloads.asterisk.org/pub/security/AST-2017-006.pdf
* http://downloads.asterisk.org/pub/security/AST-2017-007.pdf
Thank you for your continued support of Asterisk!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-dev/attachments/20170831/967deb92/attachment.html>
More information about the asterisk-dev
mailing list