Asterisk Open Source 1.8.x before 1.8.19.1, 10.x before 10.11.1, and 11.x before 11.1.2; Certified Asterisk 1.8.11 before 1.8.11-cert10; and Asterisk Digiumphones 10.x-digiumphones before 10.11.1-digiumphones, when anonymous calls are enabled, allow remote attackers to cause a denial of service (resource consumption) by making anonymous calls from multiple sources and consequently adding many entries to the device state cache.

The remote host is affected by the vulnerability described in GLSA-201401-15 (Asterisk: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Asterisk. Please review       the CVE identifiers referenced below for details.
  Impact :

    A remote attacker could execute arbitrary code with the privileges of       the process, cause a Denial of Service condition, or obtain sensitive       information.
  Workaround :

    There is no known workaround at this time.

According to the version in its SIP banner, the version of Asterisk running on the remote host is potentially affected by the following vulnerabilities :

  - A stack-based buffer overflow error exists related to SIP, HTTP and XMPP handling over TCP. Note that in the case of 'Certified Asterisk', SIP is not affected. Further note that in the case of XMPP, an attacker must establish an authenticated session first. (CVE-2012-5976)

  - An error exists related to device state cache and anonymous calls that could allow system resources to be exhausted. Note this vulnerability only affects systems configured to allow anonymous calls. (CVE-2012-5977)

According to the version in its SIP banner, the version of Asterisk running on the remote host is potentially affected by the following vulnerabilities :

 - A stack-based buffer overflow error exists related to    SIP, HTTP and XMPP handling over TCP. Note that in the    case of 'Certified Asterisk', SIP is not affected.
   Further note that in the case of XMPP, an attacker must    establish an authenticated session first. (CVE-2012-5976)

 - An error exists related to device state cache and    anonymous calls that could allow system resources to be    exhausted. Note this vulnerability only affects systems    configured to allow anonymous calls. (CVE-2012-5977)

The Asterisk Development Team has announced the release of Asterisk 11.2.0. This release is available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk

The release of Asterisk 11.2.0 resolves several issues reported by the community and would have not been possible without your participation.
Thank you!

The following is a sample of the issues resolved in this release :

  - --- app_meetme: Fix channels lingering when hung up     under certain conditions (Closes issue ASTERISK-20486.
    Reported by Michael Cargile)

  - --- Fix stuck DTMF when bridge is broken. (Closes issue     ASTERISK-20492. Reported by Jeremiah Gowdy)

  - --- Add missing support for 'who hung up' to chan_motif.
    (Closes issue ASTERISK-20671. Reported by Matt Jordan)

  - --- Remove a fixed size limitation for producing SDP and     change how ICE support is disabled by default. (Closes     issue ASTERISK-20643. Reported by coopvr)

  - --- Fix chan_sip websocket payload handling (Closes     issue ASTERISK-20745. Reported by Inaki Baz Castillo)

  - --- Fix pjproject compilation in certain circumstances     (Closes issue ASTERISK-20681. Reported by Dinesh     Ramjuttun)

For a full list of changes in this release, please see the ChangeLog :

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.2.0 The Asterisk Development Team has announced a security release for Asterisk 11, Asterisk 11.1.2. This release addresses the security vulnerabilities reported in AST-2012-014 and AST-2012-015, and replaces the previous version of Asterisk 11 released for these security vulnerabilities. The prior release left open a vulnerability in res_xmpp that exists only in Asterisk 11; as such, other versions of Asterisk were resolved correctly by the previous releases.

This release is available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk/releases

The release of these versions resolve the following two issues :

  - Stack overflows that occur in some portions of Asterisk     that manage a TCP connection. In SIP, this is     exploitable via a remote unauthenticated session; in     XMPP and HTTP connections, this is exploitable via     remote authenticated sessions. The vulnerabilities in     SIP and HTTP were corrected in a prior release of     Asterisk; the vulnerability in XMPP is resolved in this     release.

  - A denial of service vulnerability through exploitation     of the device state cache. Anonymous calls had the     capability to create devices in Asterisk that would     never be disposed of. Handling the cachability of device     states aggregated via XMPP is handled in this release.

These issues and their resolutions are described in the security advisories.

For more information about the details of these vulnerabilities, please read security advisories AST-2012-014 and AST-2012-015.

For a full list of changes in the current release, please see the ChangeLog :

http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLo g-11.1.2

The security advisories are available at :

  -     http://downloads.asterisk.org/pub/security/AST-2012-014.
    pdf

    -       http://downloads.asterisk.org/pub/security/AST-2012-01       5.pdf

Thank you for your continued support of Asterisk - and we apologize for having to do this twice!

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The Asterisk Development Team has announced the release of Asterisk 10.12.0. This release is available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk

The release of Asterisk 10.12.0 resolves several issues reported by the community and would have not been possible without your participation. Thank you!

The following is a sample of the issues resolved in this release :

  - --- app_meetme: Fix channels lingering when hung up     under certain conditions (Closes issue ASTERISK-20486.
    Reported by Michael Cargile)

  - --- Fix stuck DTMF when bridge is broken. (Closes issue     ASTERISK-20492. Reported by Jeremiah Gowdy)

  - --- Improve Code Readability And Fix Setting natdetected     Flag (Closes issue ASTERISK-20724. Reported by Michael     L. Young)

  - --- Fix extension matching with the '-' char. (Closes     issue ASTERISK-19205. Reported by Philippe Lindheimer,     Birger 'WIMPy' Harzenetter)

  - --- Fix call files when astspooldir is relative. (Closes     issue ASTERISK-20593. Reported by James Le Cuirot)

For a full list of changes in this release, please see the ChangeLog :

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-10.12.0

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The Asterisk Development Team has announced the release of Asterisk 1.8.20.0. This release is available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk

The release of Asterisk 1.8.20.0 resolves several issues reported by the community and would have not been possible without your participation. Thank you!

The following is a sample of the issues resolved in this release :

  - --- app_meetme: Fix channels lingering when hung up     under certain conditions (Closes issue ASTERISK-20486.
    Reported by Michael Cargile)

  - --- Fix stuck DTMF when bridge is broken. (Closes issue     ASTERISK-20492. Reported by Jeremiah Gowdy)

  - --- Improve Code Readability And Fix Setting natdetected     Flag (Closes issue ASTERISK-20724. Reported by Michael     L. Young)

  - --- Fix extension matching with the '-' char. (Closes     issue ASTERISK-19205. Reported by Philippe Lindheimer,     Birger 'WIMPy' Harzenetter)

  - --- Fix call files when astspooldir is relative. (Closes     issue ASTERISK-20593. Reported by James Le Cuirot)

For a full list of changes in this release, please see the ChangeLog :

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.20.
0

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities were discovered in Asterisk, a PBX and telephony toolkit, that allow remote attackers to perform denial of service attacks.

Asterisk project reports :

Crashes due to large stack allocations when using TCP

Denial of Service Through Exploitation of Device State Caching

ID	Name	Product	Family	Severity
72054	GLSA-201401-15 : Asterisk: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
6690	Asterisk Peer Multiple Vulnerabilities (AST-2012-014 / AST-2012-015)	Nessus Network Monitor	Generic	high
64717	Asterisk Multiple Vulnerabilities (AST-2012-014 / AST-2012-015)	Nessus	Misc.	medium
64372	Fedora 18 : asterisk-11.2.0-1.fc18 (2013-1003)	Nessus	Fedora Local Security Checks	medium
64370	Fedora 17 : asterisk-10.12.0-1.fc17 (2013-0994)	Nessus	Fedora Local Security Checks	medium
64369	Fedora 16 : asterisk-1.8.20.0-1.fc16 (2013-0992)	Nessus	Fedora Local Security Checks	medium
63511	Debian DSA-2605-2 : asterisk - several issues	Nessus	Debian Local Security Checks	medium
63379	FreeBSD : asterisk -- multiple vulnerabilities (f7c87a8a-55d5-11e2-a255-c8600054b392)	Nessus	FreeBSD Local Security Checks	medium

Detections

Analytics

CVE-2012-5977

high

Tenable Plugins

high

high

medium

medium

medium

medium

medium

medium