main/http.c in Asterisk Open Source 1.8.x before 1.8.26.1, 11.8.x before 11.8.1, and 12.1.x before 12.1.1, and Certified Asterisk 1.8.x before 1.8.15-cert5 and 11.6 before 11.6-cert2, allows remote attackers to cause a denial of service (stack consumption) and possibly execute arbitrary code via an HTTP request with a large number of Cookie headers.

CVE-2014-6610 Asterisk Open Source 11.x before 11.12.1 and 12.x before 12.5.1 and Certified Asterisk 11.6 before 11.6-cert6, when using the res_fax_spandsp module, allows remote authenticated users to cause a denial of service (crash) via an out of call message, which is not properly handled in the ReceiveFax dialplan application.

CVE-2014-4046 Asterisk Open Source 11.x before 11.10.1 and 12.x before 12.3.1 and Certified Asterisk 11.6 before 11.6-cert3 allows remote authenticated Manager users to execute arbitrary shell commands via a MixMonitor action.

CVE-2014-2286 main/http.c in Asterisk Open Source 1.8.x before 1.8.26.1, 11.8.x before 11.8.1, and 12.1.x before 12.1.1, and Certified Asterisk 1.8.x before 1.8.15-cert5 and 11.6 before 11.6-cert2, allows remote attackers to cause a denial of service (stack consumption) and possibly execute arbitrary code via an HTTP request with a large number of Cookie headers.

CVE-2014-8412 The (1) VoIP channel drivers, (2) DUNDi, and (3) Asterisk Manager Interface (AMI) in Asterisk Open Source 1.8.x before 1.8.32.1, 11.x before 11.14.1, 12.x before 12.7.1, and 13.x before 13.0.1 and Certified Asterisk 1.8.28 before 1.8.28-cert3 and 11.6 before 11.6-cert8 allows remote attackers to bypass the ACL restrictions via a packet with a source IP that does not share the address family as the first ACL entry.

CVE-2014-8418 The DB dialplan function in Asterisk Open Source 1.8.x before 1.8.32, 11.x before 11.1.4.1, 12.x before 12.7.1, and 13.x before 13.0.1 and Certified Asterisk 1.8 before 1.8.28-cert8 and 11.6 before 11.6-cert8 allows remote authenticated users to gain privileges via a call from an external protocol, as demonstrated by the AMI protocol.

CVE-2015-3008 Asterisk Open Source 1.8 before 1.8.32.3, 11.x before 11.17.1, 12.x before 12.8.2, and 13.x before 13.3.2 and Certified Asterisk 1.8.28 before 1.8.28-cert5, 11.6 before 11.6-cert11, and 13.1 before 13.1-cert2, when registering a SIP TLS device, does not properly handle a null byte in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201405-05 (Asterisk: Denial of Service)

    Multiple vulnerabilities have been discovered in Asterisk. Please review       the CVE identifiers and Asterisk Project Security Advisories referenced       below for details.
  Impact :

    A remote attacker could possibly cause a Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

Multiple vulnerabilities has been discovered and corrected in asterisk :

Sending a HTTP request that is handled by Asterisk with a large number of Cookie headers could overflow the stack. You could even exhaust memory if you sent an unlimited number of headers in the request (CVE-2014-2286).

An attacker can use all available file descriptors using SIP INVITE requests. Asterisk will respond with code 400, 420, or 422 for INVITEs meeting this criteria. Each INVITE meeting these conditions will leak a channel and several file descriptors. The file descriptors cannot be released without restarting Asterisk which may allow intrusion detection systems to be bypassed by sending the requests slowly (CVE-2014-2287).

The updated packages has been upgraded to the 11.8.1 version which is not vulnerable to these issues.

The Asterisk Development Team has announced security releases for Certified Asterisk 1.8.15, 11.6, and Asterisk 1.8, 11, and 12. The available security releases are released as versions 1.8.15-cert5, 11.6-cert2, 1.8.26.1, 11.8.1, and 12.1.1.

These releases are available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk/releases

The release of these versions resolve the following issues :

  - AST-2014-001: Stack overflow in HTTP processing of     Cookie headers.

    Sending a HTTP request that is handled by Asterisk with     a large number of Cookie headers could overflow the     stack.

    Another vulnerability along similar lines is any HTTP     request with a ridiculous number of headers in the     request could exhaust system memory.

  - AST-2014-002: chan_sip: Exit early on bad session timers     request

    This change allows chan_sip to avoid creation of the     channel and consumption of associated file descriptors     altogether if the inbound request is going to be     rejected anyway.

Additionally, the release of 12.1.1 resolves the following issue :

  - AST-2014-003: res_pjsip: When handling 401/407 responses     don't assume a request will have an endpoint.

    This change removes the assumption that an outgoing     request will always have an endpoint and makes the     authenticate_qualify option work once again.

Finally, a security advisory, AST-2014-004, was released for a vulnerability fixed in Asterisk 12.1.0. Users of Asterisk 12.0.0 are encouraged to upgrade to 12.1.1 to resolve both vulnerabilities.

These issues and their resolutions are described in the security advisories.

For more information about the details of these vulnerabilities, please read security advisories AST-2014-001, AST-2014-002, AST-2014-003, and AST-2014-004, which were released at the same time as this announcement.

For a full list of changes in the current releases, please see the ChangeLogs :

http://downloads.asterisk.org/pub/telephony/certified-asterisk/release s/ChangeLog-1.8.15-cert5 http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLo g-1.8.26.1 http://downloads.asterisk.org/pub/telephony/certified-asterisk/release s/ChangeLog-11.6-cert2 http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLo g-11.8.1 http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLo g-12.1.1

The security advisories are available at :

  -     http://downloads.asterisk.org/pub/security/AST-2014-001.
    pdf

    -       http://downloads.asterisk.org/pub/security/AST-2014-00       2.pdf

    -       http://downloads.asterisk.org/pub/security/AST-2014-00       3.pdf

    -       http://downloads.asterisk.org/pub/security/AST-2014-00       4.pdf The Asterisk Development Team has announced the       release of Asterisk 11.8.0. This release is available       for immediate download at       http://downloads.asterisk.org/pub/telephony/asterisk

The release of Asterisk 11.8.0 resolves several issues reported by the community and would have not been possible without your participation.
Thank you!

The following are the issues resolved in this release :

Bugs fixed in this release :

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the version in its SIP banner, the version of Asterisk running on the remote host is potentially affected by a denial of service vulnerability. 

A stack overflow flaw exists when an HTTP request with a large number of cookie headers isn't properly validated.  A remote attacker could potentially cause a denial of service if a request has an unlimited number of cookie headers in the request. 

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The Asterisk project reports :

Stack Overflow in HTTP Processing of Cookie Headers. Sending a HTTP request that is handled by Asterisk with a large number of Cookie headers could overflow the stack. You could even exhaust memory if you sent an unlimited number of headers in the request.

Denial of Service Through File Descriptor Exhaustion with chan_sip Session-Timers. An attacker can use all available file descriptors using SIP INVITE requests. Asterisk will respond with code 400, 420, or 422 for INVITEs meeting this criteria. Each INVITE meeting these conditions will leak a channel and several file descriptors. The file descriptors cannot be released without restarting Asterisk which may allow intrusion detection systems to be bypassed by sending the requests slowly.

Remote Crash Vulnerability in PJSIP channel driver. A remotely exploitable crash vulnerability exists in the PJSIP channel driver if the 'qualify_frequency' configuration option is enabled on an AOR and the remote SIP server challenges for authentication of the resulting OPTIONS request. The response handling code wrongly assumes that a PJSIP endpoint will always be associated with an outgoing request which is incorrect.

ID	Name	Product	Family	Severity
90873	Debian DLA-455-1 : asterisk security update	Nessus	Debian Local Security Checks	high
73861	GLSA-201405-05 : Asterisk: Denial of Service	Nessus	Gentoo Local Security Checks	high
73582	Mandriva Linux Security Advisory : asterisk (MDVSA-2014:078)	Nessus	Mandriva Local Security Checks	high
73142	Fedora 19 : asterisk-11.8.1-1.fc19 (2014-3779)	Nessus	Fedora Local Security Checks	high
73141	Fedora 20 : asterisk-11.8.1-1.fc20 (2014-3762)	Nessus	Fedora Local Security Checks	high
73019	Asterisk main/http.c DoS (AST-2014-001)	Nessus	Misc.	high
72953	FreeBSD : asterisk -- multiple vulnerabilities (03159886-a8a3-11e3-8f36-0025905a4771)	Nessus	FreeBSD Local Security Checks	high

Detections

Analytics

CVE-2014-2286

critical

Tenable Plugins

high

high

high

high

high

high

high