The PJSIP channel driver in Asterisk Open Source 12.x before 12.1.1, when qualify_frequency "is enabled on an AOR and the remote SIP server challenges for authentication of the resulting OPTIONS request," allows remote attackers to cause a denial of service (crash) via a PJSIP endpoint that does not have an associated outgoing request.

The remote host is affected by the vulnerability described in GLSA-201405-05 (Asterisk: Denial of Service)

    Multiple vulnerabilities have been discovered in Asterisk. Please review       the CVE identifiers and Asterisk Project Security Advisories referenced       below for details.
  Impact :

    A remote attacker could possibly cause a Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

The Asterisk Development Team has announced security releases for Certified Asterisk 1.8.15, 11.6, and Asterisk 1.8, 11, and 12. The available security releases are released as versions 1.8.15-cert5, 11.6-cert2, 1.8.26.1, 11.8.1, and 12.1.1.

These releases are available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk/releases

The release of these versions resolve the following issues :

  - AST-2014-001: Stack overflow in HTTP processing of     Cookie headers.

    Sending a HTTP request that is handled by Asterisk with     a large number of Cookie headers could overflow the     stack.

    Another vulnerability along similar lines is any HTTP     request with a ridiculous number of headers in the     request could exhaust system memory.

  - AST-2014-002: chan_sip: Exit early on bad session timers     request

    This change allows chan_sip to avoid creation of the     channel and consumption of associated file descriptors     altogether if the inbound request is going to be     rejected anyway.

Additionally, the release of 12.1.1 resolves the following issue :

  - AST-2014-003: res_pjsip: When handling 401/407 responses     don't assume a request will have an endpoint.

    This change removes the assumption that an outgoing     request will always have an endpoint and makes the     authenticate_qualify option work once again.

Finally, a security advisory, AST-2014-004, was released for a vulnerability fixed in Asterisk 12.1.0. Users of Asterisk 12.0.0 are encouraged to upgrade to 12.1.1 to resolve both vulnerabilities.

These issues and their resolutions are described in the security advisories.

For more information about the details of these vulnerabilities, please read security advisories AST-2014-001, AST-2014-002, AST-2014-003, and AST-2014-004, which were released at the same time as this announcement.

For a full list of changes in the current releases, please see the ChangeLogs :

http://downloads.asterisk.org/pub/telephony/certified-asterisk/release s/ChangeLog-1.8.15-cert5 http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLo g-1.8.26.1 http://downloads.asterisk.org/pub/telephony/certified-asterisk/release s/ChangeLog-11.6-cert2 http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLo g-11.8.1 http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLo g-12.1.1

The security advisories are available at :

  -     http://downloads.asterisk.org/pub/security/AST-2014-001.
    pdf

    -       http://downloads.asterisk.org/pub/security/AST-2014-00       2.pdf

    -       http://downloads.asterisk.org/pub/security/AST-2014-00       3.pdf

    -       http://downloads.asterisk.org/pub/security/AST-2014-00       4.pdf The Asterisk Development Team has announced the       release of Asterisk 11.8.0. This release is available       for immediate download at       http://downloads.asterisk.org/pub/telephony/asterisk

The release of Asterisk 11.8.0 resolves several issues reported by the community and would have not been possible without your participation.
Thank you!

The following are the issues resolved in this release :

Bugs fixed in this release :

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the version in its SIP banner, the version of Asterisk running on the remote host is potentially affected by a denial of service vulnerability. 

A flaw exists in the PJSIP channel driver when the 'quality_frequency' configuration is enabled on an AOR when the SIP server's challenges for authentication challenges of the 'OPTIONS' request.  A remote attacker could use a specially crafted request to crash the program. 

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The Asterisk project reports :

Stack Overflow in HTTP Processing of Cookie Headers. Sending a HTTP request that is handled by Asterisk with a large number of Cookie headers could overflow the stack. You could even exhaust memory if you sent an unlimited number of headers in the request.

Denial of Service Through File Descriptor Exhaustion with chan_sip Session-Timers. An attacker can use all available file descriptors using SIP INVITE requests. Asterisk will respond with code 400, 420, or 422 for INVITEs meeting this criteria. Each INVITE meeting these conditions will leak a channel and several file descriptors. The file descriptors cannot be released without restarting Asterisk which may allow intrusion detection systems to be bypassed by sending the requests slowly.

Remote Crash Vulnerability in PJSIP channel driver. A remotely exploitable crash vulnerability exists in the PJSIP channel driver if the 'qualify_frequency' configuration option is enabled on an AOR and the remote SIP server challenges for authentication of the resulting OPTIONS request. The response handling code wrongly assumes that a PJSIP endpoint will always be associated with an outgoing request which is incorrect.

ID	Name	Product	Family	Severity
73861	GLSA-201405-05 : Asterisk: Denial of Service	Nessus	Gentoo Local Security Checks	high
73142	Fedora 19 : asterisk-11.8.1-1.fc19 (2014-3779)	Nessus	Fedora Local Security Checks	high
73141	Fedora 20 : asterisk-11.8.1-1.fc20 (2014-3762)	Nessus	Fedora Local Security Checks	high
73021	Asterisk PJSIP Channel Driver Options DoS (AST-2014-003)	Nessus	Misc.	medium
72953	FreeBSD : asterisk -- multiple vulnerabilities (03159886-a8a3-11e3-8f36-0025905a4771)	Nessus	FreeBSD Local Security Checks	high

Detections

Analytics

CVE-2014-2288

high

Tenable Plugins

high

high

high

medium

high