Asterisk 13.13 < 13.13-cert4 / 13.x < 13.15.1 / 14.x < 14.4.1 Multiple Vulnerabilities (AST-2017-002 - AST-2017-004)
High Nessus Plugin ID 100386
Synopsis
A telephony application running on the remote host is affected by multiple vulnerabilities.
Description
According to its SIP banner, the version of Asterisk running on the remote host is 13.13 prior to 13.13-cert4, 13.x prior to 13.15.1, or 14.x prior to 14.4.1. It is, therefore, affected by multiple vulnerabilities:
- An out-of-bounds read error exists in the PJSIP multi-part body parser, which reads memory outside the bounds of the message body. An unauthenticated, remote attacker can exploit this, via specially crafted packets, to trigger an invalid read, resulting in a denial of service condition. (VulnDB 157966)
- A denial of service vulnerability exists in 'partial data' message logging when 'chan_skinny' is enabled and an SCCP packet is received that is larger than the SCCP header but smaller than the packet length declared in that header. The loop that reads the rest of the packet fails to detect that the call to read() returned end-of-file before the expected number of bytes had arrived and therefore continues indefinitely. An unauthenticated, remote attacker can exploit this issue, via specially crafted packets, to exhaust all available memory. (VulnDB 157967)
- A denial of service vulnerability exists in the PJSIP RFC 2543 transaction key generation algorithm due to a failure to allocate a sufficiently large buffer when handling a SIP packet with a specially crafted CSeq header and a Via header with no branch parameter. An unauthenticated, remote attacker can exploit this, via specially crafted packets, to overflow the buffer, resulting in memory corruption and an eventual crash.
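The 'chan_skinny' item above describes a read loop that never checks for end-of-file. The following is an added example (not Asterisk or Nessus code) of how such a length-driven read loop should be written: the `read_exact()` helper, its `struct read_result`, and the pipe-based `simulate_short_packet()` test harness are all assumptions made for this illustration, and the payload bytes are constructed.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <unistd.h>

struct read_result { ssize_t got; int eof; };

/* Read exactly `want` bytes of a packet body into `buf` after a header has
 * announced that length. The defect described for chan_skinny was a loop
 * that only treated a negative read() return as failure, so a peer that
 * sent fewer bytes than the header declared and then closed the socket
 * left the loop spinning on read() == 0. The `n == 0` branch below is the
 * missing end-of-file check: the caller gets a short count plus an EOF
 * flag and can discard the packet instead of looping. */
struct read_result read_exact(int fd, unsigned char *buf, size_t want) {
    struct read_result r = { 0, 0 };
    size_t got = 0;
    while (got < want) {
        ssize_t n = read(fd, buf + got, want - got);
        if (n < 0) {
            if (errno == EINTR) continue;   /* interrupted: retry */
            r.got = -1;                     /* real error */
            return r;
        }
        if (n == 0) {                       /* EOF before `want` bytes */
            r.eof = 1;
            break;
        }
        got += (size_t)n;
    }
    r.got = (ssize_t)got;
    return r;
}

/* Harness: push `avail` constructed bytes through a pipe, close the writer
 * (the peer hanging up), then ask read_exact for `want` bytes. */
struct read_result simulate_short_packet(size_t avail, size_t want) {
    struct read_result fail = { -1, 0 };
    unsigned char payload[256], buf[256];
    int fds[2];
    if (avail > sizeof payload || want > sizeof buf || pipe(fds) != 0) return fail;
    memset(payload, 0xAB, sizeof payload);          /* constructed sample body */
    if (write(fds[1], payload, avail) != (ssize_t)avail) { close(fds[0]); close(fds[1]); return fail; }
    close(fds[1]);
    struct read_result r = read_exact(fds[0], buf, want);
    close(fds[0]);
    return r;
}
```

A header that declares 20 bytes while only 10 arrive now yields a short count of 10 with the EOF flag set, rather than an endless loop.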
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Upgrade to Asterisk version 13.13-cert4 / 13.15.1 / 14.4.1 or later.