Asterisk Project Security Advisory - AST-2012-005

         Product         Asterisk
         Summary         Heap Buffer Overflow in Skinny Channel Driver
    Nature of Advisory   Exploitable Heap Buffer Overflow
      Susceptibility     Remote Authenticated Sessions
         Severity        Minor
      Exploits Known     No
       Reported On       March 26, 2012
       Reported By       Russell Bryant
        Posted On        April 23, 2012
     Last Updated On     April 23, 2012
     Advisory Contact    Matt Jordan < mjordan AT digium DOT com >
         CVE Name

   Description  In the Skinny channel driver, KEYPAD_BUTTON_MESSAGE events
                are queued for processing in a buffer allocated on the
                heap, where each DTMF value that is received is placed on
                the end of the buffer. Since the length of the buffer is
                never checked, an attacker could send sufficient
                KEYPAD_BUTTON_MESSAGE events such that the buffer is
                overrun.

   Resolution  The length of the buffer is now checked before appending a
               value to the end of the buffer.

                              Affected Versions
               Product              Release Series
        Asterisk Open Source           1.6.2.x      All Versions
        Asterisk Open Source            1.8.x       All Versions
        Asterisk Open Source             10.x       All Versions

                                 Corrected In
               Product                              Release
         Asterisk Open Source              1.6.2.24, 1.8.11.1, 10.3.1

                                    Patches
                               SVN URL                               Revision
  http://downloads.asterisk.org/pu ... 2012-005-1.6.2.diff v1.6.2
  http://downloads.asterisk.org/pub/security/AST-2012-005-1.8.diff   v1.8
  http://downloads.asterisk.org/pub/security/AST-2012-005-10.diff    v10

      Links     https://issues.asterisk.org/jira/browse/ASTERISK-19592

   Asterisk Project Security Advisories are posted at
   http://www.asterisk.org/security

   This document may be superseded by later versions; if so, the latest
   version will be posted at
   http://downloads.digium.com/pub/security/AST-2012-005.pdf and
   http://downloads.digium.com/pub/security/AST-2012-005.html

                               Revision History
         Date                  Editor                 Revisions Made
   04/16/2012         Matt Jordan               Initial Release

              Asterisk Project Security Advisory - AST-2012-005
             Copyright (c) 2012 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
                          original, unaltered form.

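An added example, written for this page rather than taken from Asterisk's chan_skinny.c, that models the AST-2012-005 defect and its fix in C: DTMF digits decoded from KEYPAD_BUTTON_MESSAGE events are appended to a fixed-size heap buffer, and the fixed push refuses a digit once the buffer is full instead of writing past it. The queue capacity, the function names and the keypad-code-to-digit mapping are assumptions for illustration.

```c
/* Added example (not Asterisk's chan_skinny.c): a simplified model of the
 * AST-2012-005 defect. DTMF digits decoded from KEYPAD_BUTTON_MESSAGE
 * events are queued in a fixed-size heap buffer. Names, sizes and the
 * button-to-digit mapping below are assumptions for illustration. */
#include <stdlib.h>
#include <string.h>

#define DTMF_QUEUE_LEN 8          /* hypothetical queue capacity in digits */

struct dtmf_queue {
    char *buf;                    /* heap allocation of DTMF_QUEUE_LEN bytes */
    size_t len;                   /* digits currently queued */
    unsigned long dropped;        /* events refused by the bounds check */
};

struct dtmf_queue *dtmf_queue_new(void)
{
    struct dtmf_queue *q = calloc(1, sizeof(*q));
    if (!q) {
        return NULL;
    }
    q->buf = malloc(DTMF_QUEUE_LEN);
    if (!q->buf) {
        free(q);
        return NULL;
    }
    return q;
}

void dtmf_queue_free(struct dtmf_queue *q)
{
    if (q) {
        free(q->buf);
        free(q);
    }
}

/* Map a Skinny keypad button code to a DTMF character. Codes 0-9 are the
 * digits; 14 and 15 are assumed here to be '*' and '#'. Returns 0 for any
 * other code so the caller can discard it. */
char keypad_button_to_dtmf(unsigned int button)
{
    if (button <= 9) {
        return (char)('0' + button);
    }
    if (button == 14) {
        return '*';
    }
    if (button == 15) {
        return '#';
    }
    return 0;
}

/* Pre-fix behaviour, reconstructed from the advisory text:
 *     q->buf[q->len++] = digit;
 * with no comparison against the allocation size, so the write past
 * q->buf[DTMF_QUEUE_LEN - 1] corrupts whatever follows the heap block.
 *
 * Post-fix behaviour: refuse the digit once the buffer is full. */
int dtmf_queue_push(struct dtmf_queue *q, char digit)
{
    if (q->len >= DTMF_QUEUE_LEN) {
        q->dropped++;             /* worth logging: a client flooding DTMF */
        return -1;
    }
    q->buf[q->len++] = digit;
    return 0;
}

/* Feed a burst of keypad events and return how many digits were queued.
 * Unknown button codes are ignored and do not count as dropped. */
size_t handle_keypad_burst(struct dtmf_queue *q, const unsigned int *buttons,
                           size_t count)
{
    size_t accepted = 0;
    for (size_t i = 0; i < count; i++) {
        char digit = keypad_button_to_dtmf(buttons[i]);
        if (digit && dtmf_queue_push(q, digit) == 0) {
            accepted++;
        }
    }
    return accepted;
}
```

The `dropped` counter is the detection hook: a station that keeps producing keypad events after the queue is full is exactly the traffic pattern the advisory describes.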
Asterisk Project Security Advisory - AST-2012-006

         Product         Asterisk
         Summary         Remote Crash Vulnerability in SIP Channel Driver
    Nature of Advisory   Remote Crash
      Susceptibility     Remote Authenticated Sessions
         Severity        Moderate
      Exploits Known     No
       Reported On       April 16, 2012
       Reported By       Thomas Arimont
        Posted On        April 23, 2012
     Last Updated On     April 23, 2012
     Advisory Contact    Matt Jordan < mjordan AT digium DOT com >
         CVE Name

   Description  A remotely exploitable crash vulnerability exists in the
                SIP channel driver if a SIP UPDATE request is processed
                within a particular window of time. For this to occur, the
                following must take place:

                1. The setting 'trustrpid' must be set to True

                2. An UPDATE request must be received after a call has been
                terminated and the associated channel object has been
                destroyed, but before the SIP dialog associated with the
                call has been destroyed. Receiving the UPDATE request
                before the call is terminated or after the SIP dialog
                associated with the call will not cause the crash
                vulnerability described here.

                3. The UPDATE request must be formatted with the
                appropriate headers to reflect an Asterisk connected line
                update. The information in the headers must reflect a
                different Caller ID than what was previously associated
                with the dialog.

                When these conditions are true, Asterisk will attempt to
                perform a connected line update with no associated channel,
                and will crash.

   Resolution  Asterisk now ensures a channel exists before performing a
               connected line update, when that connected line update is
               initiated via a SIP UPDATE request.

               In Asterisk versions not containing the fix for this issue,
               setting the 'trustrpid' setting to False will prevent this
               crash from occurring (default is False).

                              Affected Versions
                Product               Release Series
         Asterisk Open Source             1.8.x       All versions
         Asterisk Open Source              10.x       All versions
       Asterisk Business Edition          C.3.x       All versions

                                 Corrected In
                   Product                              Release
             Asterisk Open Source                   1.8.11.1, 10.3.1
          Asterisk Business Edition                     C.3.7.4

                                   Patches
                              SVN URL                              Revision
  http://downloads.asterisk.org/pub/security/AST-2012-006-1.8.diff v1.8
  http://downloads.asterisk.org/pub/security/AST-2012-006-10.diff  v10

      Links     https://issues.asterisk.org/jira/browse/ASTERISK-19770

   Asterisk Project Security Advisories are posted at
   http://www.asterisk.org/security

   This document may be superseded by later versions; if so, the latest
   version will be posted at
   http://downloads.digium.com/pub/security/AST-2012-006.pdf and
   http://downloads.digium.com/pub/security/AST-2012-006.html

                               Revision History
         Date                 Editor                  Revisions Made
   04/16/2012         Matt Jordan              Initial release.

              Asterisk Project Security Advisory - AST-2012-006
             Copyright (c) 2012 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
                          original, unaltered form.

It seems DAHDI Complete 2.6.1+2.6.1 Source Tarball has been released as well.

http://downloads.asterisk.org/pu ... -2.6.1+2.6.1.tar.gz

svn co http://svn.asterisk.org/svn/dahdi/linux-complete/tags/2.6.1+2.6.1 dahdi-2.6.1+2.6.1

The Asterisk Development Team has announced the release of Asterisk 1.8.12.0.
This release is available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk

The release of Asterisk 1.8.12.0 resolves several issues reported by the
community and would not have been possible without your participation.
Thank you!

The following are the issues resolved in this release:

* --- Prevent chanspy from binding to zombie channels
(Closes issue ASTERISK-19493. Reported by lvl)

* --- Fix Dial m and r options and forked calls generating warnings
     for voice frames.
(Closes issue ASTERISK-16901. Reported by Chris Gentle)

* --- Remove ISDN hold restriction for non-bridged calls.
(Closes issue ASTERISK-19388. Reported by Birger Harzenetter)

* --- Fix copying of CDR(accountcode) to local channels.
(Closes issue ASTERISK-19384. Reported by jamicque)

* --- Ensure Asterisk acknowledges ACKs to 4xx on Replaces errors
(Closes issue ASTERISK-19303. Reported by Jon Tsiros)

* --- Eliminate double close of file descriptor in manager.c
(Closes issue ASTERISK-18453. Reported by Jaco Kroon)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pu ... /ChangeLog-1.8.12.0

Thank you for your continued support of Asterisk!

The Asterisk Development Team has announced the release of Asterisk 10.4.0.
This release is available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk

The release of Asterisk 10.4.0 resolves several issues reported by the
community and would not have been possible without your participation.
Thank you!

The following are the issues resolved in this release:

* --- Prevent chanspy from binding to zombie channels
(Closes issue ASTERISK-19493. Reported by lvl)

* --- Fix Dial m and r options and forked calls generating warnings
     for voice frames.
(Closes issue ASTERISK-16901. Reported by Chris Gentle)

* --- Remove ISDN hold restriction for non-bridged calls.
(Closes issue ASTERISK-19388. Reported by Birger Harzenetter)

* --- Fix copying of CDR(accountcode) to local channels.
(Closes issue ASTERISK-19384. Reported by jamicque)

* --- Ensure Asterisk acknowledges ACKs to 4xx on Replaces errors
(Closes issue ASTERISK-19303. Reported by Jon Tsiros)

* --- Eliminate double close of file descriptor in manager.c
(Closes issue ASTERISK-18453. Reported by Jaco Kroon)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pu ... sk/ChangeLog-10.4.0

Thank you for your continued support of Asterisk!

The Asterisk Development Team has announced security releases for Certified
Asterisk 1.8.11 and Asterisk 1.8 and 10. The available security releases are
released as versions 1.8.11-cert2, 1.8.12.1, and 10.4.1.

These releases are available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases

The release of Asterisk 1.8.11-cert2, 1.8.12.1, and 10.4.1 resolves the following
two issues:

* A remotely exploitable crash vulnerability exists in the IAX2 channel
driver if an established call is placed on hold without a suggested music
class. Asterisk will attempt to use an invalid pointer to the music
on hold class name, potentially causing a crash.

* A remotely exploitable crash vulnerability was found in the Skinny (SCCP)
Channel driver. When an SCCP client closes its connection to the server,
a pointer in a structure is set to NULL.  If the client was not in the
on-hook state at the time the connection was closed, this pointer is later
dereferenced. This allows remote authenticated connections the ability to
cause a crash in the server, denying services to legitimate users.

These issues and their resolution are described in the security advisories.

For more information about the details of these vulnerabilities, please read
security advisories AST-2012-007 and AST-2012-008, which were released at the
same time as this announcement.

For a full list of changes in the current releases, please see the ChangeLogs:

http://downloads.asterisk.org/pu ... ngeLog-1.8.11-cert2
http://downloads.asterisk.org/pu ... /ChangeLog-1.8.12.1
http://downloads.asterisk.org/pu ... es/ChangeLog-10.4.1

The security advisories are available at:

* http://downloads.asterisk.org/pub/security/AST-2012-007.pdf
* http://downloads.asterisk.org/pub/security/AST-2012-008.pdf

Thank you for your continued support of Asterisk!

Asterisk Project Security Advisory - AST-2012-007

         Product        Asterisk
         Summary        Remote crash vulnerability in IAX2 channel driver.
   Nature of Advisory   Remote crash
     Susceptibility     Established calls
        Severity        Moderate
     Exploits Known     No
       Reported On      March 21, 2012
       Reported By      mgrobecker
        Posted On       May 29, 2012
     Last Updated On    May 29, 2012
    Advisory Contact    Richard Mudgett < rmudgett AT digium DOT com >
        CVE Name        CVE-2012-2947

   Description  A remotely exploitable crash vulnerability exists in the
                IAX2 channel driver if an established call is placed on
                hold without a suggested music class. For this to occur,
                the following must take place:

                1. The setting mohinterpret=passthrough must be set on the
                end placing the call on hold.

                2. A call must be established.

                3. The call is placed on hold without a suggested
                music-on-hold class name.

                When these conditions are true, Asterisk will attempt to
                use an invalid pointer to a music-on-hold class name. Use
                of the invalid pointer will either cause a crash or the
                music-on-hold class name will be garbage.

   Resolution  Asterisk now sets the extra data parameter to null if the
               received control frame does not have any extra data.

                              Affected Versions
               Product              Release Series
         Certified Asterisk          1.8.11-cert    All versions
        Asterisk Open Source            1.8.x       All versions
        Asterisk Open Source             10.x       All versions

                                 Corrected In
                  Product                              Release
            Certified Asterisk                      1.8.11-cert2
           Asterisk Open Source                   1.8.12.1, 10.4.1

                                      Patches
                               SVN URL                                    Revision
http://downloads.asterisk.org/pu ... 07-1.8.11-cert.diff v1.8.11-cert
http://downloads.asterisk.org/pub/security/AST-2012-007-1.8.diff         v1.8
http://downloads.asterisk.org/pub/security/AST-2012-007-10.diff          v10

      Links     https://issues.asterisk.org/jira/browse/ASTERISK-19597

   Asterisk Project Security Advisories are posted at
   http://www.asterisk.org/security

   This document may be superseded by later versions; if so, the latest
   version will be posted at
   http://downloads.digium.com/pub/security/AST-2012-007.pdf and
   http://downloads.digium.com/pub/security/AST-2012-007.html

                               Revision History
         Date                  Editor                 Revisions Made
   05/29/2012         Richard Mudgett           Initial release.

              Asterisk Project Security Advisory - AST-2012-007
             Copyright (c) 2012 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
                          original, unaltered form.

Asterisk Project Security Advisory - AST-2012-008

         Product         Asterisk
         Summary         Skinny Channel Driver Remote Crash Vulnerability
    Nature of Advisory   Denial of Service
      Susceptibility     Remote authenticated sessions
         Severity        Minor
      Exploits Known     No
       Reported On       May 22, 2012
       Reported By       Christoph Hebeisen
        Posted On        May 29, 2012
     Last Updated On     May 29, 2012
     Advisory Contact    Matt Jordan < mjordan AT digium DOT com >
         CVE Name        CVE-2012-2948

   Description  As reported by Telus Labs:

                "A Null-pointer dereference has been identified in the SCCP
                (Skinny) channel driver of Asterisk. When an SCCP client
                closes its connection to the server, a pointer in a
                structure is set to Null. If the client was not in the
                on-hook state at the time the connection was closed, this
                pointer is later dereferenced.

                A remote attacker with a valid SCCP ID can use this
                vulnerability by closing a connection to the Asterisk
                server in certain call states (e.g. "Off hook") to crash
                the server. Successful exploitation of this vulnerability
                would result in termination of the server, causing denial
                of service to legitimate users."

   Resolution  The pointer to the device in the structure is now checked
               before it is dereferenced in the channel event callbacks and
               message handling functions.

                              Affected Versions
               Product              Release Series
        Asterisk Open Source            1.8.x       All Versions
        Asterisk Open Source             10.x       All Versions
         Certified Asterisk          1.8.11-cert    1.8.11-cert1

                                 Corrected In
                  Product                              Release
           Asterisk Open Source                   1.8.12.1, 10.4.1
            Certified Asterisk                      1.8.11-cert2

                                      Patches
                               SVN URL                                    Revision
http://downloads.asterisk.org/pub/security/AST-2012-008-1.8.diff         v1.8
http://downloads.asterisk.org/pub/security/AST-2012-008-10.diff          v10
http://downloads.asterisk.org/pu ... 08-1.8.11-cert.diff v1.8.11-cert

      Links     https://issues.asterisk.org/jira/browse/ASTERISK-19905

   Asterisk Project Security Advisories are posted at
   http://www.asterisk.org/security

   This document may be superseded by later versions; if so, the latest
   version will be posted at
   http://downloads.digium.com/pub/security/AST-2012-008.pdf and
   http://downloads.digium.com/pub/security/AST-2012-008.html

                               Revision History
         Date                  Editor                 Revisions Made
   05/25/2012         Matt Jordan               Initial Release

              Asterisk Project Security Advisory - AST-2012-008
             Copyright (c) 2012 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
                          original, unaltered form.

The Asterisk Development Team has announced the release of Asterisk 1.8.12.2.
This release is available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk

The release of Asterisk 1.8.12.2 resolves an issue reported by the
community and would not have been possible without your participation.
Thank you!

The following is the issue resolved in this release:

* --- Resolve crash in subscribing for MWI notifications
(Closes issue ASTERISK-19827. Reported by B. R)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pu ... /ChangeLog-1.8.12.2

Thank you for your continued support of Asterisk!

The Asterisk Development Team has announced the release of Asterisk 10.4.2.
This release is available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk

The release of Asterisk 10.4.2 resolves several issues reported by the
community and would not have been possible without your participation.
Thank you!

The following are the issues resolved in this release:

* --- Resolve crash in subscribing for MWI notifications
(Closes issue ASTERISK-19827. Reported by B. R)

* --- Fix crash in ConfBridge when user announcement is played for
     more than 2 users
(Closes issue ASTERISK-19899. Reported by Florian Gilcher)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pu ... sk/ChangeLog-10.4.2

Thank you for your continued support of Asterisk!

The Asterisk Development Team has announced the release of Asterisk 1.8.13.0.
This release is available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk

The release of Asterisk 1.8.13.0 resolves several issues reported by the
community and would not have been possible without your participation.
Thank you!

The following is a sample of the issues resolved in this release:

* --- Turn off warning message when bind address is set to any.
(Closes issue ASTERISK-19456. Reported by Michael L. Young)

* --- Prevent overflow in calculation in ast_tvdiff_ms on 32-bit
     machines
(Closes issue ASTERISK-19727. Reported by Ben Klang)

* --- Make DAHDISendCallreroutingFacility wait 5 seconds for a reply
     before disconnecting the call.
(Closes issue ASTERISK-19708. Reported by mehdi Shirazi)

* --- Fix recalled party B feature flags for a failed DTMF atxfer.
(Closes issue ASTERISK-19383. Reported by lgfsantos)

* --- Fix DTMF atxfer running h exten after the wrong bridge ends.
(Closes issue ASTERISK-19717. Reported by Mario)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pu ... /ChangeLog-1.8.13.0

Thank you for your continued support of Asterisk!

The Asterisk Development Team has announced the release of Asterisk 10.5.0.
This release is available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk

The release of Asterisk 10.5.0 resolves several issues reported by the
community and would not have been possible without your participation.
Thank you!

The following is a sample of the issues resolved in this release:

* --- Turn off warning message when bind address is set to any.
(Closes issue ASTERISK-19456. Reported by Michael L. Young)

* --- Prevent overflow in calculation in ast_tvdiff_ms on 32-bit
     machines
(Closes issue ASTERISK-19727. Reported by Ben Klang)

* --- Make DAHDISendCallreroutingFacility wait 5 seconds for a reply
     before disconnecting the call.
(Closes issue ASTERISK-19708. Reported by mehdi Shirazi)

* --- Fix recalled party B feature flags for a failed DTMF atxfer.
(Closes issue ASTERISK-19383. Reported by lgfsantos)

* --- Fix DTMF atxfer running h exten after the wrong bridge ends.
(Closes issue ASTERISK-19717. Reported by Mario)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pu ... sk/ChangeLog-10.5.0

Thank you for your continued support of Asterisk!

The Asterisk Development Team has announced a security release for Asterisk 10.
This security release is released as version 10.5.1.

The release is available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases

The release of Asterisk 10.5.1 resolves the following issue:

* A remotely exploitable crash vulnerability was found in the Skinny (SCCP)
Channel driver. When an SCCP client sends an Off Hook message, followed by
a Key Pad Button Message, a structure that was previously set to NULL is
dereferenced.  This allows remote authenticated connections the ability to
cause a crash in the server, denying services to legitimate users.

This issue and its resolution are described in the security advisory.

For more information about the details of this vulnerability, please read
security advisory AST-2012-009, which was released at the same time as this
announcement.

For a full list of changes in the current release, please see the ChangeLog:

http://downloads.asterisk.org/pu ... es/ChangeLog-10.5.1

The security advisory is available at:

* http://downloads.asterisk.org/pub/security/AST-2012-009.pdf

Thank you for your continued support of Asterisk!

Asterisk Project Security Advisory - AST-2012-009

         Product         Asterisk
         Summary         Skinny Channel Driver Remote Crash Vulnerability
    Nature of Advisory   Denial of Service
      Susceptibility     Remote authenticated sessions
         Severity        Minor
      Exploits Known     No
       Reported On       May 30, 2012
       Reported By       Christoph Hebeisen, TELUS Security Labs
        Posted On        June 14, 2012
     Last Updated On     June 14, 2012
     Advisory Contact    Matt Jordan < mjordan AT digium DOT com >
         CVE Name        CVE-2012-3553

   Description  AST-2012-008 previously dealt with a denial of service
                attack exploitable in the Skinny channel driver that
                occurred when certain messages are sent after a previously
                registered station sends an Off Hook message. Unresolved in
                that patch is an issue in the Asterisk 10 releases,
                wherein, if a Station Key Pad Button Message is processed
                after an Off Hook message, the channel driver will
                inappropriately dereference a Null pointer.

                Similar to AST-2012-008, a remote attacker with a valid
                SCCP ID can use this vulnerability by closing a
                connection to the Asterisk server when a station is in the
                "Off Hook" call state and crash the server.

   Resolution  The presence of a device for a line is now checked in the
               appropriate channel callbacks, preventing the crash.

                              Affected Versions
               Product              Release Series
        Asterisk Open Source             10.x       All Versions

                                 Corrected In
                    Product                              Release
              Asterisk Open Source                        10.5.1

                                   Patches
                              SVN URL                              Revision
  http://downloads.asterisk.org/pub/security/AST-2012-009-10.diff v10

      Links     https://issues.asterisk.org/jira/browse/ASTERISK-19905

   Asterisk Project Security Advisories are posted at
   http://www.asterisk.org/security

   This document may be superseded by later versions; if so, the latest
   version will be posted at
   http://downloads.digium.com/pub/security/AST-2012-009.pdf and
   http://downloads.digium.com/pub/security/AST-2012-009.html

                               Revision History
         Date                  Editor                 Revisions Made
   06/14/2012         Matt Jordan               Initial Release

              Asterisk Project Security Advisory - AST-2012-009
             Copyright (c) 2012 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
                          original, unaltered form.

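An added example, written for this page and not taken from Asterisk's chan_skinny.c, that models the stale device pointer behind AST-2012-008 and AST-2012-009 in C: a line keeps a pointer to its device, a connection close sets that pointer to NULL, and the Off Hook and Key Pad Button callbacks check it before use, so the advisory's Off Hook, close, Key Pad Button sequence returns an error instead of dereferencing NULL. The structure layout, state names, return codes and the constructed device name are assumptions.

```c
/* Added example (not Asterisk's chan_skinny.c): a simplified model of the
 * AST-2012-008 / AST-2012-009 defect. A registered line keeps a pointer to
 * its device; when the client's session closes, that pointer is set to
 * NULL, but an event that arrives for a line that was off hook still runs
 * a callback that reads through it. All names and states are assumptions. */
#include <stddef.h>

enum line_state { ONHOOK, OFFHOOK };

struct skinny_device {
    char name[32];                  /* e.g. a constructed "SEP..." name */
    int session_open;
};

struct skinny_line {
    struct skinny_device *device;   /* NULL once the session is gone */
    enum line_state state;
    char last_digit;
};

/* Result codes the callbacks return instead of crashing. */
enum cb_result { CB_OK = 0, CB_NO_DEVICE = -1, CB_BAD_STATE = -2 };

/* Called when the SCCP client closes its connection: the device goes away
 * but the line object (and any pending events for it) survive. */
void session_closed(struct skinny_line *line)
{
    if (line->device) {
        line->device->session_open = 0;
    }
    line->device = NULL;
}

/* Pre-fix behaviour, reconstructed from the advisory text: the handlers
 * below read line->device->... unconditionally, so an Off Hook followed by
 * a connection close and then a Key Pad Button message dereferenced NULL.
 * Post-fix behaviour: verify the device is still present first. */
enum cb_result handle_offhook(struct skinny_line *line)
{
    if (!line->device) {
        return CB_NO_DEVICE;        /* AST-2012-008: check before use */
    }
    line->state = OFFHOOK;
    return CB_OK;
}

enum cb_result handle_keypad_button(struct skinny_line *line, char digit)
{
    if (!line->device) {
        return CB_NO_DEVICE;        /* AST-2012-009: the 10.x handler gap */
    }
    if (line->state != OFFHOOK) {
        return CB_BAD_STATE;        /* digits only matter on an active line */
    }
    line->last_digit = digit;
    return CB_OK;
}

/* Replay the advisory's sequence on a fresh line bound to dev and report
 * the outcome of the final Key Pad Button message. With the checks in
 * place it is CB_NO_DEVICE rather than a crash. */
enum cb_result replay_offhook_close_keypad(struct skinny_device *dev)
{
    struct skinny_line line = { dev, ONHOOK, 0 };
    handle_offhook(&line);
    session_closed(&line);
    return handle_keypad_button(&line, '5');
}
```

A CB_NO_DEVICE result on a line that was off hook is the event a defender would log: it is the exact message ordering the advisory describes, arriving from a session that has already gone away.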
The Asterisk Development Team has announced security releases for Certified
Asterisk 1.8.11 and Asterisk 1.8 and 10. The available security releases are
released as versions 1.8.11-cert4, 1.8.13.1, 10.5.2, and 10.5.2-digiumphones.

These releases are available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases

The release of Asterisk 1.8.11-cert4, 1.8.13.1, 10.5.2, and 10.5.2-digiumphones
resolves the following two issues:

* If Asterisk sends a re-invite and an endpoint responds to the re-invite with
  a provisional response but never sends a final response, then the SIP dialog
  structure is never freed and the RTP ports for the call are never released. If
  an attacker has the ability to place a call, they could create a denial of
  service by using all available RTP ports.

* If a single voicemail account is manipulated by two parties simultaneously,
  a condition can occur where memory is freed twice causing a crash.

These issues and their resolution are described in the security advisories.

For more information about the details of these vulnerabilities, please read
security advisories AST-2012-010 and AST-2012-011, which were released at the
same time as this announcement.

For a full list of changes in the current releases, please see the ChangeLogs:

http://downloads.asterisk.org/pu ... ngeLog-1.8.11-cert4
http://downloads.asterisk.org/pu ... /ChangeLog-1.8.13.1
http://downloads.asterisk.org/pu ... es/ChangeLog-10.5.2
http://downloads.asterisk.org/pu ... 10.5.2-digiumphones

The security advisories are available at:

* http://downloads.asterisk.org/pub/security/AST-2012-010.pdf
* http://downloads.asterisk.org/pub/security/AST-2012-011.pdf

Thank you for your continued support of Asterisk!
