[AsteriskBrasil] Fwd: [asterisk-dev] AST-2014-002: Denial of Service Through File Descriptor Exhaustion with chan_sip Session-Timers

Sylvio Jollenbeck sylvio.jollenbeck at gmail.com
Monday March 10 18:18:55 BRT 2014


One more security fix...

---------- Forwarded message ----------
From: Asterisk Security Team <security at asterisk.org>
Date: 2014-03-10 18:06 GMT-03:00
Subject: [asterisk-dev] AST-2014-002: Denial of Service Through File
Descriptor Exhaustion with chan_sip Session-Timers
To: asterisk-dev at lists.digium.com


               Asterisk Project Security Advisory - AST-2014-002

         Product        Asterisk
         Summary        Denial of Service Through File Descriptor Exhaustion
                        with chan_sip Session-Timers
    Nature of Advisory  Denial of Service
      Susceptibility    Remote Authenticated or Anonymous Sessions
         Severity       Moderate
      Exploits Known    No
       Reported On      2014/02/25
       Reported By      Corey Farrell
        Posted On       March 10, 2014
     Last Updated On    March 10, 2014
     Advisory Contact   Kinsey Moore <kmoore AT digium DOT com>
         CVE Name       CVE-2014-2287

    Description  An attacker can use all available file descriptors using
                 SIP INVITE requests.

                 Knowledge required to achieve the attack:

                 * Valid account credentials or anonymous dial in

                 * A valid extension that can be dialed from the SIP account

                 Trigger conditions:

                 * chan_sip configured with "session-timers" set to
                 "originate" or "accept"

                 ** The INVITE request must contain either a Session-Expires
                 or a Min-SE header with malformed values or values
                 disallowed by the system's configuration.

                 * chan_sip configured with "session-timers" set to "refuse"

                 ** The INVITE request must offer "timer" in the "Supported"
                 header

                 Asterisk will respond with code 400, 420, or 422 for
                 INVITEs meeting these criteria. Each INVITE meeting these
                 conditions will leak a channel and several file
                 descriptors. The file descriptors cannot be released
                 without restarting Asterisk, which may allow intrusion
                 detection systems to be bypassed by sending the requests
                 slowly.

    Resolution  Upgrade to a version with the patch integrated or apply the
                appropriate patch.

                               Affected Versions
                 Product               Release Series
          Asterisk Open Source             1.8.x       All
          Asterisk Open Source              11.x       All
          Asterisk Open Source              12.x       All
           Certified Asterisk              1.8.15      All
           Certified Asterisk               11.6       All

                                  Corrected In
                     Product                              Release
            Asterisk Open Source 1.8.x                    1.8.26.1
            Asterisk Open Source 11.x                      11.8.1
            Asterisk Open Source 12.x                      12.1.1
            Certified Asterisk 1.8.15                   1.8.15-cert5
             Certified Asterisk 11.6                     11.6-cert2

                                      Patches
                                 SVN URL                                   Revision
   http://downloads.asterisk.org/pub/security/AST-2014-002-1.8.diff      Asterisk 1.8
   http://downloads.asterisk.org/pub/security/AST-2014-002-11.diff       Asterisk 11
   http://downloads.asterisk.org/pub/security/AST-2014-002-12.diff       Asterisk 12
   http://downloads.asterisk.org/pub/security/AST-2014-002-11.6.diff     Certified Asterisk 11.6
   http://downloads.asterisk.org/pub/security/AST-2014-002-1.8.15.diff   Certified Asterisk 1.8.15

       Links     https://issues.asterisk.org/jira/browse/ASTERISK-23373

    Asterisk Project Security Advisories are posted at
    http://www.asterisk.org/security

    This document may be superseded by later versions; if so, the latest
    version will be posted at
    http://downloads.digium.com/pub/security/AST-2014-002.pdf and
    http://downloads.digium.com/pub/security/AST-2014-002.html

                                Revision History
        Date           Editor                    Revisions Made
    2014/03/04     Kinsey Moore     Document Creation
    2014/03/06     Kinsey Moore     Corrections and Wording Clarification
    2014/03/10     Kinsey Moore     Added missing patch links

               Asterisk Project Security Advisory - AST-2014-002
              Copyright (c) 2014 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.


--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

asterisk-dev mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-dev



-- 
Sylvio Jollenbeck
www.hosannatecnologia.com.br
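A check for the trigger conditions listed in the advisory, added here as an example; it is not code from Asterisk or from the advisory. It parses a SIP INVITE and reports whether the request matches one of the conditions for a given session-timers mode, and keeps a cumulative per-source tally, because each matching INVITE leaks until restart and a slow drip that never trips a rate-based IDS still adds up. It assumes the sip.conf option name session-minse with its default of 90 seconds, and reads "values disallowed by the system's configuration" as a Session-Expires below session-minse (the RFC 4028 422 case); the INVITEs are constructed samples, not captured traffic.

```python
"""Match SIP INVITEs against the AST-2014-002 trigger conditions (added example).

Not Asterisk code. Assumed: sip.conf option names session-timers and
session-minse, default session-minse of 90 seconds, and the reading that a
Session-Expires below session-minse is "disallowed by the system's
configuration" (the RFC 4028 422 case). All sample INVITEs are constructed.
"""
import re
from collections import Counter

# Compact header names (RFC 3261 "k", RFC 4028 "x"); Min-SE has no compact form.
_COMPACT = {"x": "session-expires", "k": "supported"}


def parse_headers(msg):
    """Return {lowercase header name: [values]} for a raw SIP message."""
    headers = {}
    for line in re.split(r"\r?\n", msg.strip())[1:]:   # skip the request line
        if not line.strip():
            break                                       # blank line ends headers
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name = _COMPACT.get(name.strip().lower(), name.strip().lower())
        headers.setdefault(name, []).append(value.strip())
    return headers


def _delta_seconds(value):
    """Delta-seconds of a Session-Expires / Min-SE value, or None if malformed."""
    token = value.split(";", 1)[0].strip()
    return int(token) if re.fullmatch(r"[0-9]+", token) else None


def classify_invite(msg, mode, session_minse=90):
    """Return why this INVITE matches a trigger condition for the given
    session-timers mode ("originate", "accept" or "refuse"), or None."""
    if not msg.lstrip().upper().startswith("INVITE "):
        return None
    h = parse_headers(msg)
    if mode == "refuse":
        offered = {t.strip().lower()
                   for v in h.get("supported", []) for t in v.split(",")}
        return "Supported: timer offered with session-timers=refuse" if "timer" in offered else None
    if mode not in ("originate", "accept"):
        return None
    for name in ("session-expires", "min-se"):
        for value in h.get(name, []):
            secs = _delta_seconds(value)
            if secs is None:
                return f"malformed {name}: {value!r}"
            if name == "session-expires" and secs < session_minse:
                return f"session-expires {secs} below session-minse {session_minse}"
    return None


def tally_triggers(invites, mode, **cfg):
    """Per-source count of trigger-matching INVITEs. Each one leaks a channel and
    file descriptors until restart, so the count is cumulative: a slow drip
    that never trips a rate threshold still shows up here."""
    counts = Counter()
    for src, msg in invites:
        if classify_invite(msg, mode, **cfg):
            counts[src] += 1
    return counts


def _invite(*extra):
    """Constructed sample INVITE (not captured traffic) with extra headers."""
    base = ["INVITE sip:100@pbx.example.test SIP/2.0",
            "Via: SIP/2.0/UDP 203.0.113.5:5060;branch=z9hG4bK776",
            "From: <sip:alice@pbx.example.test>;tag=1928",
            "To: <sip:100@pbx.example.test>",
            "Call-ID: a84b4c76e66710@203.0.113.5",
            "CSeq: 1 INVITE",
            "Content-Length: 0"]
    return "\r\n".join(base + list(extra)) + "\r\n\r\n"


SAMPLES = {
    "ok":        _invite("Supported: timer", "Session-Expires: 1800;refresher=uac"),
    "malformed": _invite("Supported: timer", "Session-Expires: abc"),
    "too_low":   _invite("Supported: timer", "x: 10"),       # compact Session-Expires
    "bad_minse": _invite("Supported: timer", "Min-SE: 90x"),
    "no_timer":  _invite("Supported: replaces"),
}

if __name__ == "__main__":
    for mode in ("accept", "refuse"):
        for label, msg in SAMPLES.items():
            print(f"{mode:8} {label:10} -> {classify_invite(msg, mode)}")
```

Feed it INVITEs taken from a capture or from chan_sip debug output, with the mode set to whatever session-timers is in your sip.conf. On the host itself, the symptom the advisory describes is the number of entries under /proc/<asterisk pid>/fd climbing after each such 4xx response and never coming back down; the version table above is the fix-level check.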
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://listas.asteriskbrasil.org/pipermail/asteriskbrasil/attachments/20140310/68fe61cc/attachment-0001.htm


More information about the AsteriskBrasil mailing list