<div dir="ltr"><br><br><div class="gmail_quote">---------- Forwarded message ----------<br>From: <b class="gmail_sendername">Asterisk Security Team</b> <span dir="ltr">&lt;<a href="mailto:security@asterisk.org">security@asterisk.org</a>&gt;</span><br>
Date: 2013/1/2<br>Subject: [asterisk-dev] AST-2012-015: Denial of Service Through Exploitation of Device State Caching<br>To: <a href="mailto:asterisk-dev@lists.digium.com">asterisk-dev@lists.digium.com</a><br><br><br>               Asterisk Project Security Advisory - AST-2012-015<br>

<br>
         Product        Asterisk<br>
         Summary        Denial of Service Through Exploitation of Device<br>
                        State Caching<br>
    Nature of Advisory  Denial of Service<br>
      Susceptibility    Remote Unauthenticated Sessions<br>
         Severity       Critical<br>
      Exploits Known    None<br>
       Reported On      26 July, 2012<br>
       Reported By      Russell Bryant<br>
        Posted On       2 January, 2013<br>
     Last Updated On    January 2, 2013<br>
     Advisory Contact   Matt Jordan &lt;mjordan AT digium DOT com&gt;<br>
         CVE Name       CVE-2012-5977<br>
<br>
    Description  Asterisk maintains an internal cache for devices. The<br>
                 device state cache holds the state of each device known to<br>
                 Asterisk, such that consumers of device state information<br>
                 can query for the last known state for a particular device,<br>
                 even if it is not part of an active call. The concept of a<br>
                 device in Asterisk can include things that do not have a<br>
                 physical representation. One way that this currently occurs<br>
                 is when anonymous calls are allowed in Asterisk. A device<br>
                 is automatically created and stored in the cache for each<br>
                 anonymous call that occurs; this is possible in the SIP and<br>
                 IAX2 channel drivers and through channel drivers that<br>
                 utilize the res_jabber/res_xmpp resource modules (Gtalk,<br>
                 Jingle, and Motif). Attackers exploiting this vulnerability<br>
                 can attack an Asterisk system configured to allow anonymous<br>
                 calls by varying the source of the anonymous call,<br>
                 continually adding devices to the device state cache and<br>
                 consuming a system&#39;s resources.<br>
<br>
    Resolution  Channels that are not associated with a physical device are<br>
                no longer stored in the device state cache. This affects<br>
                Local, DAHDI, SIP and IAX2 channels, and any channel drivers<br>
                built on the res_jabber/res_xmpp resource modules (Gtalk,<br>
                Jingle, and Motif).<br>
<br>
                               Affected Versions<br>
               Product               Release Series<br>
         Asterisk Open Source             1.8.x        All Versions<br>
         Asterisk Open Source             10.x         All Versions<br>
         Asterisk Open Source             11.x         All Versions<br>
          Certified Asterisk             1.8.11        All Versions<br>
        Asterisk Digiumphones       10.x-digiumphones  All Versions<br>
<br>
                                  Corrected In<br>
                 Product                              Release<br>
          Asterisk Open Source               1.8.19.1, 10.11.1, 11.1.1<br>
           Certified Asterisk                      1.8.11-cert10<br>
          Asterisk Digiumphones                10.11.1-digiumphones<br>
<br>
                                     Patches<br>
                                SVN URL                              Revision<br>
    <a href="http://downloads.asterisk.org/pub/security/AST-2012-015-1.8.diff" target="_blank">http://downloads.asterisk.org/pub/security/AST-2012-015-1.8.diff</a>   Asterisk 1.8<br>
    <a href="http://downloads.asterisk.org/pub/security/AST-2012-015-10.diff" target="_blank">http://downloads.asterisk.org/pub/security/AST-2012-015-10.diff</a>    Asterisk 10<br>
    <a href="http://downloads.asterisk.org/pub/security/AST-2012-015-11.diff" target="_blank">http://downloads.asterisk.org/pub/security/AST-2012-015-11.diff</a>    Asterisk 11<br>
<br>
       Links     <a href="https://issues.asterisk.org/jira/browse/ASTERISK-20175" target="_blank">https://issues.asterisk.org/jira/browse/ASTERISK-20175</a><br>
<br>
    Asterisk Project Security Advisories are posted at<br>
    <a href="http://www.asterisk.org/security" target="_blank">http://www.asterisk.org/security</a><br>
<br>
    This document may be superseded by later versions; if so, the latest<br>
    version will be posted at<br>
    <a href="http://downloads.digium.com/pub/security/AST-2012-015.pdf" target="_blank">http://downloads.digium.com/pub/security/AST-2012-015.pdf</a> and<br>
    <a href="http://downloads.digium.com/pub/security/AST-2012-015.html" target="_blank">http://downloads.digium.com/pub/security/AST-2012-015.html</a><br>
<br>
                                Revision History<br>
          Date                  Editor                 Revisions Made<br>
    19 November 2012   Matt Jordan               Initial Draft<br>
<br>
               Asterisk Project Security Advisory - AST-2012-015<br>
              Copyright (c) 2012 Digium, Inc. All Rights Reserved.<br>
  Permission is hereby granted to distribute and publish this advisory in its<br>
                           original, unaltered form.<br>
<br>
<br>
--<br>
_____________________________________________________________________<br>
-- Bandwidth and Colocation Provided by <a href="http://www.api-digital.com" target="_blank">http://www.api-digital.com</a> --<br>
<br>
asterisk-dev mailing list<br>
To UNSUBSCRIBE or update options visit:<br>
   <a href="http://lists.digium.com/mailman/listinfo/asterisk-dev" target="_blank">http://lists.digium.com/mailman/listinfo/asterisk-dev</a><br>
</div><br><br clear="all"><br>-- <br><span style="font-family:trebuchet ms,sans-serif">Sylvio Jollenbeck<br><font size="1"><a href="http://www.hosannatecnologia.com.br/" target="_blank">www.hosannatecnologia.com.br</a></font></span><br>
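The advisory above describes the cache mechanics in prose only. As an added illustration (this is not Asterisk code and not part of the forwarded advisory), the following Python model shows why varying the source of anonymous calls exhausts the device state cache, and what the AST-2012-015 resolution changes: devices with no physical representation are simply never entered into the cache. The device names (<code>SIP/anon-&lt;source&gt;</code>), the peer names and the 198.51.100.0/24 addresses are constructed for the example; the real cache is keyed and populated inside Asterisk&#39;s channel drivers and device state code, not by this class.<br>

```python
"""Added example (not Asterisk code): a model of the device state cache growth
described in AST-2012-015, and of the fix that stops caching channels which
have no physical device behind them.  Names and addresses are constructed."""

from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Device:
    name: str       # assumed naming, e.g. "SIP/office-phone" or "SIP/anon-198.51.100.7:5060"
    state: str      # e.g. "NOT_INUSE", "INUSE", "RINGING"
    physical: bool  # True for a configured peer, False for an ad-hoc anonymous channel


class DeviceStateCache:
    """Last-known-state store keyed by device name.

    cache_anonymous=True models the pre-fix behaviour (every device is cached).
    cache_anonymous=False models the AST-2012-015 resolution: a channel that is
    not associated with a physical device is never stored.
    """

    def __init__(self, cache_anonymous: bool) -> None:
        self.cache_anonymous = cache_anonymous
        self._entries: Dict[str, str] = {}

    def update(self, device: Device) -> bool:
        """Record the device's state; returns True if an entry was stored."""
        if not device.physical and not self.cache_anonymous:
            return False
        self._entries[device.name] = device.state
        return True

    def query(self, name: str) -> Optional[str]:
        """Last known state, available even when the device is not on a call."""
        return self._entries.get(name)

    def __len__(self) -> int:
        return len(self._entries)


def anonymous_sip_call(source: str) -> Device:
    """Constructed device for one anonymous (guest) SIP call from `source`."""
    return Device(name=f"SIP/anon-{source}", state="INUSE", physical=False)


def simulate_flood(cache: DeviceStateCache, calls: int) -> int:
    """Attacker varies the source of every anonymous call so that each one
    yields a new device name.  Returns the number of entries the flood added."""
    before = len(cache)
    for i in range(calls):
        # 198.51.100.0/24 is a documentation range; rotating the last octet and
        # a constructed source port makes every call present a distinct source.
        source = f"198.51.100.{i % 254 + 1}:{5060 + i // 254}"
        cache.update(anonymous_sip_call(source))
    return len(cache) - before


def demo(calls: int = 10_000) -> Dict[str, int]:
    """Cache size after `calls` anonymous calls, with and without the fix."""
    peers = [Device("SIP/office-phone", "NOT_INUSE", physical=True),
             Device("IAX2/branch-office", "NOT_INUSE", physical=True)]
    results: Dict[str, int] = {}
    for label, cache_anonymous in (("vulnerable", True), ("patched", False)):
        cache = DeviceStateCache(cache_anonymous=cache_anonymous)
        for peer in peers:
            cache.update(peer)
        simulate_flood(cache, calls)
        results[label] = len(cache)
    return results


if __name__ == "__main__":
    print(demo())  # {'vulnerable': 10002, 'patched': 2}
```

The vulnerable cache grows by one entry per distinct source with no upper bound, which is the resource consumption the advisory calls out; the patched cache stays at the number of configured peers while still answering queries for them. The same reasoning applies to the IAX2 and res_jabber/res_xmpp based channel drivers the advisory lists, since the cache is keyed by device name regardless of which driver created the device.<br>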
</div>