<div dir="ltr">One more security fix...<br><br><div class="gmail_quote">---------- Forwarded message ----------<br>From: <b class="gmail_sendername">Asterisk Security Team</b> <span dir="ltr">&lt;<a href="mailto:security@asterisk.org">security@asterisk.org</a>&gt;</span><br>
Date: 2014-03-10 18:06 GMT-03:00<br>Subject: [asterisk-dev] AST-2014-002: Denial of Service Through File Descriptor Exhaustion with chan_sip Session-Timers<br>To: <a href="mailto:asterisk-dev@lists.digium.com">asterisk-dev@lists.digium.com</a><br>
<br><br>               Asterisk Project Security Advisory - AST-2014-002<br>
<br>
         Product        Asterisk<br>
         Summary        Denial of Service Through File Descriptor Exhaustion<br>
                        with chan_sip Session-Timers<br>
    Nature of Advisory  Denial of Service<br>
      Susceptibility    Remote Authenticated or Anonymous Sessions<br>
         Severity       Moderate<br>
      Exploits Known    No<br>
       Reported On      2014/02/25<br>
       Reported By      Corey Farrell<br>
        Posted On       March 10, 2014<br>
     Last Updated On    March 10, 2014<br>
     Advisory Contact   Kinsey Moore &lt;kmoore AT digium DOT com&gt;<br>
         CVE Name       CVE-2014-2287<br>
<br>
    Description  An attacker can use all available file descriptors using<br>
                 SIP INVITE requests.<br>
<br>
                 Knowledge required to achieve the attack:<br>
<br>
                 * Valid account credentials or anonymous dial in<br>
<br>
                 * A valid extension that can be dialed from the SIP account<br>
<br>
                 Trigger conditions:<br>
<br>
                 * chan_sip configured with &quot;session-timers&quot; set to<br>
                 &quot;originate&quot; or &quot;accept&quot;<br>
<br>
                 ** The INVITE request must contain either a Session-Expires<br>
                 or a Min-SE header with malformed values or values<br>
                 disallowed by the system&#39;s configuration.<br>
<br>
                 * chan_sip configured with &quot;session-timers&quot; set to &quot;refuse&quot;<br>
<br>
                 ** The INVITE request must offer &quot;timer&quot; in the &quot;Supported&quot;<br>
                 header<br>
<br>
                 Asterisk will respond with code 400, 420, or 422 for<br>
                 INVITEs meeting these criteria. Each INVITE meeting these<br>
                 conditions will leak a channel and several file<br>
                 descriptors. The file descriptors cannot be released<br>
                 without restarting Asterisk, which may allow intrusion<br>
                 detection systems to be bypassed by sending the requests<br>
                 slowly.<br>
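The two trigger conditions above can be turned into a detection rule for captured SIP traffic (a pcap or a "sip set debug" log). The following is an added example written for this page, not Asterisk code or anything from the advisory: it parses a raw INVITE, and, given the configured session-timers mode, reports whether the request matches a leak trigger. The header names, the three modes and the conditions are taken from the advisory text; the accepted range MIN_SE..MAX_SE, the helper names (parse_request, leak_trigger, scan) and the sample messages are constructed for the example, and the compact header forms ("k", "x") are included per RFC 3261/4028 without the advisory saying whether chan_sip honours them.

```python
"""Flag SIP INVITEs that match the AST-2014-002 leak triggers.

Added example, not Asterisk code. The session-timers modes, the header
names and the two trigger conditions come from the advisory text; the
accepted range MIN_SE..MAX_SE and the sample messages are constructed.
Intended as a detection rule over captured SIP traffic, not as a
replacement for applying the patch.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed stand-ins for the configured session-timer bounds (assumption:
# a value outside this range is "disallowed by the system's configuration").
MIN_SE = 90
MAX_SE = 1800


def parse_request(msg: str) -> Tuple[str, Dict[str, List[str]]]:
    """Split a raw SIP request into (request line, lower-cased header map)."""
    head = re.split(r"\r?\n\r?\n", msg, maxsplit=1)[0]
    lines = re.split(r"\r?\n", head)
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue                      # tolerate junk lines rather than crash
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0].strip(), headers


def timer_value_bad(value: str) -> bool:
    """Session-Expires / Min-SE carry delta-seconds plus optional parameters."""
    delta = value.split(";", 1)[0].strip()
    if not re.fullmatch(r"\d+", delta):
        return True                       # malformed: not a plain integer
    return not MIN_SE <= int(delta) <= MAX_SE   # outside configured bounds


def offers_timer(headers: Dict[str, List[str]]) -> bool:
    """True if 'timer' appears in Supported (or its compact form 'k', RFC 3261)."""
    tokens: List[str] = []
    for value in headers.get("supported", []) + headers.get("k", []):
        tokens.extend(t.strip().lower() for t in value.split(","))
    return "timer" in tokens


def leak_trigger(msg: str, session_timers: str) -> Optional[str]:
    """Return why this INVITE matches a trigger for the given mode, else None."""
    request_line, headers = parse_request(msg)
    if not request_line.upper().startswith("INVITE "):
        return None
    mode = session_timers.strip().lower()
    if mode in ("originate", "accept"):
        # 'x' is the compact form of Session-Expires (RFC 4028); Min-SE has none.
        for name in ("session-expires", "x", "min-se"):
            for value in headers.get(name, []):
                if timer_value_bad(value):
                    return f"{name}: {value!r} would be rejected"
        return None
    if mode == "refuse":
        if offers_timer(headers):
            return "Supported: timer offered while session-timers=refuse"
        return None
    raise ValueError(f"unknown session-timers mode: {session_timers!r}")


def _invite(*extra: str) -> str:
    """Build a constructed INVITE (documentation addresses, not real traffic)."""
    base = [
        "INVITE sip:1000@pbx.example.invalid SIP/2.0",
        "Via: SIP/2.0/UDP 203.0.113.5:5060;branch=z9hG4bK-1",
        "From: <sip:alice@pbx.example.invalid>;tag=a1",
        "To: <sip:1000@pbx.example.invalid>",
        "Call-ID: c1@203.0.113.5",
        "CSeq: 1 INVITE",
    ]
    return "\r\n".join(base + list(extra)) + "\r\n\r\n"


# Constructed samples, one per case the advisory describes.
SAMPLES = {
    "well_formed": _invite("Supported: timer", "Session-Expires: 1800;refresher=uac"),
    "malformed":   _invite("Supported: timer", "Session-Expires: soon"),
    "too_small":   _invite("Min-SE: 5"),
    "no_timers":   _invite(),
}


def scan(samples: Dict[str, str], session_timers: str) -> Dict[str, str]:
    """Run every sample through leak_trigger; return only the flagged ones."""
    hits: Dict[str, str] = {}
    for label, msg in samples.items():
        reason = leak_trigger(msg, session_timers)
        if reason:
            hits[label] = reason
    return hits


if __name__ == "__main__":
    for mode in ("accept", "refuse"):
        print(mode, scan(SAMPLES, mode))
```

Note that the same well-formed INVITE is harmless under "accept" and a trigger under "refuse": the rule has to know the sip.conf setting of the box it is protecting, so feed it the actual configured mode rather than a guess.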
<br>
    Resolution  Upgrade to a version with the patch integrated or apply the<br>
                appropriate patch.<br>
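Until the patch is applied, the leak can still be noticed from the host side. The advisory's point that slow sending defeats per-request rate thresholds suggests watching the resource itself instead: leaked descriptors are never freed, so the idle floor of the process's open-descriptor count rises, while legitimate calls open and close descriptors and leave that floor flat. The following is an added example, not Asterisk code: a floor-drift detector over (time, open-descriptor-count) samples. open_fd_count reads /proc on Linux; the synth series, the assumed 4 descriptors per leaked INVITE ("several" in the advisory) and the alert threshold are constructed values.

```python
"""Floor-drift detector for a slow file-descriptor leak.

Added example, not Asterisk code. Compares the minimum open-descriptor
count in the most recent window against the minimum in the window before
it; a rising minimum means descriptors are being held that no call
explains, regardless of how slowly the triggering requests arrive.
"""
import os
from typing import List, Tuple

Sample = Tuple[int, int]   # (seconds since start, open descriptors)


def open_fd_count(pid: int) -> int:
    """Live reading on Linux: number of entries under /proc/<pid>/fd."""
    return len(os.listdir(f"/proc/{pid}/fd"))


def floor_drift(samples: List[Sample], half_window: int) -> Tuple[int, int]:
    """Return (earlier floor, recent floor) over two adjacent windows."""
    t_end = samples[-1][0]
    recent = [fds for t, fds in samples if t > t_end - half_window]
    earlier = [fds for t, fds in samples
               if t_end - 2 * half_window < t <= t_end - half_window]
    if not recent or not earlier:
        raise ValueError("not enough samples to fill two windows")
    return min(earlier), min(recent)


def leak_suspected(samples: List[Sample], half_window: int = 3600,
                   threshold: int = 16) -> bool:
    """Alert when the idle floor rose by at least `threshold` descriptors.

    threshold=16 is a constructed choice: four leaked INVITEs at the assumed
    four descriptors each. Tune it to the host's measured noise.
    """
    earlier_floor, recent_floor = floor_drift(samples, half_window)
    return recent_floor - earlier_floor >= threshold


def synth(duration: int, step: int, leaks_per_hour: int,
          fds_per_leak: int = 4, base: int = 40, per_call: int = 3) -> List[Sample]:
    """Constructed sample series (not real measurements).

    Call load comes and goes, so descriptor counts bounce; leaked
    descriptors accumulate and never return.
    """
    out: List[Sample] = []
    leaked = 0
    for i, t in enumerate(range(0, duration + 1, step)):
        active_calls = [0, 2, 5, 3, 1, 4][i % 6]
        if leaks_per_hour and t > 0 and t % (3600 // leaks_per_hour) == 0:
            leaked += fds_per_leak
        out.append((t, base + per_call * active_calls + leaked))
    return out


HEALTHY = synth(7200, 300, leaks_per_hour=0)
SLOW_DRIP = synth(7200, 300, leaks_per_hour=12)   # one bad INVITE per 5 minutes


if __name__ == "__main__":
    for name, series in (("healthy", HEALTHY), ("slow drip", SLOW_DRIP)):
        print(name, floor_drift(series, 3600), leak_suspected(series))
```

A request-rate rule sees one INVITE every five minutes as nothing; the floor detector sees a minimum that never comes back down. Pair it with the process's descriptor limit (ulimit -n for the asterisk user) to know how long the margin lasts.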
<br>
                               Affected Versions<br>
                 Product               Release Series<br>
          Asterisk Open Source             1.8.x       All<br>
          Asterisk Open Source              11.x       All<br>
          Asterisk Open Source              12.x       All<br>
           Certified Asterisk              1.8.15      All<br>
           Certified Asterisk               11.6       All<br>
<br>
                                  Corrected In<br>
                     Product                              Release<br>
            Asterisk Open Source 1.8.x                    1.8.26.1<br>
            Asterisk Open Source 11.x                      11.8.1<br>
            Asterisk Open Source 12.x                      12.1.1<br>
            Certified Asterisk 1.8.15                   1.8.15-cert5<br>
             Certified Asterisk 11.6                     11.6-cert2<br>
<br>
                                      Patches<br>
                                 SVN URL                               Revision<br>
   <a href="http://downloads.asterisk.org/pub/security/AST-2014-002-1.8.diff" target="_blank">http://downloads.asterisk.org/pub/security/AST-2014-002-1.8.diff</a>    Asterisk 1.8<br>
   <a href="http://downloads.asterisk.org/pub/security/AST-2014-002-11.diff" target="_blank">http://downloads.asterisk.org/pub/security/AST-2014-002-11.diff</a>     Asterisk 11<br>
   <a href="http://downloads.asterisk.org/pub/security/AST-2014-002-12.diff" target="_blank">http://downloads.asterisk.org/pub/security/AST-2014-002-12.diff</a>     Asterisk 12<br>
   <a href="http://downloads.asterisk.org/pub/security/AST-2014-002-11.6.diff" target="_blank">http://downloads.asterisk.org/pub/security/AST-2014-002-11.6.diff</a>   Asterisk 11.6 Certified<br>
   <a href="http://downloads.asterisk.org/pub/security/AST-2014-002-1.8.15.diff" target="_blank">http://downloads.asterisk.org/pub/security/AST-2014-002-1.8.15.diff</a> Asterisk 1.8.15 Certified<br>
<br>
       Links     <a href="https://issues.asterisk.org/jira/browse/ASTERISK-23373" target="_blank">https://issues.asterisk.org/jira/browse/ASTERISK-23373</a><br>
<br>
    Asterisk Project Security Advisories are posted at<br>
    <a href="http://www.asterisk.org/security" target="_blank">http://www.asterisk.org/security</a><br>
<br>
    This document may be superseded by later versions; if so, the latest<br>
    version will be posted at<br>
    <a href="http://downloads.digium.com/pub/security/AST-2014-002.pdf" target="_blank">http://downloads.digium.com/pub/security/AST-2014-002.pdf</a> and<br>
    <a href="http://downloads.digium.com/pub/security/AST-2014-002.html" target="_blank">http://downloads.digium.com/pub/security/AST-2014-002.html</a><br>
<br>
                                Revision History<br>
        Date           Editor                    Revisions Made<br>
    2014/03/04     Kinsey Moore     Document Creation<br>
    2014/03/06     Kinsey Moore     Corrections and Wording Clarification<br>
    2014/03/10     Kinsey Moore     Added missing patch links<br>
<br>
              Copyright (c) 2014 Digium, Inc. All Rights Reserved.<br>
  Permission is hereby granted to distribute and publish this advisory in its<br>
                           original, unaltered form.<br>
<span class="HOEnZb"><font color="#888888"><br>
<br>
</font></span></div><br><br clear="all"><div><br></div>-- <br><span style="font-family:trebuchet ms,sans-serif">Sylvio Jollenbeck<br><font size="1"><a href="http://www.hosannatecnologia.com.br/" target="_blank">www.hosannatecnologia.com.br</a></font></span><br>
</div>