First Last Prev Next    This bug is not in your last search results.
Bug 40975 - asterisk: Multiple issues (4.1)
asterisk: Multiple issues (4.1)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.1
Other Linux
: P3 normal (vote)
: UCS 4.1-4-errata
Assigned To: Arvid Requate
Felix Botner
:
Depends on: 45365
Blocks:
  Show dependency treegraph
 
Reported: 2016-04-04 12:44 CEST by Arvid Requate
Modified: 2017-11-08 16:06 CET (History)
0 users

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Security
Max CVSS v3 score: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
requate: Patch_Available+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Arvid Requate univentionstaff 2016-04-04 12:44:20 CEST 
* Mitigation for libcURL HTTP request injection vulnerability (AST-2015-002)
  (related to CVE-2014-8150)
Comment 1 Arvid Requate univentionstaff 2016-05-04 19:56:51 CEST 
Upstream Debian package version 1:1.8.13.1~dfsg1-3+deb7u4 fixes the following issues:

* Stack Overflow in HTTP Processing of Cookie Headers (CVE-2014-2286)
* Asterisk Manager User Unauthorized Shell Access (CVE-2014-4046)
* Remote crash when handling out of call message in certain dialplan configurations (CVE-2014-6610)
* Mixed IP address families in access control lists may permit unwanted traffic (CVE-2014-8412)
* AMI permission escalation through DB dialplan function (CVE-2014-8418)
* when registering a SIP TLS device, asterisk does not properly handle a null byte in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority (CVE-2015-3008)
Comment 2 Arvid Requate univentionstaff 2017-01-21 18:32:57 CET 
Upstream Debian package version 1:1.8.13.1~dfsg1-3+deb7u5 fixes these additional issues:

* channels/chan_sip.c in Asterisk when chan_sip has a certain configuration, allows remote authenticated users to cause a denial of service (channel and file descriptor consumption) via an INVITE request with a (1) Session-Expires or (2) Min-SE header with a malformed or invalid value (CVE-2014-2287)

* The overlap dialing feature in chan_sip allows chan_sip to report to a device that the number that has been dialed is incomplete and more digits are required. If this functionality is used with a device that has performed username/password authentication RTP resources are leaked. This occurs because the code fails to release the old RTP resources before allocating new ones in this scenario. If all resources are used then RTP port exhaustion will occur and no RTP sessions are able to be set up (CVE-2016-7551)
Comment 3 Arvid Requate univentionstaff 2017-01-30 20:19:55 CET 
1:1.8.13.1~dfsg1-3+deb7u6 fixes a regression in +deb7u5
Comment 4 Arvid Requate univentionstaff 2017-10-30 18:39:49 CET 
1:1.8.13.1~dfsg1-3+deb7u7 fixes:

* Unauthorized command execution is possible. The app_minivm module has an "externnotify" program configuration option that is executed by the MinivmNotify dialplan application. The application uses the caller-id name and number as part of a built string passed to the OS shell for interpretation and execution. Since the caller-id name and number can come from an untrusted source, a crafted caller-id name or number allows an arbitrary shell command injection (CVE-2017-14100)
Comment 5 Arvid Requate univentionstaff 2017-10-30 18:55:27 CET 
UCS 4.1 shipped version 1:11.13.1~dfsg-2~bpo70+1 of asterisk. So we gotta track the jessie (deb8) updates and possibly backport patches:



Upstream Debian package version 1:11.13.1~dfsg-2+deb8u1 fixes:

  * AST-2016-007: Fix RTP Resource Exhaustion (CVE-2016-7551) (Closes: #838832)
  * AST-2015-003: Fix TLS Certificate Common name NULL byte exploit (CVE-2015-3008)
    (Closes: #782411)
  * AST-2016-003: Fix crash in UDPTL (CVE-2016-2232)
  * AST-2016-002: File descriptor exhaustion in chan_sip (CVE-2016-2316)
  * AST-2016-001: BEAST vulnerability in HTTP server (CVE-2011-3389)

Upstream Debian package version 1:11.13.1~dfsg-2+deb8u2 fixes:

  * AST-2016-009: non-printable ASCII chars treated as whitespace (CVE-2016-9938)
    (Closes: #847668)

Upstream Debian package version 1:11.13.1~dfsg-2+deb8u3 fixes:

* In res/res_rtp_asterisk.c unauthorized data disclosure (media takeover in the RTP stack) is possible with careful timing by an attacker. The "strictrtp" option in rtp.conf enables a feature of the RTP stack that learns the source address of media for a session and drops any packets that do not originate from the expected address. This option is enabled by default in Asterisk 11 and above. The "nat" and "rtp_symmetric" options (for chan_sip and chan_pjsip, respectively) enable symmetric RTP support in the RTP stack. This uses the source address of incoming media as the target address of any sent media. This option is not enabled by default, but is commonly enabled to handle devices behind NAT. A change was made to the strict RTP support in the RTP stack to better tolerate late media when a reinvite occurs. When combined with the symmetric RTP support, this introduced an avenue where media could be hijacked. Instead of only learning a new address when expected, the new code allowed a new source address to be learned at all times. If a flood of RTP traffic was received, the strict RTP support would allow the new address to provide media, and (with symmetric RTP enabled) outgoing traffic would be sent to this new address, allowing the media to be hijacked. Provided the attacker continued to send traffic, they would continue to receive traffic as well. (CVE-2017-14099)

* unauthorized command execution is possible. The app_minivm module has an "externnotify" program configuration option that is executed by the MinivmNotify dialplan application. The application uses the caller-id name and number as part of a built string passed to the OS shell for interpretation and execution. Since the caller-id name and number can come from an untrusted source, a crafted caller-id name or number allows an arbitrary shell command injection. (CVE-2017-14100)


Upstream Debian package version 1:11.13.1~dfsg-2+deb8u4 fixes:

* insufficient RTCP packet validation could allow reading stale buffer contents and when combined with the "nat" and "symmetric_rtp" options allow redirecting where Asterisk sends the next RTCP report (CVE-2017-14603)
Comment 6 Arvid Requate univentionstaff 2017-11-01 15:21:56 CET 
I've cherrypicked the package from UCS 4.1-0 to errata4.1-4 and extracted the new debian/patches from 1:11.13.1~dfsg-2+deb8u4 to svn/patches. Package rebuilt was successfull.

Advisory: asterisk.yaml
Comment 7 Felix Botner univentionstaff 2017-11-01 17:02:00 CET 
OK - patches
OK - asterisk installation
OK - YAML

hint: unmaintained is required for the asterisk installation (already before this update)
Comment 8 Arvid Requate univentionstaff 2017-11-08 15:11:20 CET 
This warning came when publishing the Errata:

E: These old packages need to be updated in the appcenter:
asterisk4ucs_20150310: asterisk-config 1:1.8.13.1~dfsg1-3.14.201403131157
asterisk4ucs_20150310: asterisk-voicemail 1:1.8.13.1~dfsg1-3.14.201403131157
asterisk4ucs_20150310: asterisk-modules 1:1.8.13.1~dfsg1-3.14.201403131157
asterisk4ucs_20150310: asterisk 1:1.8.13.1~dfsg1-3.14.201403131157

I guess that's ok.
Comment 9 Arvid Requate univentionstaff 2017-11-08 16:06:43 CET 
<http://errata.software-univention.de/ucs/4.1/480.html>
First Last Prev Next    This bug is not in your last search results.