Univention Bugzilla – Bug 40975
asterisk: Multiple issues (4.1)
Last modified: 2017-11-08 16:06:43 CET
* Mitigation for libcURL HTTP request injection vulnerability (AST-2015-002) (related to CVE-2014-8150)
Upstream Debian package version 1:1.8.13.1~dfsg1-3+deb7u4 fixes the following issues: * Stack Overflow in HTTP Processing of Cookie Headers (CVE-2014-2286) * Asterisk Manager User Unauthorized Shell Access (CVE-2014-4046) * Remote crash when handling out of call message in certain dialplan configurations (CVE-2014-6610) * Mixed IP address families in access control lists may permit unwanted traffic (CVE-2014-8412) * AMI permission escalation through DB dialplan function (CVE-2014-8418) * when registering a SIP TLS device, asterisk does not properly handle a null byte in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority (CVE-2015-3008)
Upstream Debian package version 1:1.8.13.1~dfsg1-3+deb7u5 fixes these additional issues: * channels/chan_sip.c in Asterisk when chan_sip has a certain configuration, allows remote authenticated users to cause a denial of service (channel and file descriptor consumption) via an INVITE request with a (1) Session-Expires or (2) Min-SE header with a malformed or invalid value (CVE-2014-2287) * The overlap dialing feature in chan_sip allows chan_sip to report to a device that the number that has been dialed is incomplete and more digits are required. If this functionality is used with a device that has performed username/password authentication RTP resources are leaked. This occurs because the code fails to release the old RTP resources before allocating new ones in this scenario. If all resources are used then RTP port exhaustion will occur and no RTP sessions are able to be set up (CVE-2016-7551)
1:1.8.13.1~dfsg1-3+deb7u6 fixes a regression in +deb7u5
1:1.8.13.1~dfsg1-3+deb7u7 fixes: * Unauthorized command execution is possible. The app_minivm module has an "externnotify" program configuration option that is executed by the MinivmNotify dialplan application. The application uses the caller-id name and number as part of a built string passed to the OS shell for interpretation and execution. Since the caller-id name and number can come from an untrusted source, a crafted caller-id name or number allows an arbitrary shell command injection (CVE-2017-14100)
UCS 4.1 shipped version 1:11.13.1~dfsg-2~bpo70+1 of asterisk. So we gotta track the jessie (deb8) updates and possibly backport patches: Upstream Debian package version 1:11.13.1~dfsg-2+deb8u1 fixes: * AST-2016-007: Fix RTP Resource Exhaustion (CVE-2016-7551) (Closes: #838832) * AST-2015-003: Fix TLS Certificate Common name NULL byte exploit (CVE-2015-3008) (Closes: #782411) * AST-2016-003: Fix crash in UDPTL (CVE-2016-2232) * AST-2016-002: File descriptor exhaustion in chan_sip (CVE-2016-2316) * AST-2016-001: BEAST vulnerability in HTTP server (CVE-2011-3389) Upstream Debian package version 1:11.13.1~dfsg-2+deb8u2 fixes: * AST-2016-009: non-printable ASCII chars treated as whitespace (CVE-2016-9938) (Closes: #847668) Upstream Debian package version 1:11.13.1~dfsg-2+deb8u3 fixes: * In res/res_rtp_asterisk.c unauthorized data disclosure (media takeover in the RTP stack) is possible with careful timing by an attacker. The "strictrtp" option in rtp.conf enables a feature of the RTP stack that learns the source address of media for a session and drops any packets that do not originate from the expected address. This option is enabled by default in Asterisk 11 and above. The "nat" and "rtp_symmetric" options (for chan_sip and chan_pjsip, respectively) enable symmetric RTP support in the RTP stack. This uses the source address of incoming media as the target address of any sent media. This option is not enabled by default, but is commonly enabled to handle devices behind NAT. A change was made to the strict RTP support in the RTP stack to better tolerate late media when a reinvite occurs. When combined with the symmetric RTP support, this introduced an avenue where media could be hijacked. Instead of only learning a new address when expected, the new code allowed a new source address to be learned at all times. If a flood of RTP traffic was received, the strict RTP support would allow the new address to provide media, and (with symmetric RTP enabled) outgoing traffic would be sent to this new address, allowing the media to be hijacked. Provided the attacker continued to send traffic, they would continue to receive traffic as well. (CVE-2017-14099) * unauthorized command execution is possible. The app_minivm module has an "externnotify" program configuration option that is executed by the MinivmNotify dialplan application. The application uses the caller-id name and number as part of a built string passed to the OS shell for interpretation and execution. Since the caller-id name and number can come from an untrusted source, a crafted caller-id name or number allows an arbitrary shell command injection. (CVE-2017-14100) Upstream Debian package version 1:11.13.1~dfsg-2+deb8u4 fixes: * insufficient RTCP packet validation could allow reading stale buffer contents and when combined with the "nat" and "symmetric_rtp" options allow redirecting where Asterisk sends the next RTCP report (CVE-2017-14603)
I've cherrypicked the package from UCS 4.1-0 to errata4.1-4 and extracted the new debian/patches from 1:11.13.1~dfsg-2+deb8u4 to svn/patches. Package rebuilt was successfull. Advisory: asterisk.yaml
OK - patches OK - asterisk installation OK - YAML hint: unmaintained is required for the asterisk installation (already before this update)
This warning came when publishing the Errata: E: These old packages need to be updated in the appcenter: asterisk4ucs_20150310: asterisk-config 1:1.8.13.1~dfsg1-3.14.201403131157 asterisk4ucs_20150310: asterisk-voicemail 1:1.8.13.1~dfsg1-3.14.201403131157 asterisk4ucs_20150310: asterisk-modules 1:1.8.13.1~dfsg1-3.14.201403131157 asterisk4ucs_20150310: asterisk 1:1.8.13.1~dfsg1-3.14.201403131157 I guess that's ok.
<http://errata.software-univention.de/ucs/4.1/480.html>