AST-2012-010: Possible resource leak on uncompleted re-invite transactions

Published Jul 11, 2012 (mirrored by vulners.com)

           Asterisk Project Security Advisory - AST-2012-010

     Product        Asterisk                                              
     Summary        Possible resource leak on uncompleted re-invite       
                    transactions                                          
Nature of Advisory  Denial of Service                                     
  Susceptibility    Remote authenticated sessions                         
     Severity       Minor                                                 
  Exploits Known    No                                                    
   Reported On      June 13, 2012                                         
   Reported By      Steve Davies                                          
    Posted On       July 5, 2012                                          
 Last Updated On    July 5, 2012                                          
 Advisory Contact   Terry Wilson <[email protected]>                     
     CVE Name       TBD                                                   

Description  If Asterisk sends a re-invite and an endpoint responds to    
             the re-invite with a provisional response but never sends a  
             final response, then the SIP dialog structure is never       
             freed and the RTP ports for the call are never released. If  
             an attacker has the ability to place a call, they could      
             create a denial of service by using all available RTP        
             ports.                                                       

Resolution  A re-invite that receives a provisional response without a    
            final response is detected and properly cleaned up at         
            hangup.                                                       
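As an added illustration, not code from the advisory or from Asterisk, the following Python model contrasts the pre-fix hangup, which leaves a dialog alive while a re-invite transaction still waits for a final response, with the corrected behaviour that detects and terminates such a transaction at hangup. The Dialog and Transaction classes, the hangup_* functions and the four-port RTP pool are assumptions made for the model.

```python
# Model of the AST-2012-010 leak and its fix. Constructed example, not Asterisk
# code: Dialog, Transaction, the hangup_* functions and the port pool are assumptions.
from dataclasses import dataclass, field

@dataclass
class Transaction:                  # client transaction for a re-INVITE Asterisk sent
    provisional_seen: bool = False  # a 1xx arrived
    final_seen: bool = False        # a 2xx-6xx arrived, transaction complete

@dataclass
class Dialog:                       # SIP dialog holding one RTP port from the pool
    rtp_port: int
    transactions: list = field(default_factory=list)

    def send_reinvite(self) -> Transaction:
        tx = Transaction()
        self.transactions.append(tx)
        return tx
    def uncompleted(self) -> list:  # re-INVITEs still waiting for a final response
        return [t for t in self.transactions if not t.final_seen]

def respond(tx: Transaction, status: int) -> None:
    if 100 <= status < 200:         # provisional: transaction stays open
        tx.provisional_seen = True
    elif 200 <= status < 700:       # final: transaction completes
        tx.final_seen = True

def hangup_vulnerable(dialog: Dialog, free_ports: set) -> bool:
    # Pre-fix: destroy only once every transaction has a final response (port leaks).
    if dialog.uncompleted():
        return False
    free_ports.add(dialog.rtp_port)
    return True

def hangup_fixed(dialog: Dialog, free_ports: set) -> bool:
    # Post-fix: terminate any re-INVITE still lacking a final response, then free.
    for tx in dialog.uncompleted():
        tx.final_seen = True
    free_ports.add(dialog.rtp_port)
    return True

def simulate(hangup, calls: int, pool_size: int = 4) -> int:
    # Each call answers its re-INVITE with 183 only, then hangs up; returns free ports.
    free_ports = set(range(10000, 10000 + pool_size))
    while calls and free_ports:
        calls -= 1
        dialog = Dialog(free_ports.pop())
        respond(dialog.send_reinvite(), 183)
        hangup(dialog, free_ports)
    return len(free_ports)
```

With the pre-fix hangup the pool is exhausted after four such calls (simulate returns 0); with the fix every port is returned (simulate returns 4).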

                           Affected Versions
            Product                Release Series     
     Asterisk Open Source               1.8.x         All versions        
     Asterisk Open Source               10.x          All versions        
   Asterisk Business Edition            C.3.x         All versions        
      Certified Asterisk            1.8.11-certx      All versions        
     Asterisk Digiumphones       10.x.x-digiumphones  All versions        

                              Corrected In
               Product                              Release               
         Asterisk Open Source                   1.8.13.1, 10.5.2          
      Asterisk Business Edition                     C.3.7.5               
          Certified Asterisk                      1.8.11-cert4            
        Asterisk Digiumphones                 10.5.2-digiumphones         

                                Patches
                              URL                                    Revision
 http://downloads.asterisk.org/pub/security/AST-2012-010-1.8.diff   Asterisk 1.8
 http://downloads.asterisk.org/pub/security/AST-2012-010-10.diff    Asterisk 10

   Links     https://issues.asterisk.org/jira/browse/ASTERISK-19992       

Asterisk Project Security Advisories are posted at                        
http://www.asterisk.org/security                                          
                                                                          
This document may be superseded by later versions; if so, the latest      
version will be posted at                                                 
http://downloads.digium.com/pub/security/AST-2012-010.pdf and             
http://downloads.digium.com/pub/security/AST-2012-010.html                

                            Revision History
      Date                  Editor                 Revisions Made         
06/27/2012         Terry Wilson              Initial Release              

           Asterisk Project Security Advisory - AST-2012-010
          Copyright (c) 2012 Digium, Inc. All Rights Reserved.

Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.