Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:31680
HistoryFeb 02, 2015 - 12:00 a.m.

AST-2015-001: File descriptor leak when incompatible codecs are offered

2015-02-0200:00:00
vulners.com
14
JSON
           Asterisk Project Security Advisory - AST-2015-001

     Product        Asterisk                                              
     Summary        File descriptor leak when incompatible codecs are     
                    offered                                               
Nature of Advisory  Resource exhaustion                                   
  Susceptibility    Remote Authenticated Sessions                         
     Severity       Major                                                 
  Exploits Known    No                                                    
   Reported On      6 January, 2015                                       
   Reported By      Y Ateya                                               
    Posted On       9 January, 2015                                       
 Last Updated On    January 28, 2015                                      
 Advisory Contact   Mark Michelson <mmichelson AT digium DOT com>         
     CVE Name       Pending                                               

Description  Asterisk may be configured to only allow specific audio or   
             video codecs to be used when communicating with a            
             particular endpoint. When an endpoint sends an SDP offer     
             that only lists codecs not allowed by Asterisk, the offer    
             is rejected. However, in this case, RTP ports that are       
             allocated in the process are not reclaimed.                  
                                                                          
             This issue only affects the PJSIP channel driver in          
             Asterisk. Users of the chan_sip channel driver are not       
             affected.                                                    
                                                                          
             As the resources are allocated after authentication, this    
             issue only affects communications with authenticated         
             endpoints.                                                   

Resolution  The reported leak has been patched.                           

                           Affected Versions       
                     Product                       Release  
                                                   Series   
              Asterisk Open Source                  1.8.x   Unaffected    
              Asterisk Open Source                  11.x    Unaffected    
              Asterisk Open Source                  12.x    All versions  
              Asterisk Open Source                  13.x    All versions  
               Certified Asterisk                  1.8.28   Unaffected    
               Certified Asterisk                   11.6    Unaffected    

                              Corrected In                
                        Product                              Release      
                  Asterisk Open Source                    12.8.1, 13.1.1  

                                Patches                          
                            SVN URL                              Revision

http://downloads.asterisk.org/pub/security/AST-2015-001-12.diff Asterisk
12
http://downloads.asterisk.org/pub/security/AST-2015-001-13.diff Asterisk
13

Links  https://issues.asterisk.org/jira/browse/ASTERISK-24666             

Asterisk Project Security Advisories are posted at                        
http://www.asterisk.org/security                                          
                                                                          
This document may be superseded by later versions; if so, the latest      
version will be posted at                                                 
http://downloads.digium.com/pub/security/AST-2015-001.pdf and             
http://downloads.digium.com/pub/security/AST-2015-001.html                

                            Revision History
     Date            Editor                  Revisions Made               
9 January, 2015  Mark Michelson  Initial creation                         

           Asterisk Project Security Advisory - AST-2015-001
          Copyright (c) 2015 Digium, Inc. All Rights Reserved.

Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.

JSON