The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5358 advisory.
PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. Buffer overread is possible when parsing a specially crafted STUN message with unknown attribute. The vulnerability affects applications that use STUN including PJNATH and PJSUA-LIB. The patch is available as a commit in the master branch (2.13.1). (CVE-2022-23537)
PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. This issue is similar to GHSA-9pfh-r8x4-w26w. Possible buffer overread when parsing a certain STUN message. The vulnerability affects applications that use STUN including PJNATH and PJSUA-LIB. The patch is available as commit in the master branch. (CVE-2022-23547)
PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In versions prior to and including 2.12.1 a stack buffer overflow vulnerability affects PJSIP users that use STUN in their applications, either by: setting a STUN server in their account/media config in PJSUA/PJSUA2 level, or directly using pjlib-util/stun_simple API. A patch is available in commit 450baca which should be included in the next release. There are no known workarounds for this issue. (CVE-2022-31031)
In Sangoma Asterisk through 16.28.0, 17.x and 18.x through 18.14.0, and 19.x through 19.6.0, an incoming Setup message to addons/ooh323c/src/ooq931.c with a malformed Calling or Called Party IE can cause a crash. (CVE-2022-37325)
PJSIP is a free and open source multimedia communication library written in C. In versions of PJSIP prior to 2.13 the PJSIP parser, PJMEDIA RTP decoder, and PJMEDIA SDP parser are affected by a buffer overflow vulnerability. Users connecting to untrusted clients are at risk. This issue has been patched and is available as commit c4d3498 in the master branch and will be included in releases 2.13 and later. Users are advised to upgrade. There are no known workarounds for this issue. (CVE-2022-39244)
PJSIP is a free and open source multimedia communication library written in C. When processing certain packets, PJSIP may incorrectly switch from using SRTP media transport to using basic RTP upon SRTP restart, causing the media to be sent insecurely. The vulnerability impacts all PJSIP users that use SRTP. The patch is available as commit d2acb9a in the master branch of the project and will be included in version 2.13. Users are advised to manually patch or to upgrade. There are no known workarounds for this vulnerability. (CVE-2022-39269)
A use-after-free in res_pjsip_pubsub.c in Sangoma Asterisk 16.28, 18.14, 19.6, and certified/18.9-cert2 may allow a remote authenticated attacker to crash Asterisk (denial of service) by performing activity on a subscription via a reliable transport at the same time that Asterisk is also performing activity on that subscription. (CVE-2022-42705)
An issue was discovered in Sangoma Asterisk through 16.28, 17 and 18 through 18.14, 19 through 19.6, and certified through 18.9-cert1. GetConfig, via Asterisk Manager Interface, allows a connected application to access files outside of the asterisk configuration directory, aka Directory Traversal. (CVE-2022-42706)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
#
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory dsa-5358. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#
include('compat.inc');
if (description)
{
  script_id(171882);
  script_version("1.0");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/02/24");
  script_cve_id(
    "CVE-2022-23537",
    "CVE-2022-23547",
    "CVE-2022-31031",
    "CVE-2022-37325",
    "CVE-2022-39244",
    "CVE-2022-39269",
    "CVE-2022-42705",
    "CVE-2022-42706"
  );
  script_name(english:"Debian DSA-5358-1 : asterisk - security update");
  script_set_attribute(attribute:"synopsis", value:
"The remote Debian host is missing one or more security-related updates.");
  script_set_attribute(attribute:"description", value:
"The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the
dsa-5358 advisory.
- PJSIP is a free and open source multimedia communication library written in C language implementing
standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. Buffer overread is possible when
parsing a specially crafted STUN message with unknown attribute. The vulnerability affects applications
that uses STUN including PJNATH and PJSUA-LIB. The patch is available as a commit in the master branch
(2.13.1). (CVE-2022-23537)
- PJSIP is a free and open source multimedia communication library written in C language implementing
standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. This issue is similar to
GHSA-9pfh-r8x4-w26w. Possible buffer overread when parsing a certain STUN message. The vulnerability
affects applications that uses STUN including PJNATH and PJSUA-LIB. The patch is available as commit in
the master branch. (CVE-2022-23547)
- PJSIP is a free and open source multimedia communication library written in C language implementing
standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In versions prior to and including
2.12.1 a stack buffer overflow vulnerability affects PJSIP users that use STUN in their applications,
either by: setting a STUN server in their account/media config in PJSUA/PJSUA2 level, or directly using
`pjlib-util/stun_simple` API. A patch is available in commit 450baca which should be included in the next
release. There are no known workarounds for this issue. (CVE-2022-31031)
- In Sangoma Asterisk through 16.28.0, 17.x and 18.x through 18.14.0, and 19.x through 19.6.0, an incoming
Setup message to addons/ooh323c/src/ooq931.c with a malformed Calling or Called Party IE can cause a
crash. (CVE-2022-37325)
- PJSIP is a free and open source multimedia communication library written in C. In versions of PJSIP prior
to 2.13 the PJSIP parser, PJMEDIA RTP decoder, and PJMEDIA SDP parser are affeced by a buffer overflow
vulnerability. Users connecting to untrusted clients are at risk. This issue has been patched and is
available as commit c4d3498 in the master branch and will be included in releases 2.13 and later. Users
are advised to upgrade. There are no known workarounds for this issue. (CVE-2022-39244)
- PJSIP is a free and open source multimedia communication library written in C. When processing certain
packets, PJSIP may incorrectly switch from using SRTP media transport to using basic RTP upon SRTP
restart, causing the media to be sent insecurely. The vulnerability impacts all PJSIP users that use SRTP.
The patch is available as commit d2acb9a in the master branch of the project and will be included in
version 2.13. Users are advised to manually patch or to upgrade. There are no known workarounds for this
vulnerability. (CVE-2022-39269)
- A use-after-free in res_pjsip_pubsub.c in Sangoma Asterisk 16.28, 18.14, 19.6, and certified/18.9-cert2
may allow a remote authenticated attacker to crash Asterisk (denial of service) by performing activity on
a subscription via a reliable transport at the same time that Asterisk is also performing activity on that
subscription. (CVE-2022-42705)
- An issue was discovered in Sangoma Asterisk through 16.28, 17 and 18 through 18.14, 19 through 19.6, and
certified through 18.9-cert1. GetConfig, via Asterisk Manager Interface, allows a connected application to
access files outside of the asterisk configuration directory, aka Directory Traversal. (CVE-2022-42706)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/source-package/asterisk");
  script_set_attribute(attribute:"see_also", value:"https://www.debian.org/security/2023/dsa-5358");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-23537");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-23547");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-31031");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-37325");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-39244");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-39269");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-42705");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-42706");
  script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/bullseye/asterisk");
  script_set_attribute(attribute:"solution", value:
"Upgrade the asterisk packages.
For the stable distribution (bullseye), these problems have been fixed in version 1");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-31031");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2022-39244");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"vuln_publication_date", value:"2022/06/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/02/23");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/02/24");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:asterisk");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:asterisk-config");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:asterisk-dahdi");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:asterisk-dev");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:asterisk-doc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:asterisk-mobile");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:asterisk-modules");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:asterisk-mp3");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:asterisk-mysql");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:asterisk-ooh323");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:asterisk-tests");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:asterisk-voicemail");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:asterisk-voicemail-imapstorage");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:asterisk-voicemail-odbcstorage");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:asterisk-vpb");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:11.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();
  script_category(ACT_GATHER_INFO);
  script_family(english:"Debian Local Security Checks");
  script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
  exit(0);
}
include('debian_package.inc');
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
var debian_release = get_kb_item('Host/Debian/release');
if ( isnull(debian_release) ) audit(AUDIT_OS_NOT, 'Debian');
debian_release = chomp(debian_release);
if (! preg(pattern:"^(11)\.[0-9]+", string:debian_release)) audit(AUDIT_OS_NOT, 'Debian 11.0', 'Debian ' + debian_release);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Debian', cpu);
# Binary packages built from the asterisk source package, each with the
# reference version that deb_check() compares the installed version against.
var pkgs = [
    {'release': '11.0', 'prefix': 'asterisk', 'reference': '1:16.28.0~dfsg-0+deb11u2'},
    {'release': '11.0', 'prefix': 'asterisk-config', 'reference': '1:16.28.0~dfsg-0+deb11u2'},
    {'release': '11.0', 'prefix': 'asterisk-dahdi', 'reference': '1:16.28.0~dfsg-0+deb11u2'},
    {'release': '11.0', 'prefix': 'asterisk-dev', 'reference': '1:16.28.0~dfsg-0+deb11u2'},
    {'release': '11.0', 'prefix': 'asterisk-doc', 'reference': '1:16.28.0~dfsg-0+deb11u2'},
    {'release': '11.0', 'prefix': 'asterisk-mobile', 'reference': '1:16.28.0~dfsg-0+deb11u2'},
    {'release': '11.0', 'prefix': 'asterisk-modules', 'reference': '1:16.28.0~dfsg-0+deb11u2'},
    {'release': '11.0', 'prefix': 'asterisk-mp3', 'reference': '1:16.28.0~dfsg-0+deb11u2'},
    {'release': '11.0', 'prefix': 'asterisk-mysql', 'reference': '1:16.28.0~dfsg-0+deb11u2'},
    {'release': '11.0', 'prefix': 'asterisk-ooh323', 'reference': '1:16.28.0~dfsg-0+deb11u2'},
    {'release': '11.0', 'prefix': 'asterisk-tests', 'reference': '1:16.28.0~dfsg-0+deb11u2'},
    {'release': '11.0', 'prefix': 'asterisk-voicemail', 'reference': '1:16.28.0~dfsg-0+deb11u2'},
    {'release': '11.0', 'prefix': 'asterisk-voicemail-imapstorage', 'reference': '1:16.28.0~dfsg-0+deb11u2'},
    {'release': '11.0', 'prefix': 'asterisk-voicemail-odbcstorage', 'reference': '1:16.28.0~dfsg-0+deb11u2'},
    {'release': '11.0', 'prefix': 'asterisk-vpb', 'reference': '1:16.28.0~dfsg-0+deb11u2'}
];

# Count the packages for which deb_check() flags the installed version.
var flag = 0;
foreach package_array ( pkgs ) {
  var _release = NULL;
  var prefix = NULL;
  var reference = NULL;
  if (!empty_or_null(package_array['release'])) _release = package_array['release'];
  if (!empty_or_null(package_array['prefix'])) prefix = package_array['prefix'];
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (_release && prefix && reference) {
    if (deb_check(release:_release, prefix:prefix, reference:reference)) flag++;
  }
}

# Report if any package was flagged; otherwise exit with the matching audit message.
if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : deb_report_get()
  );
  exit(0);
}
else
{
  var tested = deb_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'asterisk / asterisk-config / asterisk-dahdi / asterisk-dev / etc');
}
Vendor | Product | Version | CPE |
---|---|---|---|
debian | debian_linux | asterisk | p-cpe:/a:debian:debian_linux:asterisk |
debian | debian_linux | asterisk-config | p-cpe:/a:debian:debian_linux:asterisk-config |
debian | debian_linux | asterisk-dahdi | p-cpe:/a:debian:debian_linux:asterisk-dahdi |
debian | debian_linux | asterisk-dev | p-cpe:/a:debian:debian_linux:asterisk-dev |
debian | debian_linux | asterisk-doc | p-cpe:/a:debian:debian_linux:asterisk-doc |
debian | debian_linux | asterisk-mobile | p-cpe:/a:debian:debian_linux:asterisk-mobile |
debian | debian_linux | asterisk-modules | p-cpe:/a:debian:debian_linux:asterisk-modules |
debian | debian_linux | asterisk-mp3 | p-cpe:/a:debian:debian_linux:asterisk-mp3 |
debian | debian_linux | asterisk-mysql | p-cpe:/a:debian:debian_linux:asterisk-mysql |
debian | debian_linux | asterisk-ooh323 | p-cpe:/a:debian:debian_linux:asterisk-ooh323 |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23537
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23547
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31031
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37325
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39244
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39269
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42705
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42706
packages.debian.org/source/bullseye/asterisk
security-tracker.debian.org/tracker/CVE-2022-23537
security-tracker.debian.org/tracker/CVE-2022-23547
security-tracker.debian.org/tracker/CVE-2022-31031
security-tracker.debian.org/tracker/CVE-2022-37325
security-tracker.debian.org/tracker/CVE-2022-39244
security-tracker.debian.org/tracker/CVE-2022-39269
security-tracker.debian.org/tracker/CVE-2022-42705
security-tracker.debian.org/tracker/CVE-2022-42706
security-tracker.debian.org/tracker/source-package/asterisk
www.debian.org/security/2023/dsa-5358