Lucene search

K
nessusThis script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.DEBIAN_DSA-5358.NASL
HistoryFeb 24, 2023 - 12:00 a.m.

Debian DSA-5358-1 : asterisk - security update

2023-02-2400:00:00
This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
28
debian 11
security update
pjsip
sangoma asterisk
vulnerabilities
buffer overflow
denial of service
directory traversal
remote code execution
cve-2022-23537
cve-2022-23547
cve-2022-31031
cve-2022-37325
cve-2022-39244
cve-2022-39269
cve-2022-42705
cve-2022-42706
nessus scanner

EPSS

0.004

Percentile

72.1%

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5358 advisory.

  • PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. Buffer overread is possible when parsing a specially crafted STUN message with unknown attribute. The vulnerability affects applications that uses STUN including PJNATH and PJSUA-LIB. The patch is available as a commit in the master branch (2.13.1). (CVE-2022-23537)

  • PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. This issue is similar to GHSA-9pfh-r8x4-w26w. Possible buffer overread when parsing a certain STUN message. The vulnerability affects applications that uses STUN including PJNATH and PJSUA-LIB. The patch is available as commit in the master branch. (CVE-2022-23547)

  • PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In versions prior to and including 2.12.1 a stack buffer overflow vulnerability affects PJSIP users that use STUN in their applications, either by: setting a STUN server in their account/media config in PJSUA/PJSUA2 level, or directly using pjlib-util/stun_simple API. A patch is available in commit 450baca which should be included in the next release. There are no known workarounds for this issue. (CVE-2022-31031)

  • In Sangoma Asterisk through 16.28.0, 17.x and 18.x through 18.14.0, and 19.x through 19.6.0, an incoming Setup message to addons/ooh323c/src/ooq931.c with a malformed Calling or Called Party IE can cause a crash. (CVE-2022-37325)

  • PJSIP is a free and open source multimedia communication library written in C. In versions of PJSIP prior to 2.13 the PJSIP parser, PJMEDIA RTP decoder, and PJMEDIA SDP parser are affeced by a buffer overflow vulnerability. Users connecting to untrusted clients are at risk. This issue has been patched and is available as commit c4d3498 in the master branch and will be included in releases 2.13 and later. Users are advised to upgrade. There are no known workarounds for this issue. (CVE-2022-39244)

  • PJSIP is a free and open source multimedia communication library written in C. When processing certain packets, PJSIP may incorrectly switch from using SRTP media transport to using basic RTP upon SRTP restart, causing the media to be sent insecurely. The vulnerability impacts all PJSIP users that use SRTP.
    The patch is available as commit d2acb9a in the master branch of the project and will be included in version 2.13. Users are advised to manually patch or to upgrade. There are no known workarounds for this vulnerability. (CVE-2022-39269)

  • A use-after-free in res_pjsip_pubsub.c in Sangoma Asterisk 16.28, 18.14, 19.6, and certified/18.9-cert2 may allow a remote authenticated attacker to crash Asterisk (denial of service) by performing activity on a subscription via a reliable transport at the same time that Asterisk is also performing activity on that subscription. (CVE-2022-42705)

  • An issue was discovered in Sangoma Asterisk through 16.28, 17 and 18 through 18.14, 19 through 19.6, and certified through 18.9-cert1. GetConfig, via Asterisk Manager Interface, allows a connected application to access files outside of the asterisk configuration directory, aka Directory Traversal. (CVE-2022-42706)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
#
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory dsa-5358. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include('compat.inc');

if (description)
{
  script_id(171882);
  script_version("1.0");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/02/24");

  script_cve_id(
    "CVE-2022-23537",
    "CVE-2022-23547",
    "CVE-2022-31031",
    "CVE-2022-37325",
    "CVE-2022-39244",
    "CVE-2022-39269",
    "CVE-2022-42705",
    "CVE-2022-42706"
  );

  script_name(english:"Debian DSA-5358-1 : asterisk - security update");

  script_set_attribute(attribute:"synopsis", value:
"The remote Debian host is missing one or more security-related updates.");
  script_set_attribute(attribute:"description", value:
"The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the
dsa-5358 advisory.

  - PJSIP is a free and open source multimedia communication library written in C language implementing
    standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. Buffer overread is possible when
    parsing a specially crafted STUN message with unknown attribute. The vulnerability affects applications
    that uses STUN including PJNATH and PJSUA-LIB. The patch is available as a commit in the master branch
    (2.13.1). (CVE-2022-23537)

  - PJSIP is a free and open source multimedia communication library written in C language implementing
    standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. This issue is similar to
    GHSA-9pfh-r8x4-w26w. Possible buffer overread when parsing a certain STUN message. The vulnerability
    affects applications that uses STUN including PJNATH and PJSUA-LIB. The patch is available as commit in
    the master branch. (CVE-2022-23547)

  - PJSIP is a free and open source multimedia communication library written in C language implementing
    standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In versions prior to and including
    2.12.1 a stack buffer overflow vulnerability affects PJSIP users that use STUN in their applications,
    either by: setting a STUN server in their account/media config in PJSUA/PJSUA2 level, or directly using
    `pjlib-util/stun_simple` API. A patch is available in commit 450baca which should be included in the next
    release. There are no known workarounds for this issue. (CVE-2022-31031)

  - In Sangoma Asterisk through 16.28.0, 17.x and 18.x through 18.14.0, and 19.x through 19.6.0, an incoming
    Setup message to addons/ooh323c/src/ooq931.c with a malformed Calling or Called Party IE can cause a
    crash. (CVE-2022-37325)

  - PJSIP is a free and open source multimedia communication library written in C. In versions of PJSIP prior
    to 2.13 the PJSIP parser, PJMEDIA RTP decoder, and PJMEDIA SDP parser are affeced by a buffer overflow
    vulnerability. Users connecting to untrusted clients are at risk. This issue has been patched and is
    available as commit c4d3498 in the master branch and will be included in releases 2.13 and later. Users
    are advised to upgrade. There are no known workarounds for this issue. (CVE-2022-39244)

  - PJSIP is a free and open source multimedia communication library written in C. When processing certain
    packets, PJSIP may incorrectly switch from using SRTP media transport to using basic RTP upon SRTP
    restart, causing the media to be sent insecurely. The vulnerability impacts all PJSIP users that use SRTP.
    The patch is available as commit d2acb9a in the master branch of the project and will be included in
    version 2.13. Users are advised to manually patch or to upgrade. There are no known workarounds for this
    vulnerability. (CVE-2022-39269)

  - A use-after-free in res_pjsip_pubsub.c in Sangoma Asterisk 16.28, 18.14, 19.6, and certified/18.9-cert2
    may allow a remote authenticated attacker to crash Asterisk (denial of service) by performing activity on
    a subscription via a reliable transport at the same time that Asterisk is also performing activity on that
    subscription. (CVE-2022-42705)

  - An issue was discovered in Sangoma Asterisk through 16.28, 17 and 18 through 18.14, 19 through 19.6, and
    certified through 18.9-cert1. GetConfig, via Asterisk Manager Interface, allows a connected application to
    access files outside of the asterisk configuration directory, aka Directory Traversal. (CVE-2022-42706)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/source-package/asterisk");
  script_set_attribute(attribute:"see_also", value:"https://www.debian.org/security/2023/dsa-5358");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-23537");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-23547");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-31031");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-37325");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-39244");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-39269");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-42705");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-42706");
  script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/bullseye/asterisk");
  script_set_attribute(attribute:"solution", value:
"Upgrade the asterisk packages.

For the stable distribution (bullseye), these problems have been fixed in version 1");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-31031");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2022-39244");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2022/06/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/02/23");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/02/24");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:asterisk");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:asterisk-config");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:asterisk-dahdi");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:asterisk-dev");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:asterisk-doc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:asterisk-mobile");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:asterisk-modules");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:asterisk-mp3");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:asterisk-mysql");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:asterisk-ooh323");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:asterisk-tests");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:asterisk-voicemail");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:asterisk-voicemail-imapstorage");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:asterisk-voicemail-odbcstorage");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:asterisk-vpb");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:11.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Debian Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

var debian_release = get_kb_item('Host/Debian/release');
if ( isnull(debian_release) ) audit(AUDIT_OS_NOT, 'Debian');
debian_release = chomp(debian_release);
if (! preg(pattern:"^(11)\.[0-9]+", string:debian_release)) audit(AUDIT_OS_NOT, 'Debian 11.0', 'Debian ' + debian_release);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Debian', cpu);

var pkgs = [
    {'release': '11.0', 'prefix': 'asterisk', 'reference': '1:16.28.0~dfsg-0+deb11u2'},
    {'release': '11.0', 'prefix': 'asterisk-config', 'reference': '1:16.28.0~dfsg-0+deb11u2'},
    {'release': '11.0', 'prefix': 'asterisk-dahdi', 'reference': '1:16.28.0~dfsg-0+deb11u2'},
    {'release': '11.0', 'prefix': 'asterisk-dev', 'reference': '1:16.28.0~dfsg-0+deb11u2'},
    {'release': '11.0', 'prefix': 'asterisk-doc', 'reference': '1:16.28.0~dfsg-0+deb11u2'},
    {'release': '11.0', 'prefix': 'asterisk-mobile', 'reference': '1:16.28.0~dfsg-0+deb11u2'},
    {'release': '11.0', 'prefix': 'asterisk-modules', 'reference': '1:16.28.0~dfsg-0+deb11u2'},
    {'release': '11.0', 'prefix': 'asterisk-mp3', 'reference': '1:16.28.0~dfsg-0+deb11u2'},
    {'release': '11.0', 'prefix': 'asterisk-mysql', 'reference': '1:16.28.0~dfsg-0+deb11u2'},
    {'release': '11.0', 'prefix': 'asterisk-ooh323', 'reference': '1:16.28.0~dfsg-0+deb11u2'},
    {'release': '11.0', 'prefix': 'asterisk-tests', 'reference': '1:16.28.0~dfsg-0+deb11u2'},
    {'release': '11.0', 'prefix': 'asterisk-voicemail', 'reference': '1:16.28.0~dfsg-0+deb11u2'},
    {'release': '11.0', 'prefix': 'asterisk-voicemail-imapstorage', 'reference': '1:16.28.0~dfsg-0+deb11u2'},
    {'release': '11.0', 'prefix': 'asterisk-voicemail-odbcstorage', 'reference': '1:16.28.0~dfsg-0+deb11u2'},
    {'release': '11.0', 'prefix': 'asterisk-vpb', 'reference': '1:16.28.0~dfsg-0+deb11u2'}
];

var flag = 0;
foreach package_array ( pkgs ) {
  var _release = NULL;
  var prefix = NULL;
  var reference = NULL;
  if (!empty_or_null(package_array['release'])) _release = package_array['release'];
  if (!empty_or_null(package_array['prefix'])) prefix = package_array['prefix'];
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (_release && prefix && reference) {
    if (deb_check(release:_release, prefix:prefix, reference:reference)) flag++;
  }
}

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : deb_report_get()
  );
  exit(0);
}
else
{
  var tested = deb_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'asterisk / asterisk-config / asterisk-dahdi / asterisk-dev / etc');
}
VendorProductVersionCPE
debiandebian_linuxasteriskp-cpe:/a:debian:debian_linux:asterisk
debiandebian_linuxasterisk-configp-cpe:/a:debian:debian_linux:asterisk-config
debiandebian_linuxasterisk-dahdip-cpe:/a:debian:debian_linux:asterisk-dahdi
debiandebian_linuxasterisk-devp-cpe:/a:debian:debian_linux:asterisk-dev
debiandebian_linuxasterisk-docp-cpe:/a:debian:debian_linux:asterisk-doc
debiandebian_linuxasterisk-mobilep-cpe:/a:debian:debian_linux:asterisk-mobile
debiandebian_linuxasterisk-modulesp-cpe:/a:debian:debian_linux:asterisk-modules
debiandebian_linuxasterisk-mp3p-cpe:/a:debian:debian_linux:asterisk-mp3
debiandebian_linuxasterisk-mysqlp-cpe:/a:debian:debian_linux:asterisk-mysql
debiandebian_linuxasterisk-ooh323p-cpe:/a:debian:debian_linux:asterisk-ooh323
Rows per page:
1-10 of 161

References