From URL:
"* AST-2022-001: res_stir_shaken: resource exhaustion with large files
When using STIR/SHAKEN, it's possible to download files that are not certificates. These files could be much larger than what you would expect to download.
* AST-2022-002: res_stir_shaken: SSRF vulnerability with Identity header
When using STIR/SHAKEN, it's possible to send arbitrary requests like GET to interfaces such as localhost using the Identity header.
* AST-2022-003: func_odbc: Possible SQL Injection
Some databases can use backslashes to escape certain characters, such as backticks. If input is provided to func_odbc which includes backslashes it is possible for func_odbc to construct a broken SQL query and the SQL query to fail."
CVE-2022-26498 (https://downloads.asterisk.org/pub/security/AST-2022-001.html): An issue was discovered in Asterisk through 19.x. When using STIR/SHAKEN, it is possible to download files that are not certificates. These files could be much larger than what one would expect to download, leading to Resource Exhaustion. This is fixed in 16.25.2, 18.11.2, and 19.3.2.

CVE-2022-26499 (https://downloads.asterisk.org/pub/security/AST-2022-002.html): An SSRF issue was discovered in Asterisk through 19.x. When using STIR/SHAKEN, it's possible to send arbitrary requests (such as GET) to interfaces such as localhost by using the Identity header. This is fixed in 16.25.2, 18.11.2, and 19.3.2.

CVE-2022-26651 (https://downloads.asterisk.org/pub/security/AST-2022-003.html): An issue was discovered in Asterisk through 19.x and Certified Asterisk through 16.8-cert13. The func_odbc module provides possibly inadequate escaping functionality for backslash characters in SQL queries, resulting in user-provided data creating a broken SQL query or possibly a SQL injection. This is fixed in 16.25.2, 18.11.2, and 19.3.2, and 16.8-cert14.
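The two res_stir_shaken issues above (arbitrary requests to localhost driven by the certificate URL carried in the Identity header, and unbounded downloads of things that are not certificates) come down to policy on the fetch side. The following is an added illustration, not Asterisk's code and not its actual fix: an assumed URL policy check plus a bounded read. The 64 KiB cap, the policy choices and the function names are assumptions for this example; resolved addresses are passed in so it runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed cap for this example: a PEM certificate (chain) is a few KiB, so
# anything larger is not what a verifier should be downloading.
MAX_CERT_BYTES = 64 * 1024


class RejectedFetch(ValueError):
    """Raised when the certificate URL or its body fails policy."""


def check_cert_url(url, resolved_addrs):
    """Apply a fetch policy to the certificate URL taken from an Identity header.

    resolved_addrs: the IP strings the hostname resolves to. They are passed
    in (rather than looked up here) so the check runs offline and is applied
    to every address, not only the first one the resolver returns.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise RejectedFetch("certificate URL must use https: %r" % url)
    if not parts.hostname or parts.username or parts.password:
        raise RejectedFetch("certificate URL must name a plain host: %r" % url)
    if not resolved_addrs:
        raise RejectedFetch("certificate host did not resolve: %r" % url)
    for addr in resolved_addrs:
        ip = ipaddress.ip_address(addr)
        # is_global is False for loopback, RFC 1918, link-local, CGNAT and
        # other special-purpose ranges, which is where an SSRF would land.
        if not ip.is_global or ip.is_multicast:
            raise RejectedFetch("certificate host resolves to %s, not a public address" % addr)
    return parts.hostname


def read_bounded(stream, limit=MAX_CERT_BYTES):
    """Read at most `limit` bytes from a file-like object; refuse anything larger."""
    data = stream.read(limit + 1)
    if len(data) > limit:
        raise RejectedFetch("certificate body exceeds %d bytes" % limit)
    return data


def looks_like_pem_certificate(data):
    """Cheap sanity check before handing the body to a real X.509 parser."""
    return data.lstrip().startswith(b"-----BEGIN CERTIFICATE-----")
```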
From the release announcements for 16.26.0, 18.12.0, 19.4.0:
"Security bugs fixed in this release:
-----------------------------------
* ASTERISK-29476 - res_stir_shaken: Blind SSRF vulnerabilities (Reported by Clint Ruoho)
* ASTERISK-29838 - ${SQL_ESC()} not correctly escaping a terminating \ (Reported by Leandro Dardini)
* ASTERISK-29872 - res_stir_shaken: Resource exhaustion with large files (Reported by Benjamin Keith Ford)"
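Why a terminating backslash matters (ASTERISK-29838 / CVE-2022-26651 above): on a database where backslash escapes the next character, an escaper that only doubles single quotes lets a trailing backslash consume the closing quote, and a backslash followed by a quote lets user input fall outside the literal. The following is an added illustration written for this page, not Asterisk's func_odbc or SQL_ESC code: a quote-only escaper beside a backslash-aware one, and a small MySQL-style literal reader that shows what each produces. Function names and the sample inputs are constructed for the example.

```python
def sql_escape(value, escape_backslash):
    """Escape `value` for use inside a single-quoted SQL literal.

    escape_backslash=False doubles only the quote (the weak behaviour);
    escape_backslash=True also doubles backslashes, so no input can make a
    backslash consume the closing quote.
    """
    out = []
    for ch in value:
        if ch == "'" or (escape_backslash and ch == "\\"):
            out.append(ch)  # double the metacharacter
        out.append(ch)
    return "".join(out)


def build_literal(value, escape_backslash):
    """Wrap an escaped value in single quotes, as a query template would."""
    return "'" + sql_escape(value, escape_backslash) + "'"


def read_quoted_literal(sql):
    """Consume a MySQL-style single-quoted literal at the start of `sql`.

    A backslash escapes the next character and '' stands for one quote.
    Returns (decoded_value, remaining_sql), or None when the closing quote
    is never reached (a literal the database refuses to parse). Any user
    input that ends up in remaining_sql has escaped the literal.
    """
    assert sql.startswith("'")
    value, i, n = [], 1, len(sql)
    while i < n:
        ch = sql[i]
        if ch == "\\" and i + 1 < n:
            value.append(sql[i + 1])
            i += 2
        elif ch == "'":
            if i + 1 < n and sql[i + 1] == "'":
                value.append("'")
                i += 2
            else:
                return "".join(value), sql[i + 1:]
        else:
            value.append(ch)
            i += 1
    return None


if __name__ == "__main__":
    for raw in ("O'Brien", "ex\\", "a\\'b"):  # constructed inputs
        for flag in (False, True):
            print(repr(raw), "aware" if flag else "quote-only", read_quoted_literal(build_literal(raw, flag)))
```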
CVE-2022-31031 (https://github.com/pjsip/pjproject/commit/450baca94f475345542c6953832650c390889202): https://github.com/pjsip/pjproject/security/advisories/GHSA-26j7-ww69-c4qj PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In versions prior to and including 2.12.1 a stack buffer overflow vulnerability affects PJSIP users that use STUN in their applications, either by: setting a STUN server in their account/media config in PJSUA/PJSUA2 level, or directly using `pjlib-util/stun_simple` API. A patch is available in commit 450baca which should be included in the next release. There are no known workarounds for this issue.
Please stabilize when ready.
Please clean up when ready.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=006a4ff040508d3179c5050cc60273017edf9198
commit 006a4ff040508d3179c5050cc60273017edf9198
Author: Jaco Kroon <jaco@uls.co.za>
AuthorDate: 2022-08-23 08:28:26 +0000
Commit: Matthew Smith <matthew@gentoo.org>
CommitDate: 2022-08-23 08:49:24 +0000

net-misc/asterisk: Remove <18.13.0:18 (security)

Bug: https://bugs.gentoo.org/838391
Package-Manager: Portage-3.0.30, Repoman-3.0.3
Signed-off-by: Jaco Kroon <jaco@uls.co.za>
Closes: https://github.com/gentoo/gentoo/pull/26919
Signed-off-by: Matthew Smith <matthew@gentoo.org>

net-misc/asterisk/Manifest | 3 -
net-misc/asterisk/asterisk-18.10.0-r1.ebuild | 366 ---------------------------
net-misc/asterisk/asterisk-18.8.0-r1.ebuild | 366 ---------------------------
net-misc/asterisk/asterisk-18.9.0-r1.ebuild | 366 ---------------------------
4 files changed, 1101 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9e85822eb60d0f8b3b3a991f4031c990ac1cce9b
commit 9e85822eb60d0f8b3b3a991f4031c990ac1cce9b
Author: Jaco Kroon <jaco@uls.co.za>
AuthorDate: 2022-08-23 08:27:20 +0000
Commit: Matthew Smith <matthew@gentoo.org>
CommitDate: 2022-08-23 08:49:21 +0000

net-misc/asterisk: Remove <16.26.1:16 (security)

Bug: https://bugs.gentoo.org/838391
Package-Manager: Portage-3.0.30, Repoman-3.0.3
Signed-off-by: Jaco Kroon <jaco@uls.co.za>
Signed-off-by: Matthew Smith <matthew@gentoo.org>

net-misc/asterisk/Manifest | 3 -
net-misc/asterisk/asterisk-16.22.0-r1.ebuild | 367 ---------------------------
net-misc/asterisk/asterisk-16.23.0-r1.ebuild | 367 ---------------------------
net-misc/asterisk/asterisk-16.24.0-r1.ebuild | 367 ---------------------------
4 files changed, 1104 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7d58a9bedd50b381637d0434afd06c0d1911db46
commit 7d58a9bedd50b381637d0434afd06c0d1911db46
Author: Jaco Kroon <jaco@uls.co.za>
AuthorDate: 2022-08-23 08:26:05 +0000
Commit: Matthew Smith <matthew@gentoo.org>
CommitDate: 2022-08-23 08:49:17 +0000

net-misc/asterisk: remove :13 (security)

Bug: https://bugs.gentoo.org/838391
Package-Manager: Portage-3.0.30, Repoman-3.0.3
Signed-off-by: Jaco Kroon <jaco@uls.co.za>
Signed-off-by: Matthew Smith <matthew@gentoo.org>

net-misc/asterisk/Manifest | 1 -
net-misc/asterisk/asterisk-13.38.3-r3.ebuild | 353 -----------------
.../files/asterisk-13.18.1-r2-autoconf-2.70.patch | 10 -
.../asterisk-13.38.1-r1-autoconf-lua-version.patch | 56 ---
.../asterisk-13.38.2-r1-menuselect-exitcodes.patch | 67 ----
...sterisk-13.38.2-r2-func_odbc_minargs-ARGC.patch | 180 ---------
.../asterisk-13.38.2-r3-func_lock-fix-races.patch | 421 ---------------------
.../asterisk-historic-no-var-run-install.patch | 14 -
.../files/asterisk.tmpfiles-13.38.3-r2.conf | 1 -
net-misc/asterisk/files/confd-13.32.0 | 160 --------
net-misc/asterisk/files/initd-13.38.3-r2 | 362 ------------------
11 files changed, 1625 deletions(-)
Thanks!
The SQL injection one is potentially a massive problem if external info can be provided via things like DTMF :). DTMF by itself doesn't provide for the required digits, so I don't see HOW this can be exploited practically, perhaps if data from a CURL() request is incorporated into the SQL queries, or more trivially via CLI in the form "ex\ploi\there" <+27...@whatever> in the From: or To: headers. So this warrants a GLSA in my opinion. Don't know of anyone actively using STIR/SHAKEN (yet). We've most certainly not seen relevant tags on PSTN yet. This can possibly be exploited via unauthenticated SIP INVITEs, such as unsolicited INVITEs based on _sip._udp.example.com kind of requests, so not sure if this truly is a real world problem, but better safe than sorry.