Bug 920026 (CVE-2023-37457, CVE-2023-49294, CVE-2023-49786) - <net-misc/asterisk-{18.20.2,20.5.2}: denial of service via dtls hello
Summary: <net-misc/asterisk-{18.20.2,20.5.2}: denial of service via dtls hello
Status: IN_PROGRESS
Alias: CVE-2023-37457, CVE-2023-49294, CVE-2023-49786
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://github.com/asterisk/asterisk/...
Whiteboard: B3 [stable?]
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2023-12-15 12:43 UTC by Christopher Fore
Modified: 2024-02-03 20:28 UTC (History)

See Also:
Package list:
Runtime testing required: ---
Description Christopher Fore 2023-12-15 12:43:30 UTC
CVE-2023-49786 (https://github.com/asterisk/asterisk/security/advisories/GHSA-hxj9-xwr8-w8pq):

When handling DTLS-SRTP for media setup, Asterisk is susceptible to Denial of Service due to a race condition in the hello handshake phase of the DTLS protocol. This attack can be done continuously, thus denying new DTLS-SRTP encrypted calls during the attack.



The above is fixed in 18.20.1, 20.5.1, 21.0.1, and 18.9-cert6
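As an added example (not part of this bug report, nor code from Asterisk or Gentoo), the following Python checker decides whether a given Asterisk version string is at or below the fixed versions quoted in the description above (18.20.1, 20.5.1, 21.0.1, 18.9-cert6). The branch handling is an assumption made here: each major version is treated as its own branch, 18.9-cert as a separate certified branch, and any branch the advisory text does not name (for example 16.x or 19.x) is reported as unknown rather than guessed. Accepting `asterisk -V`-style "Asterisk <ver>" output, Gentoo `net-misc/asterisk-<ver>` atoms and a Gentoo `-rN` revision suffix is likewise a convenience added for this example.

```python
import re
import sys
from typing import Optional, Tuple

# Fixed versions as quoted in the bug description (CVE-2023-49786 advisory):
# 18.20.1, 20.5.1, 21.0.1 and 18.9-cert6. Mapping a version to a branch by
# its major number (and 18.9-cert to its own branch) is an assumption of
# this example, not something the bug states.
FIXED_RELEASE = {18: (18, 20, 1), 20: (20, 5, 1), 21: (21, 0, 1)}
FIXED_CERT = {(18, 9): 6}

_CERT_RE = re.compile(r"^(\d+)\.(\d+)-cert(\d+)$")
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def normalize(raw: str) -> str:
    """Reduce the accepted input forms to a bare upstream version string.

    Convenience handling added here (assumption): an "Asterisk <ver>" line as
    printed by `asterisk -V`, a Gentoo atom such as net-misc/asterisk-18.20.2,
    and a Gentoo ebuild revision suffix like -r1, which does not change the
    upstream version it packages.
    """
    v = raw.strip()
    if v.lower().startswith("asterisk "):
        v = v.split(None, 1)[1]
    if v.startswith("net-misc/asterisk-"):
        v = v[len("net-misc/asterisk-"):]
    return re.sub(r"-r\d+$", "", v)


def parse_version(raw: str) -> Optional[Tuple]:
    """Return ("cert", major, minor, n) or ("release", major, minor, patch);
    None if the string is not a recognisable Asterisk version."""
    v = normalize(raw)
    m = _CERT_RE.match(v)
    if m:
        return ("cert", int(m[1]), int(m[2]), int(m[3]))
    m = _RELEASE_RE.match(v)
    if m:
        return ("release", int(m[1]), int(m[2]), int(m[3]))
    return None


def is_fixed(raw: str) -> Optional[bool]:
    """True if at or above the branch's fixed version, False if below,
    None if the version is unparsable or its branch is not covered by the
    fixed-version list quoted in this bug (so no claim is made about it)."""
    parsed = parse_version(raw)
    if parsed is None:
        return None
    kind, major, minor, last = parsed
    if kind == "cert":
        fixed = FIXED_CERT.get((major, minor))
        return None if fixed is None else last >= fixed
    fixed = FIXED_RELEASE.get(major)
    return None if fixed is None else (major, minor, last) >= fixed


def report(raw: str) -> str:
    """One human-readable verdict line per input version."""
    verdict = is_fixed(raw)
    if verdict is None:
        return f"{raw}: unknown (unparsable, or branch not listed in the advisory)"
    return f"{raw}: {'fixed' if verdict else 'AFFECTED'}"


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real host.
    samples = sys.argv[1:] or [
        "Asterisk 18.20.0", "net-misc/asterisk-20.5.2", "21.0.0",
        "18.9-cert5", "18.9-cert6", "16.30.0",
    ]
    for s in samples:
        print(report(s))
```

Run it with no arguments to see the constructed samples, or pass the output of `asterisk -V` from a host. A verdict of "unknown" is deliberate: the advisory text quoted here only names fixes for the 18, 20, 21 and 18.9-cert branches, so the script does not pretend to know the status of anything else.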
Comment 1 John Helmert III 2023-12-22 00:13:43 UTC
Looks like there were a few vulnerabilities fixed in 18.20.1/20.5.1 according to their release announcements (http://lists.digium.com/pipermail/asterisk-announce/2023-December/000895.html, http://lists.digium.com/pipermail/asterisk-announce/2023-December/000896.html):

"The following security advisories were resolved in this release:
- [Path traversal via AMI GetConfig allows access to outside files](https://github.com/asterisk/asterisk/security/advisories/GHSA-8857-hfmw-vg8f)
- [Asterisk susceptible to Denial of Service via DTLS Hello packets during call initiation](https://github.com/asterisk/asterisk/security/advisories/GHSA-hxj9-xwr8-w8pq)
- [PJSIP logging allows attacker to inject fake Asterisk log entries](https://github.com/asterisk/asterisk/security/advisories/GHSA-5743-x3p5-3rg7)
- [PJSIP_HEADER dialplan function can overwrite memory/cause crash when using 'update'](https://github.com/asterisk/asterisk/security/advisories/GHSA-98rc-4j27-74hh)"

In order, these are:

- CVE-2023-49294
- CVE-2023-49786
- no CVE (yet?)
- CVE-2023-37457
Comment 2 Larry the Git Cow 2024-01-05 05:14:10 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e024067d4fa9dc6181c04c764ee850c3ac862bd9

commit e024067d4fa9dc6181c04c764ee850c3ac862bd9
Author:     Jaco Kroon <jaco@uls.co.za>
AuthorDate: 2024-01-04 18:32:43 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-01-05 05:12:42 +0000

    net-misc/asterisk: add 20.5.2
    
    Bug: https://bugs.gentoo.org/920026
    Signed-off-by: Jaco Kroon <jaco@uls.co.za>
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/asterisk/Manifest               |   1 +
 net-misc/asterisk/asterisk-20.5.2.ebuild | 358 +++++++++++++++++++++++++++++++
 2 files changed, 359 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f27df10719add680b313fc8c51c50d5f4bccd9c9

commit f27df10719add680b313fc8c51c50d5f4bccd9c9
Author:     Jaco Kroon <jaco@uls.co.za>
AuthorDate: 2024-01-04 15:01:04 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-01-05 05:12:42 +0000

    net-misc/asterisk: add 18.20.2
    
    Bug: https://bugs.gentoo.org/920026
    Signed-off-by: Jaco Kroon <jaco@uls.co.za>
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/asterisk/Manifest                |   1 +
 net-misc/asterisk/asterisk-18.20.2.ebuild | 362 ++++++++++++++++++++++++++++++
 2 files changed, 363 insertions(+)
Comment 3 John Helmert III 2024-02-03 20:28:30 UTC
Thanks! Please stable when ready.