Bug 394095 (CVE-2011-4597)

Summary:	<net-misc/asterisk-1.8.7.2 Multiple vulnerabilities (CVE-2011-{4597,4598})
Product:	Gentoo Security	Reporter:	Sean Amoss (RETIRED) <ackle>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	chainsaw, voip+disabled
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	http://downloads.asterisk.org/pub/security/AST-2011-014.pdf
Whiteboard:	C3 [noglsa]
Package list:		Runtime testing required:	---

Description Sean Amoss (RETIRED) gentoo-dev

2011-12-09 01:35:38 UTC

AST-2011-013 - http://downloads.asterisk.org/pub/security/AST-2011-013.pdf

Summary: 
Possible remote enumeration of SIP endpoints with differing NAT settings

Description: 
It is possible to enumerate SIP usernames when the general and user/peer NAT settings differ in whether to respond to the port a request is sent from or the port listed for responses in the Via header. In 1.4 and 1.6.2, this would mean if one setting was nat=yes or nat=route and the other was either nat=no or nat=never. In 1.8 and 10, this would mean when one was nat=force_rport or nat=yes and the other was nat=no or nat=comedia.

Corrected In:
As this is more of an issue with SIP over UDP in general, there is no fix supplied other than documentation on how to avoid the problem. The default NAT setting has been changed to what we believe the most commonly used setting for the respective version in Asterisk 1.4.43, 1.6.2.21, and 1.8.7.2.


AST-2011-014 - http://downloads.asterisk.org/pub/security/AST-2011-014.pdf

Summary:
Remote crash possibility with SIP and the “automon” feature enabled

Description:
When the “automon” feature is enabled in features.conf, it is possible to send a sequence of SIP requests that cause Asterisk to dereference a NULL pointer and crash.

Corrected In:
Asterisk Open Source 1.6.2.21, 1.8.7.2

Comment 1 Tony Vroon (RETIRED) gentoo-dev

2011-12-12 11:24:44 UTC

+*asterisk-10.0.0_rc3 (12 Dec 2011)
+
+  12 Dec 2011; Tony Vroon <chainsaw@gentoo.org> -asterisk-10.0.0_rc2.ebuild,
+  -asterisk-10.0.0_rc2-r1.ebuild, +asterisk-10.0.0_rc3.ebuild:
+  Security update addresses AST-2011-013 (disparate general/peer NAT settings
+  exposing valid usernames) and AST-2011-014 (null pointer derefence in INFO
+  command reply if automon feature is enabled). Cull the 10 branch by removing
+  vulnerable ebuilds. For security bug #394095.

+*asterisk-1.8.7.2 (12 Dec 2011)
+
+  12 Dec 2011; Tony Vroon <chainsaw@gentoo.org> -asterisk-1.8.7.1-r1.ebuild,
+  -asterisk-1.8.7.1-r2.ebuild, +asterisk-1.8.7.2.ebuild:
+  Security update addresses AST-2011-013 (disparate general/peer NAT settings
+  exposing valid usernames) and AST-2011-014 (null pointer dereference in INFO
+  command reply if automon feature is enabled). Cull the 1.8 branch by removing
+  vulnerable ebuilds except current stable. For security bug #394095.

Arches, please test and mark stable:
=net-misc/asterisk-1.8.7.2
Target KEYWORDS="amd64 x86"

For testing, please try several USE-flag combinations and see if the resulting binary can be stopped and started for several cycles on the default configuration files. The wrapper will inform you if the binary failed to start or stop normally, which is a test failure.

Comment 2 Agostino Sarubbo gentoo-dev

2011-12-12 15:35:57 UTC

C3 because will not happen with default config.

I have filed bug 394459. It is not a blocker.

Comment 3 Ian Delaney (RETIRED) gentoo-dev

2011-12-12 17:45:15 UTC

amd64:
gentoo64 asterisk # USE="alsa bluetooth caps iconv ldap samples usb vorbis -ais -calendar curl -dahdi -debug -doc -freetds -gtalk -http -jabber -jingle -lua -mysql -newt odbc -osplookup -oss -portaudio -postgres -radius -snmp span speex sqlite -sqlite3 -srtp -static -syslog" emerge asterisk

gentoo64 asterisk # /etc/init.d/asterisk restart
 * asterisk: waiting for net.wlan0 (50 seconds)
 * WARNING: asterisk is scheduled to start when net.wlan0 has started
gentoo64 asterisk # /etc/init.d/asterisk restart
 * Killing wrapper script ...                                                                                                   [ ok ]
 * Stopping asterisk PBX gracefully ...                                                                                         [ ok ]
 * Starting asterisk PBX ...
 *   Core dump size            : unlimited
 *   Core dump location        : /var/lib/asterisk/coredump
 *   Max open filedescriptors  : 4096
 *   Starting asterisk as      : asterisk                                                                                       [ ok ]

all system good all system go

Comment 4 Agostino Sarubbo gentoo-dev

2011-12-12 18:40:51 UTC

Works too for me.

Stable for AMD64, thanks Ian.

Comment 5 GLSAMaker/CVETool Bot gentoo-dev

2011-12-15 18:48:10 UTC

CVE-2011-4598 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4598):
  channels/chan_sip.c in Asterisk Open Source 1.6.2.x before 1.6.2.21 and
  1.8.x before 1.8.7.2, when automon is enabled, allows remote attackers to
  cause a denial of service (NULL pointer dereference and daemon crash) via a
  crafted sequence of SIP requests.

CVE-2011-4597 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4597):
  The SIP over UDP implementation in Asterisk Open Source 1.4.x before 1.4.43,
  1.6.x before 1.6.2.21, and 1.8.x before 1.8.7.2 uses different port numbers
  for responses to invalid requests depending on whether a SIP username
  exists, which allows remote attackers to enumerate usernames via a series of
  requests.

Comment 6 Markus Meier gentoo-dev

2011-12-26 14:31:26 UTC

x86 stable, all arches done.

Comment 7 Agostino Sarubbo gentoo-dev

2011-12-26 14:32:40 UTC

@security, please vote.

Comment 8 Tim Sammut (RETIRED) gentoo-dev

2011-12-27 05:20:37 UTC

Thanks, folks. GLSA Vote: no.

Comment 9 Sean Amoss (RETIRED) gentoo-dev

2012-02-22 20:51:13 UTC

GLSA vote: no. Closing [noglsa]