Bug 513102 (CVE-2014-4046) - <net-misc/asterisk-{1.8.28.2,11.10.2}: Multiple Vulnerabilities (CVE-2014-{4046,4047})(AST-2014-{006,007})
Summary: <net-misc/asterisk-{1.8.28.2,11.10.2}: Multiple Vulnerabilities (CVE-2014-{40...
Status: RESOLVED FIXED
Alias: CVE-2014-4046
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://seclists.org/bugtraq/2014/Jun/110
Whiteboard: B3 [glsa]
Reported: 2014-06-13 12:17 UTC by Kristian Fiskerstrand
Modified: 2014-08-10 21:14 UTC
Description Kristian Fiskerstrand gentoo-dev Security 2014-06-13 12:17:07 UTC
From ${URL}: 

    Description  Establishing a TCP or TLS connection to the configured HTTP
                 or HTTPS port respectively in http.conf and then not
                 sending or completing a HTTP request will tie up a HTTP
                 session. By doing this repeatedly until the maximum number
                 of open HTTP sessions is reached, legitimate requests are
                 blocked.

    Resolution  The patched versions now have a session_inactivity timeout
                option in http.conf that defaults to 30000 ms. Users should
                upgrade to a corrected version, apply the released patches,
                or disable HTTP support.

                               Affected Versions
                Product              Release Series  
         Asterisk Open Source            1.8.x       All versions             
         Asterisk Open Source             11.x       All versions             
         Asterisk Open Source             12.x       All versions             
          Certified Asterisk             1.8.15      All versions             
          Certified Asterisk              11.6       All versions             

                                  Corrected In
                 Product                              Release                 
          Asterisk Open Source               1.8.28.1, 11.10.1, 12.3.1        
           Certified Asterisk                1.8.15-cert6, 11.6-cert3
Comment 1 Kristian Fiskerstrand gentoo-dev Security 2014-06-13 12:59:52 UTC
Also, from http://seclists.org/bugtraq/2014/Jun/114 : 

    Description  Manager users can execute arbitrary shell commands with the  
                 MixMonitor manager action. Asterisk does not require system  
                 class authorization for a manager user to use the            
                 MixMonitor action, so any manager user who is permitted to   
                 use manager commands can potentially execute shell commands  
                 as the user executing the Asterisk process.                  

    Resolution  Upgrade to a version with the patch integrated, apply the     
                patch, or do not allow users who should not have permission   
                to run shell commands to use AMI.                             

                               Affected Versions
                 Product               Release Series  
          Asterisk Open Source              11.x       All                    
          Asterisk Open Source              12.x       All                    
           Certified Asterisk               11.6       All
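
An audit sketch for the two advisories quoted above, added here as an example (not part of the bug report or Asterisk's own code): it lists AMI accounts in manager.conf whose write classes lack system, which are the accounts that should not have been able to reach a shell through MixMonitor, and reports whether http.conf enables the HTTP server and sets session_inactivity. The function names and both sample files are constructed; treating a missing enabled line as off is an assumption, and section templates are not resolved.

```python
import re

def parse_conf(text):
    """Parse Asterisk-style config text into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment
        m = re.match(r"\[([^\]]+)\]", line)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)      # also accepts 'key => value'
            current[key.strip().lower()] = value.lstrip(">").strip()
    return sections

def enabled(general):
    # Assumption: a service is off unless 'enabled' is set explicitly.
    return general.get("enabled", "no").lower() in ("yes", "true", "1", "on")

def ami_users_without_system(manager_conf):
    """AMI accounts whose write classes lack 'system' (or 'all')."""
    conf = parse_conf(manager_conf)
    if not enabled(conf.get("general", {})):
        return []
    flagged = []
    for name, opts in conf.items():
        classes = {c.strip().lower() for c in opts.get("write", "").split(",")}
        if name != "general" and not classes & {"system", "all"}:
            flagged.append(name)
    return sorted(flagged)

def http_exposure(http_conf):
    """Return (enabled, session_inactivity in ms, or None if unset)."""
    general = parse_conf(http_conf).get("general", {})
    timeout = general.get("session_inactivity")
    return enabled(general), int(timeout) if timeout else None

# Constructed sample files, not taken from the bug report.
MANAGER_CONF = """\
[general]
enabled = yes
[monitoring]            ; dashboard account with no write line at all
[dialer]
write = call,originate
[admin]
write = system,call,command
"""
HTTP_CONF = "[general]\nenabled = yes\nbindaddr = 127.0.0.1\n"
print(ami_users_without_system(MANAGER_CONF), http_exposure(HTTP_CONF))
```

A None timeout means the file does not set the option, so on a corrected version the 30000 ms default from the advisory applies.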
Comment 2 Tony Vroon gentoo-dev 2014-06-14 12:20:25 UTC
+*asterisk-11.10.1 (14 Jun 2014)
+*asterisk-1.8.28.1 (14 Jun 2014)
+
+  14 Jun 2014; Tony Vroon <chainsaw@gentoo.org> -asterisk-1.8.27.0.ebuild,
+  -asterisk-1.8.28.0.ebuild, +asterisk-1.8.28.1.ebuild,
+  -asterisk-11.9.0.ebuild, -asterisk-11.10.0.ebuild, +asterisk-11.10.1.ebuild:
+  MixMonitor AMI command allowed arbitrary shell commands to be executed
+  (AST-2014-006). Upstream replacement of plain broken SSL read implementation
+  as part of an HTTPS denial of service (AST-2014-007) finally fixes
+  ASTERISK-18345 after almost three years. Relevant downstream patch removed,
+  this means we were very likely not vulnerable.
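Review bot: the closing sentence, "Relevant downstream patch removed, this means we were very likely not vulnerable", does not say which advisory it applies to. From the sentence before it, it appears to mean only the HTTPS denial of service (AST-2014-007), but as written it can be read as covering the MixMonitor command execution (AST-2014-006) too. Suggest naming the advisory explicitly and adding the bug number (#513102) so the removal of the older ebuilds can be traced back to the security bug.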

Arches, please test & mark stable:
=net-misc/asterisk-1.8.28.1
=net-misc/asterisk-11.10.1

Test procedure is to merge with USE="samples" and ensure the init script & daemon survive three stop/start cycles. Leave at least 10 seconds between stop & start and verify using ps aux or openrc "crashed" vs "started" that the daemon is not unstable at launch.
Comment 3 Tony Vroon gentoo-dev 2014-06-14 12:35:02 UTC
+*asterisk-12.3.1 (14 Jun 2014)
+
+  14 Jun 2014; Tony Vroon <chainsaw@gentoo.org> -asterisk-12.1.1.ebuild,
+  -asterisk-12.2.0.ebuild, -asterisk-12.3.0.ebuild, +asterisk-12.3.1.ebuild:
+  And now for the 12 branch, which has additional vulnerabilities in the PJSIP
+  channel driver. MixMonitor AMI command allowed arbitrary shell commands to be
+  executed (AST-2014-006). Upstream replacement of plain broken SSL read
+  implementation as part of an HTTPS denial of service (AST-2014-007) finally
+  fixes ASTERISK-18345 after almost three years. Relevant downstream patch
+  removed, this means we were very likely not vulnerable. Resolves a remote
+  crash in publish/subscribe framework (AST-2014-005) due to deadlock on a
+  synchronously dispatched task.
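Review bot: the opening sentence refers to "additional vulnerabilities in the PJSIP channel driver", but the only extra advisory the entry names is AST-2014-005, described as a crash in the publish/subscribe framework. Suggest giving the advisory ID for each PJSIP issue that 12.3.1 fixes, or rewording the opening sentence if AST-2014-005 is the one meant, so the entry can be checked against the upstream advisories.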

All ebuilds in this branch are masked; no stabilisation required but vulnerable ebuilds removed from tree.
Comment 4 Tony Vroon gentoo-dev 2014-06-16 10:40:02 UTC
+*asterisk-11.10.2 (16 Jun 2014)
+*asterisk-1.8.28.2 (16 Jun 2014)
+
+  16 Jun 2014; Tony Vroon <chainsaw@gentoo.org> -asterisk-1.8.28.1.ebuild,
+  +asterisk-1.8.28.2.ebuild, -asterisk-11.10.1.ebuild,
+  +asterisk-11.10.2.ebuild:
+  Upstream distributed a broken release that did not carry traffic for SIP over
+  TCP or SIP over TLS.

Arches, please test & mark stable:
=net-misc/asterisk-1.8.28.2
=net-misc/asterisk-11.10.2

Test procedure is to merge with USE="samples" and ensure the init script & daemon survive three stop/start cycles. Leave at least 10 seconds between stop & start and verify using ps aux or openrc "crashed" vs "started" that the daemon is not unstable at launch.
Comment 5 Tony Vroon gentoo-dev 2014-06-16 10:57:20 UTC
+*asterisk-12.3.2 (16 Jun 2014)
+
+  16 Jun 2014; Tony Vroon <chainsaw@gentoo.org> -asterisk-12.3.1.ebuild,
+  +asterisk-12.3.2.ebuild:
+  Upstream distributed a broken release that did not carry traffic for SIP over
+  TCP or SIP over TLS. This remains masked and is not recommended for
+  production deployments.
Comment 6 Yury German Gentoo Infrastructure gentoo-dev Security 2014-06-16 13:35:35 UTC
Tony,

What are we stabilizing? There are a lot of messages but the arches need something clear to work from.
Comment 7 Kristian Fiskerstrand gentoo-dev Security 2014-06-16 13:36:54 UTC
Arches, please test & mark stable:
=net-misc/asterisk-1.8.28.2
=net-misc/asterisk-11.10.2

Test procedure is to merge with USE="samples" and ensure the init script & daemon survive three stop/start cycles. Leave at least 10 seconds between stop & start and verify using ps aux or openrc "crashed" vs "started" that the daemon is not unstable at launch.
Comment 8 Agostino Sarubbo gentoo-dev 2014-06-21 10:59:00 UTC
amd64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2014-06-21 11:00:09 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 10 Tony Vroon gentoo-dev 2014-06-23 10:15:13 UTC
(In reply to Agostino Sarubbo from comment #9)
> Maintainer(s), please cleanup.

+  23 Jun 2014; Tony Vroon <chainsaw@gentoo.org> -asterisk-1.8.26.1.ebuild,
+  -asterisk-11.8.1.ebuild, -asterisk-12.1.1.ebuild, -asterisk-12.2.0.ebuild:
+  Remove vulnerable ebuilds for security bug #513102, as requested by Agostino
+  "ago" Sarubbo.
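Review bot: this entry lists -asterisk-12.1.1.ebuild and -asterisk-12.2.0.ebuild, which the 14 Jun 2014 entry for the 12 branch already recorded as removed. Suggest confirming which files this commit actually deleted and dropping the repeated names so the ChangeLog matches the tree.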
Comment 11 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2014-06-23 16:43:04 UTC
GLSA vote: yes.
Comment 12 Yury German Gentoo Infrastructure gentoo-dev Security 2014-06-24 01:59:46 UTC
GLSA Vote: Yes
Created a New GLSA request.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2014-06-26 03:57:55 UTC
This issue was resolved and addressed in
 GLSA 201406-25 at http://security.gentoo.org/glsa/glsa-201406-25.xml
by GLSA coordinator Yury German (BlueKnight).
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2014-06-26 03:58:07 UTC
This issue was resolved and addressed in
 GLSA 201406-25 at http://security.gentoo.org/glsa/glsa-201406-25.xml
by GLSA coordinator Yury German (BlueKnight).
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2014-08-10 21:14:57 UTC
CVE-2014-4047 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4047):
  Asterisk Open Source 1.8.x before 1.8.28.1, 11.x before 11.10.1, and 12.x
  before 12.3.1 and Certified Asterisk 1.8.15 before 1.8.15-cert6 and 11.6
  before 11.6-cert3 allows remote attackers to cause a denial of service
  (connection consumption) via a large number of (1) inactive or (2)
  incomplete HTTP connections.

CVE-2014-4046 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4046):
  Asterisk Open Source 11.x before 11.10.1 and 12.x before 12.3.1 and
  Certified Asterisk 11.6 before 11.6-cert3 allows remote authenticated
  Manager users to execute arbitrary shell commands via a MixMonitor action.