Bug 513104 (CVE-2014-4045) - net-misc/asterisk: Multiple vulnerabilities (CVE-2014-{4045,4048}) (AST-2014-{005,008})
Status: RESOLVED INVALID
Alias: CVE-2014-4045
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://seclists.org/bugtraq/2014/Jun/109
Whiteboard: ~3 [ebuild]
Reported: 2014-06-13 12:19 UTC by Kristian Fiskerstrand (RETIRED)
Modified: 2014-08-10 21:14 UTC
Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-06-13 12:19:18 UTC
From ${URL}:
Description: A remotely exploitable crash vulnerability exists in the PJSIP channel driver's pub/sub framework. If an attempt is made to unsubscribe when not currently subscribed and the endpoint's "sub_min_expiry" is set to zero, Asterisk tries to create an expiration timer with zero seconds, which is not allowed, so an assertion is raised.

Resolution: Upgrade to a version with the patch integrated, apply the patch, or make sure the "sub_min_expiry" endpoint configuration option is greater than zero.

Affected Versions
  Product                 Release Series   Versions
  Asterisk Open Source    12.x             All

Corrected In
  Product                      Release
  Asterisk Open Source 12.x    12.3.1
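The workaround in the advisory above (keep "sub_min_expiry" above zero on every endpoint) is easy to miss when the value is inherited from a pjsip.conf template. The following is an added example for this report, not code from Asterisk or from Gentoo: it parses a constructed pjsip.conf, resolves template inheritance the way res_pjsip's "[name](!)" and "[name](template)" syntax works, and lists the endpoints that end up with sub_min_expiry=0. Endpoints that never set the option are reported separately rather than assumed safe or unsafe, since the default is not stated on this page. Only plain "key=value" lines are handled; the "+=" append form is assumed absent.

```python
"""Audit an Asterisk pjsip.conf for endpoints that set sub_min_expiry to 0.

Added example for this bug report; it is not Asterisk's or Gentoo's own code.
It assumes the ini-style layout res_pjsip reads: "[name](!)" declares a
template, "[name](a,b)" inherits from templates a and b, and ";" starts a
comment. Only plain "key=value" lines are understood ("+=" appends are not).
The sample configuration below is constructed for illustration.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample pjsip.conf. 6001 sets the weak value directly, 6002
# inherits it from a template, 6003 overrides the template with a safe value,
# 6004 never sets the option, and the transport section is not an endpoint.
SAMPLE_PJSIP_CONF = """
[endpoint-defaults](!)
type=endpoint
context=internal
sub_min_expiry=0

[6001]
type=endpoint
context=internal
sub_min_expiry=0        ; weak: zero-second expiry timer (AST-2014-005)

[6002](endpoint-defaults)
; inherits sub_min_expiry=0 from the template

[6003](endpoint-defaults)
sub_min_expiry=60       ; corrected: any value greater than zero

[6004]
type=endpoint
context=internal

[transport-udp]
type=transport
protocol=udp
bind=0.0.0.0
"""

SECTION_RE = re.compile(r'^\[([^\]]+)\](?:\(([^)]*)\))?$')


def parse_pjsip_conf(text: str) -> Tuple[Dict[str, Dict[str, str]], Set[str]]:
    """Return ({section: {option: value}}, template_names).

    Template settings are merged into inheriting sections; a section's own
    settings override anything inherited.
    """
    parents: Dict[str, List[str]] = {}
    own: Dict[str, Dict[str, str]] = {}
    templates: Set[str] = set()
    current = None
    for line in text.splitlines():
        line = line.split(';', 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            parts = [p.strip() for p in (m.group(2) or '').split(',') if p.strip()]
            if '!' in parts:
                templates.add(current)
            parents[current] = [p for p in parts if p != '!']
            own[current] = {}
            continue
        if current is None or '=' not in line:
            continue
        key, value = (s.strip() for s in line.split('=', 1))
        own[current][key] = value

    def resolve(name: str) -> Dict[str, str]:
        merged: Dict[str, str] = {}
        for parent in parents.get(name, []):
            if parent in own:          # unknown template names are ignored
                merged.update(resolve(parent))
        merged.update(own[name])
        return merged

    return {name: resolve(name) for name in own}, templates


def _endpoints(text: str):
    """Yield (name, resolved options) for real, non-template endpoint sections."""
    sections, templates = parse_pjsip_conf(text)
    for name, opts in sections.items():
        if name not in templates and opts.get('type') == 'endpoint':
            yield name, opts


def find_zero_sub_min_expiry(text: str) -> List[str]:
    """Endpoints with the weak setting: sub_min_expiry explicitly 0."""
    return [n for n, o in _endpoints(text) if o.get('sub_min_expiry') == '0']


def find_unset_sub_min_expiry(text: str) -> List[str]:
    """Endpoints that leave sub_min_expiry unset; reported, not judged."""
    return [n for n, o in _endpoints(text) if 'sub_min_expiry' not in o]


if __name__ == '__main__':
    print('sub_min_expiry=0:', find_zero_sub_min_expiry(SAMPLE_PJSIP_CONF))
    print('sub_min_expiry unset:', find_unset_sub_min_expiry(SAMPLE_PJSIP_CONF))
```

On the constructed sample this flags 6001 and 6002 (the inherited zero is the case a grep for "sub_min_expiry=0" under the endpoint's own section would miss) and lists 6004 as unset; 6003 is clean because its own value overrides the template. Run it against a real file by replacing SAMPLE_PJSIP_CONF with the file's contents, and treat the workaround only as a stopgap until 12.3.1 is installed.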
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-06-13 12:32:25 UTC
And also, from http://seclists.org/bugtraq/2014/Jun/111

Description: When a SIP transaction timeout caused a subscription to be terminated, the action taken by Asterisk was guaranteed to deadlock the thread on which SIP requests are serviced.

Note that this behavior could only happen on established subscriptions, meaning that this could only be exploited if an attacker bypassed authentication and successfully subscribed to a real resource on the Asterisk server.

Resolution: The socket-servicing thread is now no longer capable of dispatching synchronous tasks to other threads since that may result in deadlocks.

Affected Versions
  Product                 Release Series   Versions
  Asterisk Open Source    12.x             All versions

Corrected In
  Product                 Release
  Asterisk Open Source    12.3.1
Comment 2 Agostino Sarubbo gentoo-dev 2014-06-13 12:43:49 UTC
asterisk 12.x is masked, then the bug is invalid.
Comment 3 Tony Vroon (RETIRED) gentoo-dev 2014-06-14 12:35:28 UTC
+*asterisk-12.3.1 (14 Jun 2014)
+
+  14 Jun 2014; Tony Vroon <chainsaw@gentoo.org> -asterisk-12.1.1.ebuild,
+  -asterisk-12.2.0.ebuild, -asterisk-12.3.0.ebuild, +asterisk-12.3.1.ebuild:
+  And now for the 12 branch, which has additional vulnerabilities in the PJSIP
+  channel driver. MixMonitor AMI command allowed arbitrary shell commands to be
+  executed (AST-2014-006). Upstream replacement of plain broken SSL read
+  implementation as part of an HTTPS denial of service (AST-2014-007) finally
+  fixes ASTERISK-18345 after almost three years. Relevant downstream patch
+  removed, this means we were very likely not vulnerable. Resolves a remote
+  crash in publish/subscribe framework (AST-2014-005) due to deadlock on a
+  synchronously dispatched task.
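Review bot: the closing sentence of this ChangeLog entry merges two separate advisories: the remote crash in the publish/subscribe framework is AST-2014-005 (an assertion failure when sub_min_expiry is 0, per the description above), while the deadlock on a synchronously dispatched task is AST-2014-008 (comment 1), and the entry never cites -008 at all. Suggest splitting it, e.g. "Resolves a remote crash in the publish/subscribe framework (AST-2014-005) and a deadlock on a synchronously dispatched task (AST-2014-008)." so the entry matches the advisory pairing in the bug title.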

All ebuilds in this branch are masked; no stabilisation required but vulnerable ebuilds removed from tree. Handled in bug #513102 due to closure of this report.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2014-08-10 21:14:19 UTC
CVE-2014-4048 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4048):
  The PJSIP Channel Driver in Asterisk Open Source before 12.3.1 allows remote
  attackers to cause a denial of service (deadlock) by terminating a
  subscription request before it is complete, which triggers a SIP transaction
  timeout.

CVE-2014-4045 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4045):
  The Publish/Subscribe Framework in the PJSIP channel driver in Asterisk Open
  Source 12.x before 12.3.1, when sub_min_expiry is set to zero, allows remote
  attackers to cause a denial of service (assertion failure and crash) via an
  unsubscribe request when not subscribed to the device.