Bug 668848 (CVE-2018-12227, CVE-2018-17281) - <net-misc/asterisk-13.23.1: multiple vulnerabilities (CVE-2018-{12227,17281})
Summary: <net-misc/asterisk-13.23.1: multiple vulnerabilities (CVE-2018-{12227,17281})
Status: RESOLVED FIXED
Alias: CVE-2018-12227, CVE-2018-17281
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://www.asterisk.org/downloads/se...
Whiteboard: B3 [glsa+ cve cleanup]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-10-17 00:59 UTC by Vlad K.
Modified: 2018-11-24 19:46 UTC

See Also:
Package list:
net-misc/asterisk-13.23.1
Runtime testing required: ---
stable-bot: sanity-check+


Description Vlad K. 2018-10-17 00:59:55 UTC
* CVE-2018-12227
  PJSIP endpoint presence disclosure when using ACL

  http://downloads.asterisk.org/pub/security/AST-2018-008.html

  When endpoint specific ACL rules block a SIP request they respond with a 403
  forbidden. However, if an endpoint is not identified then a 401 unauthorized
  response is sent. This vulnerability just discloses which requests hit a
  defined endpoint. The ACL rules cannot be bypassed to gain access to the
  disclosed endpoints.
* CVE-2018-17281
  Remote crash vulnerability in HTTP websocket upgrade

  http://downloads.asterisk.org/pub/security/AST-2018-009.html

  There is a stack overflow vulnerability in the res_http_websocket.so module
  of Asterisk that allows an attacker to crash Asterisk via a specially crafted
  HTTP request to upgrade the connection to a websocket. The attacker’s request
  causes Asterisk to run out of stack space and crash.
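The first advisory above turns on a single detail: a request that hits an endpoint-specific ACL gets a 403, while a request for an endpoint that does not exist gets the usual 401 challenge, so the status code alone confirms which endpoint names are real. The following Python is an added example, not code from Asterisk or from this bug report. It models that response logic in simplified form beside a variant whose wire-visible status no longer depends on endpoint existence (the shape of that variant is an assumption for illustration, not a description of the project's actual patch), and it adds a defender-side check over constructed request records that flags a source receiving a mix of 401 and 403 across several endpoint names. The endpoint names, ACL contents, record format, addresses and threshold are all constructed.

```python
# Added example (not Asterisk code and not from the bug report). Models the
# 401/403 existence side channel described for CVE-2018-12227 and a log-side
# check for it. Everything below is constructed for illustration.
from collections import defaultdict

# Constructed sample state: endpoints that exist, and the subset whose
# endpoint-specific ACL denies the probing source address.
KNOWN_ENDPOINTS = {"alice", "bob", "carol"}
ACL_DENIED = {"bob", "carol"}


def vulnerable_response(endpoint: str) -> tuple[int, bool]:
    """Pre-fix behaviour as the advisory describes it (simplified).

    Returns (status_code, proceeds_to_auth). An ACL denial on an identified
    endpoint answers 403; an unidentified endpoint gets the ordinary 401
    challenge. The 403 therefore confirms that the name exists.
    """
    if endpoint not in KNOWN_ENDPOINTS:
        return 401, False          # nobody identified: plain challenge
    if endpoint in ACL_DENIED:
        return 403, False          # identified, but ACL blocks the source
    return 401, True               # identified and permitted: normal digest challenge


def hardened_response(endpoint: str) -> tuple[int, bool]:
    """Assumed hardened shape (illustration only, not the project's patch).

    The ACL decision is still enforced internally (the request is not processed
    further), but the status sent on the wire is the same whether the endpoint
    name matched anything or not, so the code carries no existence information.
    """
    identified = endpoint in KNOWN_ENDPOINTS
    proceeds = identified and endpoint not in ACL_DENIED
    return 401, proceeds


def status_leaks_existence(responder) -> bool:
    """True if an unauthenticated probe can tell an ACL-denied existing
    endpoint from a nonexistent one by status code alone."""
    denied_status, _ = responder("bob")        # exists, ACL-denied
    unknown_status, _ = responder("nobody")    # does not exist
    return denied_status != unknown_status


# Constructed request records: (source address, requested endpoint, status sent).
# 203.0.113.5 walks several names and harvests the 401/403 split; 198.51.100.9
# is a legitimately blocked client retrying one endpoint.
SAMPLE_RECORDS = [
    ("203.0.113.5", "alice", 401),
    ("203.0.113.5", "bob", 403),
    ("203.0.113.5", "zed", 401),
    ("203.0.113.5", "carol", 403),
    ("203.0.113.5", "mallory", 401),
    ("198.51.100.9", "bob", 403),
    ("198.51.100.9", "bob", 403),
]


def find_enumeration_sources(records, min_distinct: int = 3) -> list[str]:
    """Sources that asked for at least `min_distinct` different endpoint names
    and received both 401 and 403. That mix of codes is exactly what an
    existence scan collects, which makes it a useful (constructed) alert
    condition on an unpatched server; a single blocked client retrying one
    endpoint only ever sees one code and is not reported."""
    names = defaultdict(set)
    codes = defaultdict(set)
    for src, endpoint, status in records:
        names[src].add(endpoint)
        codes[src].add(status)
    return sorted(
        src for src in names
        if len(names[src]) >= min_distinct and {401, 403} <= codes[src]
    )


if __name__ == "__main__":
    print("vulnerable model leaks:", status_leaks_existence(vulnerable_response))
    print("hardened model leaks:  ", status_leaks_existence(hardened_response))
    print("sources to review:     ", find_enumeration_sources(SAMPLE_RECORDS))
```

The point of the hardened variant is that enforcement and disclosure are separate: the ACL can keep denying the request while the response stays indistinguishable from the unknown-endpoint case. The record check is only meaningful for instances still running a vulnerable version; once upgraded to 13.23.1 or later the 403 branch is not available to a probe.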
Comment 1 Larry the Git Cow gentoo-dev 2018-10-17 08:29:52 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8979cd86bc10fb98bb70fc9a710d17912af73982

commit 8979cd86bc10fb98bb70fc9a710d17912af73982
Author:     Tony Vroon <chainsaw@gentoo.org>
AuthorDate: 2018-10-17 08:26:36 +0000
Commit:     Tony Vroon <chainsaw@gentoo.org>
CommitDate: 2018-10-17 08:29:28 +0000

    net-misc/asterisk: CVE-2018-12227, CVE-2018-17281
    
    Version bump to 13.23.1 to address 2 security vulnerabilities.
    
    CVE-2018-12227: PJSIP information disclosure
    SIP requests blocked by ACL respond 403 for an endpoint that
    exists and 401 for an endpoint that does not, allowing an
    attacker to identify valid accounts.
    
    CVE-2018-17281: HTTP websocket stack overflow
    An attacker can exhaust available stack space and crash the
    running Asterisk instance by sending a specially crafted HTTP
    request to res_http_websocket.so
    
    Bug: https://bugs.gentoo.org/668848
    Signed-Off-By: Tony Vroon <chainsaw@gentoo.org>
    Package-Manager: Portage-2.3.49, Repoman-2.3.11

 net-misc/asterisk/Manifest                |   1 +
 net-misc/asterisk/asterisk-13.23.1.ebuild | 327 ++++++++++++++++++++++++++++++
 2 files changed, 328 insertions(+)
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2018-10-17 12:08:36 UTC
x86 stable
Comment 3 Agostino Sarubbo gentoo-dev 2018-10-17 16:10:37 UTC
amd64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 4 Tony Vroon (RETIRED) gentoo-dev 2018-10-18 08:09:38 UTC
Clean-up is complete. Maintainer recommends GLSA due to remote crash & information disclosure.
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2018-11-09 23:53:40 UTC
Can you please verify that the bugs in Bug #645710 and Bug #636972 are fixed as part of this version release. We can then release a GLSA for all three of them.
Comment 6 Tony Vroon (RETIRED) gentoo-dev 2018-11-12 08:46:08 UTC
(In reply to Yury German from comment #5)
> Can you please verify that the bugs in Bug #645710 and Bug #636972 are fixed
> as part of this version release. We can then release a GLSA for all three of
> them.

"13.18.4 and older" // CVE-2017-17850 // #645710 <- Yes
"before 13.18.1" // CVE-2017-16672 // #636972 <- Yes
"before 13.18.1" // CVE-2017-16671 // #636972 <- Yes
Comment 7 Yury German Gentoo Infrastructure gentoo-dev 2018-11-13 01:05:00 UTC
Thank you for the feedback and the work. GLSA request created for all 3.

Maintainer(s), please drop the vulnerable version(s).
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2018-11-24 19:46:23 UTC
This issue was resolved and addressed in
 GLSA 201811-11 at https://security.gentoo.org/glsa/201811-11
by GLSA coordinator Aaron Bauman (b-man).