The Asterisk Development Team has announced security releases for Certified Asterisk 1.8.15, 11.6, and Asterisk 1.8, 11, and 12. The available security releases are released as versions 1.8.15-cert6, 11.6-cert3, 1.8.28.1, 11.10.1, and 12.3.1.
These releases are available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk/releases
The release of these versions resolves the following issue:
- AST-2014-007: Denial of Service via Exhaustion of Allowed Concurrent HTTP Connections Establishing a TCP or TLS connection to the configured HTTP or HTTPS port respectively in http.conf and then not sending or completing a HTTP request will tie up a HTTP session. By doing this repeatedly until the maximum number of open HTTP sessions is reached, legitimate requests are blocked.
Additionally, the release of 11.6-cert3, 11.10.1, and 12.3.1 resolves the following issue:
- AST-2014-006: Permission Escalation via Asterisk Manager User Unauthorized Shell Access Manager users can execute arbitrary shell commands with the MixMonitor manager action. Asterisk does not require system class authorization for a manager user to use the MixMonitor action, so any manager user who is permitted to use manager commands can potentially execute shell commands as the user executing the Asterisk process.
Additionally, the release of 12.3.1 resolves the following issues:
- AST-2014-005: Remote Crash in PJSIP Channel Driver’s Publish/Subscribe Framework A remotely exploitable crash vulnerability exists in the PJSIP channel driver’s pub/sub framework. If an attempt is made to unsubscribe when not currently subscribed and the endpoint’s “sub_min_expiry” is set to zero, Asterisk tries to create an expiration timer with zero seconds, which is not allowed, so an assertion raised.
- AST-2014-008: Denial of Service in PJSIP Channel Driver Subscriptions When a SIP transaction timeout caused a subscription to be terminated, the action taken by Asterisk was guaranteed to deadlock the thread on which SIP requests are serviced. Note that this behavior could only happen on established subscriptions, meaning that this could only be exploited if an attacker bypassed authentication and successfully subscribed to a real resource on the Asterisk server.
These issues and their resolutions are described in the security advisories. For more information about the details of these vulnerabilities, please read security advisories AST-2014-005, AST-2014-006, AST-2014-007, and AST-2014-008, which were released at the same time as this announcement. For a full list of changes in the current releases, please see the ChangeLogs:
- http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.15-cert6
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.28.1
- http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.6-cert3
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.10.1
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-12.3.1
The security advisories are available at:
- http://downloads.asterisk.org/pub/security/AST-2014-005.pdf
- http://downloads.asterisk.org/pub/security/AST-2014-006.pdf
- http://downloads.asterisk.org/pub/security/AST-2014-007.pdf
- http://downloads.asterisk.org/pub/security/AST-2014-008.pdf
Thank you for your continued support of Asterisk!