The great folks on Digium’s security team published two security advisories this week that could lead to remote crashes of an Asterisk server.
The first, AST-2013-004, Remote Crash From Late Arriving SIP ACK With SDP, has this description:
A remotely exploitable crash vulnerability exists in the SIP channel driver if an ACK with SDP is received after the channel has been terminated. The handling code incorrectly assumes that the channel will always be present.
The second, AST-2013-005, Remote Crash when Invalid SDP is sent in SIP Request, has this description:
A remotely exploitable crash vulnerability exists in the SIP channel driver if an invalid SDP is sent in a SIP request that defines media descriptions before connection information. The handling code incorrectly attempts to reference the socket address information even though that information has not yet been set.
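The second advisory comes down to an ordering assumption: media descriptions (m= lines) were handled as if connection information (c=) had already been seen. As an added example, not Asterisk's code or anything from the advisory, here is a small SDP parser written from the defender's side that binds each m= line to its address only after the whole body has been read and rejects an offer that leaves a media description without one; the SDP samples in the test are constructed.

```python
import re

class SdpError(ValueError):
    """Raised for an SDP body that cannot be processed safely."""

def parse_sdp_media(sdp: str) -> list:
    """Return [(media_type, port, (family, address))] for every m= line.

    Session-level c= covers media without their own c=. Addresses are bound
    only after the whole body is read, so an m= that arrives before any
    connection information is rejected rather than handled with one unset.
    """
    session_conn = None
    media = []  # one dict per m= line, in order of appearance
    for raw in sdp.splitlines():
        line = raw.rstrip("\r")
        if not line:
            continue
        if line[1:2] != "=":
            raise SdpError(f"malformed line: {line!r}")
        key, value = line[0], line[2:]
        if key == "m":
            parts = value.split()
            if len(parts) < 4 or not parts[1].split("/")[0].isdigit():
                raise SdpError(f"malformed media description: {value!r}")
            media.append({"type": parts[0], "port": int(parts[1].split("/")[0]), "conn": None})
        elif key == "c":
            match = re.match(r"^IN (IP4|IP6) (\S+)$", value)  # c= value per RFC 4566
            if not match:
                raise SdpError(f"malformed connection line: {value!r}")
            conn = (match.group(1), match.group(2))
            if media:
                media[-1]["conn"] = conn  # c= after an m= belongs to that media
            else:
                session_conn = conn  # c= before any m= is session-level
    resolved = []
    for desc in media:
        conn = desc["conn"] or session_conn
        if conn is None:
            raise SdpError(f"media {desc['type']!r} has no connection information")
        resolved.append((desc["type"], desc["port"], conn))
    return resolved

def sdp_is_processable(sdp: str) -> bool:
    """True only if every media description resolves to a connection address."""
    try:
        parse_sdp_media(sdp)
        return True
    except SdpError:
        return False
```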
My one critique of the security advisories is that they don’t contain any “mitigating circumstances” that explain the circumstances under which the vulnerabilities could be exploited. For instance, it would seem from reading the documents that at least in the first case there would need to be a successful SIP connection established first – and then ended – before the packet could be received that would cause the crash. Unfortunately I don’t personally know Asterisk’s internals well enough to comment on that.
Regardless, the fix here is to upgrade to the latest versions of Asterisk as documented in the security advisories.
Kudos to the Digium folks for issuing these advisories and continuing their clear process of letting people know about security within Asterisk.