Quantcast
Channel: BOT24
Viewing all articles
Browse latest Browse all 8064

AST-2014-005: Remote Crash in PJSIP Channel Driver's Publish/Subscribe Framework

$
0
0
 Asterisk Project Security Advisory - AST-2014-005

         Product        Asterisk
         Summary        Remote Crash in PJSIP Channel Driver's
                        Publish/Subscribe Framework
    Nature of Advisory  Denial of Service
      Susceptibility    Remote Unauthenticated Sessions
         Severity       Moderate
      Exploits Known    No
       Reported On      March 17, 2014
       Reported By      John Bigelow <jbigelow AT digium DOT com>
        Posted On       June 12, 2014
     Last Updated On    June 12, 2014
     Advisory Contact   Kevin Harwell <kharwell AT digium DOT com>
         CVE Name       CVE-2014-4045

    Description  A remotely exploitable crash vulnerability exists in the
                 PJSIP channel driver's pub/sub framework. If an attempt is
                 made to unsubscribe when not currently subscribed and the
                 endpoint's "sub_min_expiry" is set to zero, Asterisk tries
                 to create an expiration timer with zero seconds, which is
                 not allowed, so an assertion raised.

    Resolution  Upgrade to a version with the patch integrated, apply the
                patch, or make sure the "sub_min_expiry" endpoint
                configuration option is greater than zero.

                               Affected Versions
                 Product               Release Series
          Asterisk Open Source              12.x       All

                                  Corrected In
                      Product                              Release
             Asterisk Open Source 12.x                      12.3.1

                                    Patches
                               SVN URL                              Revision
   http://downloads.asterisk.org/pub/security/AST-2014-005-12.diff Asterisk
                                                                   12

       Links     https://issues.asterisk.org/jira/browse/ASTERISK-23489

    Asterisk Project Security Advisories are posted at
    http://www.asterisk.org/security

    This document may be superseded by later versions; if so, the latest
    version will be posted at
    http://downloads.digium.com/pub/security/AST-2014-005.pdf and
    http://downloads.digium.com/pub/security/AST-2014-005.html

                                Revision History
          Date                  Editor                 Revisions Made
    April 14, 2014     Kevin Harwell             Document Creation
    June 12, 2014      Matt Jordan               Added CVE

               Asterisk Project Security Advisory - AST-2014-005
              Copyright (c) 2014 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

Viewing all articles
Browse latest Browse all 8064

Trending Articles