CVE-2024-42491 – A malformed Contact or Record-Route URI in an incoming SIP request can cause Asterisk to crash when res_resolver_unbound is used
https://notcve.org/view.php?id=CVE-2024-42491
Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.24.3, 20.9.3, and 21.4.3 of Asterisk and versions 18.9-cert12 and 20.7-cert2 of certified-asterisk, if Asterisk attempts to send a SIP request to a URI whose host portion starts with `.1` or `[.1]`, and res_resolver_unbound is loaded, Asterisk will crash with a SEGV. To receive a patch, users should upgrade to one of the following versions: 18.24.3, 20.9.3, 21.4.3, certified-18.9-cert12, certified-20.7-cert2. Two workarounds are available. Disable res_resolver_unbound by setting `noload = res_resolver_unbound.so` in modules.conf, or set `rewrite_contact = yes` on all PJSIP endpoints. • https://github.com/asterisk/asterisk/commit/42a2f4ccfa2c7062a15063e765916b3332e34cc4 https://github.com/asterisk/asterisk/commit/4f01669c7c41c9184f3cce9a3cf1b2ebf6201742 https://github.com/asterisk/asterisk/commit/50bf8d4d3064930d28ecf1ce3397b14574d514d2 https://github.com/asterisk/asterisk/commit/7a0090325bfa9d778a39ae5f7d0a98109e4651c8 https://github.com/asterisk/asterisk/commit/a15050650abf09c10a3c135fab148220cd41d3a0 https://github.com/asterisk/asterisk/security/advisories/GHSA-v428-g3cw-7hv9 • CWE-252: Unchecked Return Value CWE-476: NULL Pointer Dereference •
CVE-2024-42365 – Asterisk allows `Write=originate` as sufficient permissions for code execution / `System()` dialplan
https://notcve.org/view.php?id=CVE-2024-42365
Asterisk is an open source private branch exchange (PBX) and telephony toolkit. Prior to asterisk versions 18.24.2, 20.9.2, and 21.4.2 and certified-asterisk versions 18.9-cert11 and 20.7-cert2, an AMI user with `write=originate` may change all configuration files in the `/etc/asterisk/` directory. This occurs because they are able to curl remote files and write them to disk, but are also able to append to existing files using the `FILE` function inside the `SET` application. This issue may result in privilege escalation, remote code execution and/or blind server-side request forgery with arbitrary protocol. Asterisk versions 18.24.2, 20.9.2, and 21.4.2 and certified-asterisk versions 18.9-cert11 and 20.7-cert2 contain a fix for this issue. • https://github.com/asterisk/asterisk/blob/14367caaf7241df1eceea7c45c5b261989c2c6db/main/manager.c#L6426 https://github.com/asterisk/asterisk/blob/7d28165cb1b2d02d66e8693bd3fe23ee72fc55d8/main/manager.c#L6426 https://github.com/asterisk/asterisk/commit/42a2f4ccfa2c7062a15063e765916b3332e34cc4 https://github.com/asterisk/asterisk/commit/7a0090325bfa9d778a39ae5f7d0a98109e4651c8 https://github.com/asterisk/asterisk/commit/b4063bf756272254b160b6d1bd6e9a3f8e16cc71 https://github.com/asterisk/asterisk/commit/bbe68db10ab8a80c29db383e4dfe14f6eafaf993 https://github.com/asterisk/asterisk • CWE-267: Privilege Defined With Unsafe Actions CWE-1220: Insufficient Granularity of Access Control •
CVE-2024-35190 – Asterisk' res_pjsip_endpoint_identifier_ip: wrongly matches ALL unauthorized SIP requests
https://notcve.org/view.php?id=CVE-2024-35190
Asterisk is an open source private branch exchange and telephony toolkit. After upgrade to 18.23.0, ALL unauthorized SIP requests are identified as PJSIP Endpoint of local asterisk server. This vulnerability is fixed in 18.23.1, 20.8.1, and 21.3.1. Asterisk es un conjunto de herramientas de telefonía y centralita privada de código abierto. Después de la actualización a 18.23.0, TODAS las solicitudes SIP no autorizadas se identifican como endpoint PJSIP del servidor asterisk local. • https://github.com/asterisk/asterisk/commit/85241bd22936cc15760fd1f65d16c98be7aeaf6d https://github.com/asterisk/asterisk/pull/600 https://github.com/asterisk/asterisk/pull/602 https://github.com/asterisk/asterisk/security/advisories/GHSA-qqxj-v78h-hrf9 • CWE-303: Incorrect Implementation of Authentication Algorithm CWE-480: Use of Incorrect Operator CWE-670: Always-Incorrect Control Flow Implementation •
CVE-2021-46837
https://notcve.org/view.php?id=CVE-2021-46837
res_pjsip_t38 in Sangoma Asterisk 16.x before 16.16.2, 17.x before 17.9.3, and 18.x before 18.2.2, and Certified Asterisk before 16.8-cert7, allows an attacker to trigger a crash by sending an m=image line and zero port in a response to a T.38 re-invite initiated by Asterisk. This is a re-occurrence of the CVE-2019-15297 symptoms but not for exactly the same reason. The crash occurs because there is an append operation relative to the active topology, but this should instead be a replace operation. La función res_pjsip_t38 en Sangoma Asterisk versiones 16.x anteriores a 16.16.2, 17.x anteriores a 17.9.3, y 18.x anteriores a 18.2.2, y Certified Asterisk anteriores a 16.8-cert7, permite a un atacante desencadenar un fallo mediante el envío de una línea m=image y un puerto cero en una respuesta a una Re invitación T.38 iniciada por Asterisk. Se trata de una reaparición de los síntomas de la CVE-2019-15297 pero no exactamente por el mismo motivo. • https://downloads.asterisk.org/pub/security/AST-2021-006.html https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html https://www.debian.org/security/2022/dsa-5285 • CWE-476: NULL Pointer Dereference •
CVE-2022-23608 – Use after free in PJSIP
https://notcve.org/view.php?id=CVE-2022-23608
PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In versions up to and including 2.11.1 when in a dialog set (or forking) scenario, a hash key shared by multiple UAC dialogs can potentially be prematurely freed when one of the dialogs is destroyed . The issue may cause a dialog set to be registered in the hash table multiple times (with different hash keys) leading to undefined behavior such as dialog list collision which eventually leading to endless loop. A patch is available in commit db3235953baa56d2fb0e276ca510fefca751643f which will be included in the next release. There are no known workarounds for this issue. • http://packetstormsecurity.com/files/166226/Asterisk-Project-Security-Advisory-AST-2022-005.html http://seclists.org/fulldisclosure/2022/Mar/1 https://github.com/pjsip/pjproject/commit/db3235953baa56d2fb0e276ca510fefca751643f https://github.com/pjsip/pjproject/security/advisories/GHSA-ffff-m5fm-qm62 https://lists.debian.org/debian-lts-announce/2022/03/msg00035.html https://lists.debian.org/debian-lts-announce/2022/03/msg00040.html https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html https:/ • CWE-416: Use After Free •