CVE-2024-42491 – A malformed Contact or Record-Route URI in an incoming SIP request can cause Asterisk to crash when res_resolver_unbound is used
https://notcve.org/view.php?id=CVE-2024-42491
Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.24.3, 20.9.3, and 21.4.3 of Asterisk and versions 18.9-cert12 and 20.7-cert2 of certified-asterisk, if Asterisk attempts to send a SIP request to a URI whose host portion starts with `.1` or `[.1]`, and res_resolver_unbound is loaded, Asterisk will crash with a SEGV. To receive a patch, users should upgrade to one of the following versions: 18.24.3, 20.9.3, 21.4.3, certified-18.9-cert12, certified-20.7-cert2. Two workarounds are available. Disable res_resolver_unbound by setting `noload = res_resolver_unbound.so` in modules.conf, or set `rewrite_contact = yes` on all PJSIP endpoints. • https://github.com/asterisk/asterisk/commit/42a2f4ccfa2c7062a15063e765916b3332e34cc4 https://github.com/asterisk/asterisk/commit/4f01669c7c41c9184f3cce9a3cf1b2ebf6201742 https://github.com/asterisk/asterisk/commit/50bf8d4d3064930d28ecf1ce3397b14574d514d2 https://github.com/asterisk/asterisk/commit/7a0090325bfa9d778a39ae5f7d0a98109e4651c8 https://github.com/asterisk/asterisk/commit/a15050650abf09c10a3c135fab148220cd41d3a0 https://github.com/asterisk/asterisk/security/advisories/GHSA-v428-g3cw-7hv9 • CWE-252: Unchecked Return Value CWE-476: NULL Pointer Dereference •
CVE-2024-42365 – Asterisk allows `Write=originate` as sufficient permissions for code execution / `System()` dialplan
https://notcve.org/view.php?id=CVE-2024-42365
Asterisk is an open source private branch exchange (PBX) and telephony toolkit. Prior to asterisk versions 18.24.2, 20.9.2, and 21.4.2 and certified-asterisk versions 18.9-cert11 and 20.7-cert2, an AMI user with `write=originate` may change all configuration files in the `/etc/asterisk/` directory. This occurs because they are able to curl remote files and write them to disk, but are also able to append to existing files using the `FILE` function inside the `SET` application. This issue may result in privilege escalation, remote code execution and/or blind server-side request forgery with arbitrary protocol. Asterisk versions 18.24.2, 20.9.2, and 21.4.2 and certified-asterisk versions 18.9-cert11 and 20.7-cert2 contain a fix for this issue. • https://github.com/asterisk/asterisk/blob/14367caaf7241df1eceea7c45c5b261989c2c6db/main/manager.c#L6426 https://github.com/asterisk/asterisk/blob/7d28165cb1b2d02d66e8693bd3fe23ee72fc55d8/main/manager.c#L6426 https://github.com/asterisk/asterisk/commit/42a2f4ccfa2c7062a15063e765916b3332e34cc4 https://github.com/asterisk/asterisk/commit/7a0090325bfa9d778a39ae5f7d0a98109e4651c8 https://github.com/asterisk/asterisk/commit/b4063bf756272254b160b6d1bd6e9a3f8e16cc71 https://github.com/asterisk/asterisk/commit/bbe68db10ab8a80c29db383e4dfe14f6eafaf993 https://github.com/asterisk/asterisk • CWE-267: Privilege Defined With Unsafe Actions CWE-1220: Insufficient Granularity of Access Control •
CVE-2024-35190 – Asterisk' res_pjsip_endpoint_identifier_ip: wrongly matches ALL unauthorized SIP requests
https://notcve.org/view.php?id=CVE-2024-35190
Asterisk is an open source private branch exchange and telephony toolkit. After upgrade to 18.23.0, ALL unauthorized SIP requests are identified as PJSIP Endpoint of local asterisk server. This vulnerability is fixed in 18.23.1, 20.8.1, and 21.3.1. Asterisk es un conjunto de herramientas de telefonía y centralita privada de código abierto. Después de la actualización a 18.23.0, TODAS las solicitudes SIP no autorizadas se identifican como endpoint PJSIP del servidor asterisk local. • https://github.com/asterisk/asterisk/commit/85241bd22936cc15760fd1f65d16c98be7aeaf6d https://github.com/asterisk/asterisk/pull/600 https://github.com/asterisk/asterisk/pull/602 https://github.com/asterisk/asterisk/security/advisories/GHSA-qqxj-v78h-hrf9 • CWE-303: Incorrect Implementation of Authentication Algorithm CWE-480: Use of Incorrect Operator CWE-670: Always-Incorrect Control Flow Implementation •
CVE-2023-49786 – Asterisk susceptible to Denial of Service via DTLS Hello packets during call initiation
https://notcve.org/view.php?id=CVE-2023-49786
Asterisk is an open source private branch exchange and telephony toolkit. In Asterisk prior to versions 18.20.1, 20.5.1, and 21.0.1; as well as certified-asterisk prior to 18.9-cert6; Asterisk is susceptible to a DoS due to a race condition in the hello handshake phase of the DTLS protocol when handling DTLS-SRTP for media setup. This attack can be done continuously, thus denying new DTLS-SRTP encrypted calls during the attack. Abuse of this vulnerability may lead to a massive Denial of Service on vulnerable Asterisk servers for calls that rely on DTLS-SRTP. Commit d7d7764cb07c8a1872804321302ef93bf62cba05 contains a fix, which is part of versions 18.20.1, 20.5.1, 21.0.1, amd 18.9-cert6. • http://packetstormsecurity.com/files/176251/Asterisk-20.1.0-Denial-Of-Service.html http://seclists.org/fulldisclosure/2023/Dec/24 http://www.openwall.com/lists/oss-security/2023/12/15/7 https://github.com/EnableSecurity/advisories/tree/master/ES2023-01-asterisk-dtls-hello-race https://github.com/asterisk/asterisk/commit/d7d7764cb07c8a1872804321302ef93bf62cba05 https://github.com/asterisk/asterisk/security/advisories/GHSA-hxj9-xwr8-w8pq https://lists.debian.org/debian-lts-announce/2023/12/msg00019.html • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE-703: Improper Check or Handling of Exceptional Conditions •
CVE-2023-37457 – Asterisk's PJSIP_HEADER dialplan function can overwrite memory/cause crash when using 'update'
https://notcve.org/view.php?id=CVE-2023-37457
Asterisk is an open source private branch exchange and telephony toolkit. In Asterisk versions 18.20.0 and prior, 20.5.0 and prior, and 21.0.0; as well as ceritifed-asterisk 18.9-cert5 and prior, the 'update' functionality of the PJSIP_HEADER dialplan function can exceed the available buffer space for storing the new value of a header. By doing so this can overwrite memory or cause a crash. This is not externally exploitable, unless dialplan is explicitly written to update a header based on data from an outside source. If the 'update' functionality is not used the vulnerability does not occur. • https://github.com/asterisk/asterisk/commit/a1ca0268254374b515fa5992f01340f7717113fa https://github.com/asterisk/asterisk/security/advisories/GHSA-98rc-4j27-74hh https://lists.debian.org/debian-lts-announce/2023/12/msg00019.html • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •