asterisk: Multiple vulnerabilities (CVE-2018-19278, CVE-2019-7251, CVE-2019-12827, CVE-2019-13161, CVE-2019-15297, CVE-2019-15639)
CVE-2018-19278: Remote crash vulnerability DNS SRV and NAPTR lookups
There is a buffer overflow vulnerability in dns_srv and dns_naptr functions of Asterisk that allows an attacker to crash Asterisk via a specially crafted DNS SRV or NAPTR response. The attacker’s request causes Asterisk to segfault and crash.
Affected Versions:
Asterisk 15.x All releases, 16.x All releases
Fixed In Version:
Asterisk 15.6.2 , 16.0.1
Reference:
http://downloads.asterisk.org/pub/security/AST-2018-010.html
CVE-2019-7251: Remote crash vulnerability with SDP protocol violation
When Asterisk makes an outgoing call, a very specific SDP protocol violation by the remote party can cause Asterisk to crash.
Affected Versions:
Asterisk 15.x All releases, 16.x All releases
Fixed In Version:
Asterisk 15.7.2, 16.2.1
Reference:
http://downloads.asterisk.org/pub/security/AST-2019-001.html
CVE-2019-12827: Remote crash vulnerability with MESSAGE messages
A specially crafted SIP in-dialog MESSAGE message can cause Asterisk to crash.
Affected Versions:
Asterisk 13.x All releases, 15.x All releases, 16.x All releases
Fixed In Version:
Asterisk 13.27.1, 15.7.3, 16.4.1
- master: cd7e79e4
Reference:
http://downloads.asterisk.org/pub/security/AST-2019-002.html
CVE-2019-13161: Remote Crash Vulnerability in chan_sip channel driver
When T.38 faxing is done in Asterisk a T.38 reinvite may be sent to an endpoint to switch it to T.38. If the endpoint responds with an improperly formatted SDP answer including both a T.38 UDPTL stream and an audio or video stream containing only codecs not allowed on the SIP peer or user a crash will occur. The code incorrectly assumes that there will be at least one common codec when T.38 is also in the SDP answer.
This requires Asterisk to initiate a T.38 reinvite which is only done when executing the ReceiveFax dialplan application or performing T.38 passthrough where a remote endpoint has requested T.38.
Affected Versions:
Asterisk 13.x All releases, 15.x All releases, 16.x All releases
Fixed In Version:
Asterisk 13.27.1, 15.7.3, 16.4.1
- master: cd7e79e4
Reference:
http://downloads.asterisk.org/pub/security/AST-2019-003.html
CVE-2019-15297: Crash when negotiating for T.38 with a declined stream
When Asterisk sends a re-invite initiating T.38 faxing, and the endpoint responds with a declined media stream a crash will then occur in Asterisk.
Affected Versions:
Asterisk 15.x All releases, 16.x All releases
Fixed In Version:
Asterisk 15.7.4, 16.5.1
References:
http://downloads.asterisk.org/pub/security/AST-2019-004.html
CVE-2019-15639: Remote Crash Vulnerability in audio transcoding
When audio frames are given to the audio transcoding support in Asterisk the number of samples are examined and as part of this a message is output to indicate that no samples are present. A change was done to suppress this message for a particular scenario in which the message was not relevant. This change assumed that information about the origin of a frame will always exist when in reality it may not.
This issue presented itself when an RTP packet containing no audio (and thus no samples) was received. In a particular transcoding scenario this audio frame would get turned into a frame with no origin information. If this new frame was then given to the audio transcoding support a crash would occur as no samples and no origin information would be present. The transcoding scenario requires the “genericplc” option to be set to enabled (the default) and a transcoding path from the source format into signed linear and then from signed linear into another format.
Note that there may be other scenarios that have not been found which can cause an audio frame with no origin to be given to the audio transcoding support and thus cause a crash.
Affected Versions:
Asterisk 13.x 13.28.0, 16.x 16.5.0
Fixed In Version:
Asterisk 13.28.1, 16.5.1
Reference:
http://downloads.asterisk.org/pub/security/AST-2019-005.html
Affected branches:
- master
- 3.10-stable
- 3.9-stable
- 3.8-stable
- 3.7-stable