Asterisk Project Security Advisory - AST-2014-002 Product Asterisk Summary Denial of Service Through File Descriptor Exhaustion with chan_sip Session-Timers Nature of Advisory Denial of Service Susceptibility Remote Authenticated or Anonymous Sessions Severity Moderate Exploits Known No Reported On 2014/02/25 Reported By Corey Farrell Posted On March 10, 2014 Last Updated On March 10, 2014 Advisory Contact Kinsey Moore <kmoore AT digium DOT com> CVE Name CVE-2014-2287 Description An attacker can use all available file descriptors using SIP INVITE requests. Knowledge required to achieve the attack: * Valid account credentials or anonymous dial in * A valid extension that can be dialed from the SIP account Trigger conditions: * chan_sip configured with "session-timers" set to "originate" or "accept" ** The INVITE request must contain either a Session-Expires or a Min-SE header with malformed values or values disallowed by the system's configuration. * chan_sip configured with "session-timers" set to "refuse" ** The INVITE request must offer "timer" in the "Supported" header Asterisk will respond with code 400, 420, or 422 for INVITEs meeting this criteria. Each INVITE meeting these conditions will leak a channel and several file descriptors. The file descriptors cannot be released without restarting Asterisk which may allow intrusion detection systems to be bypassed by sending the requests slowly. Resolution Upgrade to a version with the patch integrated or apply the appropriate patch. Affected Versions Product Release Series Asterisk Open Source 1.8.x All Asterisk Open Source 11.x All Asterisk Open Source 12.x All Certified Asterisk 1.8.15 All Certified Asterisk 11.6 All Corrected In Product Release Asterisk Open Source 1.8.x 1.8.26.1 Asterisk Open Source 11.x 11.8.1 Asterisk Open Source 12.x 12.1.1 Certified Asterisk 1.8.15 1.8.15-cert5 Certified Asterisk 11.6 11.6-cert2 Patches SVN URL Revision http://downloads.asterisk.org/pub/security/AST-2014-002-1.8.diff Asterisk 1.8 http://downloads.asterisk.org/pub/security/AST-2014-002-11.diff Asterisk 11 http://downloads.asterisk.org/pub/security/AST-2014-002-12.diff Asterisk 12 http://downloads.asterisk.org/pub/security/AST-2014-002-11.6.diff Asterisk 11.6 Certified http://downloads.asterisk.org/pub/security/AST-2014-002-1.8.15.diff Asterisk 1.8.15 Certified Links https://issues.asterisk.org/jira/browse/ASTERISK-23373 Asterisk Project Security Advisories are posted at http://www.asterisk.org/security This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2014-002.pdf and http://downloads.digium.com/pub/security/AST-2014-002.html Revision History Date Editor Revisions Made 2014/03/04 Kinsey Moore Document Creation 2014/03/06 Kinsey Moore Corrections and Wording Clarification 2014/03/10 Kinsey Moore Added missing patch links Asterisk Project Security Advisory - AST-2014-002 Copyright (c) 2014 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.