               Asterisk Project Security Advisory - AST-2018-002

    Product              Asterisk
    Summary              Crash when given an invalid SDP media format description
    Nature of Advisory   Remote crash
    Susceptibility       Remote Authenticated Sessions
    Severity             Minor
    Exploits Known       No
    Reported On          January 15, 2018
    Reported By          Sandro Gauci
    Posted On            February 21, 2018
    Last Updated On      February 19, 2018
    Advisory Contact     Kevin Harwell <kharwell AT digium DOT com>
    CVE Name

    Description
        When the pjsip channel driver is in use, Asterisk crashes on receipt of
        an SDP message whose media format description is invalid, because
        pjproject's SDP parser fails to reject the invalid media format
        description.

        The severity of this vulnerability is lessened because an endpoint must
        be authenticated before the crash point can be reached, unless the
        endpoint is configured with no authentication.

    Resolution
        Stricter validation is now done when pjproject parses an SDP's media
        format description. Invalid values are now properly handled.

    Affected Versions
        Product                    Release Series
        Asterisk Open Source       13.x            All Releases
        Asterisk Open Source       14.x            All Releases
        Asterisk Open Source       15.x            All Releases
        Certified Asterisk         13.18           All Releases

    Corrected In
        Product                    Release
        Asterisk Open Source       13.19.2, 14.7.6, 15.2.2
        Certified Asterisk         13.18-cert3

    Patches
        SVN URL                                                           Revision
        http://downloads.asterisk.org/pub/security/AST-2018-002-13.diff    Asterisk 13
        http://downloads.asterisk.org/pub/security/AST-2018-002-14.diff    Asterisk 14
        http://downloads.asterisk.org/pub/security/AST-2018-002-15.diff    Asterisk 15
        http://downloads.asterisk.org/pub/security/AST-2018-002-13.18.diff Certified Asterisk 13.18

    Links
        https://issues.asterisk.org/jira/browse/ASTERISK-27582

    Asterisk Project Security Advisories are posted at
    http://www.asterisk.org/security

    This document may be superseded by later versions; if so, the latest
    version will be posted at
    http://downloads.digium.com/pub/security/AST-2018-002.pdf and
    http://downloads.digium.com/pub/security/AST-2018-002.html

    Revision History
        Date                 Editor           Revisions Made
        January 30, 2018     Kevin Harwell    Initial Revision

    Copyright (c) 2018 Digium, Inc. All Rights Reserved.
    Permission is hereby granted to distribute and publish this advisory in its
    original, unaltered form.
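The advisory describes the fix only as "stricter validation" of the SDP media format description. The following is an added example, written for this page and not code from pjproject or the Asterisk patches, of the kind of strict check an SDP `m=` line needs before its tokens are handed to anything that indexes or allocates on them: every format token must be present, bounded in length (the `SDP_MAX_FMT_LEN` limit of 32 is an assumption of this example; pjproject's own bound, if any, may differ), and, for RTP-based transports, a decimal payload type in 0..127. The media line, port range and "at least one format" rules follow RFC 4566; the sample lines in `main` are constructed for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed bound on one <fmt> token (this example's choice, not pjproject's). */
#define SDP_MAX_FMT_LEN 32

enum sdp_result {
    SDP_OK = 0,
    SDP_ERR_PREFIX,     /* line does not start with "m="               */
    SDP_ERR_MEDIA,      /* missing <media> token                        */
    SDP_ERR_PORT,       /* <port>[/<count>] not numeric or out of range */
    SDP_ERR_PROTO,      /* missing <proto> token                        */
    SDP_ERR_NO_FMT,     /* no <fmt> at all (RFC 4566 requires one)      */
    SDP_ERR_FMT_LEN,    /* a <fmt> token exceeds SDP_MAX_FMT_LEN        */
    SDP_ERR_FMT_VALUE   /* RTP payload type is not an integer in 0..127 */
};

/* Skip blanks, return the next token (and its length) or NULL at end of line. */
static const char *next_token(const char **p, size_t *len)
{
    const char *s = *p;
    while (*s == ' ' || *s == '\t') s++;
    if (*s == '\0' || *s == '\r' || *s == '\n') { *p = s; return NULL; }
    const char *start = s;
    while (*s && *s != ' ' && *s != '\t' && *s != '\r' && *s != '\n') s++;
    *len = (size_t)(s - start);
    *p = s;
    return start;
}

/* Strict unsigned decimal: digits only, no sign, no overflow, value <= max. */
static int parse_uint(const char *tok, size_t len, unsigned long max, unsigned long *out)
{
    if (len == 0 || len > 10) return -1;
    unsigned long v = 0;
    for (size_t i = 0; i < len; i++) {
        if (!isdigit((unsigned char)tok[i])) return -1;
        v = v * 10 + (unsigned long)(tok[i] - '0');
        if (v > max) return -1;
    }
    *out = v;
    return 0;
}

/* RTP/AVP, RTP/SAVP, RTP/AVPF, RTP/SAVPF and TCP/RTP/... all contain "RTP/". */
static int is_rtp_proto(const char *tok, size_t len)
{
    for (size_t i = 0; i + 4 <= len; i++)
        if (strncmp(tok + i, "RTP/", 4) == 0) return 1;
    return 0;
}

/* Validate "m=<media> <port>[/<count>] <proto> <fmt> ..." without modifying it. */
enum sdp_result sdp_validate_media_line(const char *line)
{
    if (strncmp(line, "m=", 2) != 0) return SDP_ERR_PREFIX;
    const char *p = line + 2;
    const char *tok;
    size_t len;

    if (!(tok = next_token(&p, &len))) return SDP_ERR_MEDIA;

    if (!(tok = next_token(&p, &len))) return SDP_ERR_PORT;
    {
        const char *slash = memchr(tok, '/', len);
        size_t plen = slash ? (size_t)(slash - tok) : len;
        unsigned long v;
        if (parse_uint(tok, plen, 65535, &v) != 0) return SDP_ERR_PORT;
        if (slash && parse_uint(slash + 1, len - plen - 1, 65535, &v) != 0) return SDP_ERR_PORT;
    }

    if (!(tok = next_token(&p, &len))) return SDP_ERR_PROTO;
    int rtp = is_rtp_proto(tok, len);

    /* Every format token is checked before anything downstream touches it. */
    int nfmt = 0;
    while ((tok = next_token(&p, &len)) != NULL) {
        if (len > SDP_MAX_FMT_LEN) return SDP_ERR_FMT_LEN;
        if (rtp) {
            unsigned long pt;
            if (parse_uint(tok, len, 127, &pt) != 0) return SDP_ERR_FMT_VALUE;
        }
        nfmt++;
    }
    return nfmt == 0 ? SDP_ERR_NO_FMT : SDP_OK;
}

int main(void)
{
    /* Constructed sample lines: two well-formed, three that must be rejected. */
    const char *samples[] = {
        "m=audio 49170 RTP/AVP 0 8 101",
        "m=application 9 UDP/DTLS/SCTP webrtc-datachannel",
        "m=audio 49170 RTP/AVP",
        "m=audio 49170 RTP/AVP 300",
        "m=audio 49170 RTP/AVP abc",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-50s -> %d\n", samples[i], (int)sdp_validate_media_line(samples[i]));
    return 0;
}
```

Rejecting the line early is the point: a parser that only stores the raw tokens and later converts a payload type with no range check is exactly the shape of code that dereferences or indexes out of bounds on hostile input, and the reachable-after-authentication caveat in the advisory does not help deployments with endpoints that accept anonymous or unauthenticated calls.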