wardmundy (Nerd Uno), joined Oct 12, 2007
Be advised that a new SIP vulnerability has been identified for systems that enable SIP access from untrusted sources. This vulnerability exists in all releases of Asterisk below the following versions:
1.4.38.1
1.6.2.15.1
1.8.2.1
Patches for earlier versions are included below. You can read the announcement here.
Special thanks to Malcolm Davenport for the heads up.
Description
When forming an outgoing SIP request while in pedantic mode, a stack buffer can be made to overflow if supplied with carefully crafted caller ID information. This vulnerability also affects the URIENCODE dialplan function and, in some versions of Asterisk, the AGI dialplan application as well. The ast_uri_encode function does not properly respect the size of its output buffer and can write past the end of it when encoding URIs.
Resolution
The size of the output buffer passed to the ast_uri_encode function is now properly respected.
In Asterisk versions not containing the fix for this issue, limiting strings originating from remote sources that will be URI encoded to a length of 40 characters will protect against this vulnerability.
exten => s,1,Set(CALLERID(num)=${CALLERID(num):0:40})
exten => s,n,Set(CALLERID(name)=${CALLERID(name):0:40})
exten => s,n,Dial(SIP/channel)
The CALLERID(num) and CALLERID(name) channel values, and any strings passed to the URIENCODE dialplan function should be limited in this manner.
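As an added illustration of the fix described in the Resolution section (this is example code written for this post, not Asterisk's own ast_uri_encode or any code from the advisory), the C below implements a percent-encoder that takes the size of its output buffer and never writes past it, truncating on a whole escape sequence so the result is always a NUL-terminated string. The names uri_encode_bounded, truncate_callerid and encode_stays_in_bounds are hypothetical; truncate_callerid mirrors the effect of the ${CALLERID(num):0:40} dialplan workaround, and encode_stays_in_bounds is the kind of sentinel check a reviewer can use to confirm an encoder respects its buffer length on over-long, constructed input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Unreserved characters per RFC 3986 pass through unchanged;
 * every other byte is emitted as %XX. */
static int is_unreserved(unsigned char c) {
    return isalnum(c) || c == '-' || c == '_' || c == '.' || c == '~';
}

/* Hypothetical bounded URI encoder (not Asterisk's ast_uri_encode).
 * Writes at most outlen bytes into outbuf, including the terminating NUL,
 * and stops before a character that would not fit, so a partially encoded
 * escape sequence is never produced. Returns the number of characters
 * written (excluding the NUL), or -1 if outlen is zero. */
int uri_encode_bounded(const char *in, char *outbuf, size_t outlen) {
    static const char hex[] = "0123456789ABCDEF";
    size_t pos = 0;
    if (outlen == 0)
        return -1;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        if (is_unreserved(*p)) {
            if (pos + 1 >= outlen)      /* room for the byte plus the NUL? */
                break;
            outbuf[pos++] = (char)*p;
        } else {
            if (pos + 3 >= outlen)      /* room for %XX plus the NUL? */
                break;
            outbuf[pos++] = '%';
            outbuf[pos++] = hex[*p >> 4];
            outbuf[pos++] = hex[*p & 0x0f];
        }
    }
    outbuf[pos] = '\0';
    return (int)pos;
}

/* Keeps the first max_chars bytes of a caller-ID string, the same effect
 * the dialplan workaround ${CALLERID(num):0:40} has on remote input.
 * Returns the length of the truncated string. */
int truncate_callerid(const char *in, char *out, size_t outlen, size_t max_chars) {
    size_t n = strlen(in);
    if (n > max_chars)
        n = max_chars;
    if (n + 1 > outlen)             /* never exceed the caller's buffer either */
        n = outlen - 1;
    memcpy(out, in, n);
    out[n] = '\0';
    return (int)n;
}

/* Sentinel check: encode `in` into a buffer of `outlen` bytes that is
 * followed by guard bytes, then verify the guard bytes are untouched and
 * the result is NUL-terminated inside the buffer. Returns 1 on success. */
int encode_stays_in_bounds(const char *in, size_t outlen) {
    const size_t guard = 8;
    unsigned char *buf = malloc(outlen + guard);
    if (!buf)
        return 0;
    memset(buf, 0xAA, outlen + guard);
    int n = uri_encode_bounded(in, (char *)buf, outlen);
    int ok = n >= 0 && (size_t)n < outlen && buf[n] == '\0';
    for (size_t i = outlen; i < outlen + guard; i++)
        if (buf[i] != 0xAA)
            ok = 0;
    free(buf);
    return ok;
}

int main(void) {
    /* Constructed sample: a caller-ID name with characters that must be
     * escaped, far longer than the 16-byte buffer it is encoded into. */
    const char *sample = "Alice <sip:alice@example.invalid> & friends; quite a long display name";
    char small[16];
    int n = uri_encode_bounded(sample, small, sizeof small);
    printf("encoded %d bytes into a %zu-byte buffer: \"%s\"\n", n, sizeof small, small);
    printf("stays in bounds: %s\n", encode_stays_in_bounds(sample, sizeof small) ? "yes" : "no");

    char cid[41];
    truncate_callerid(sample, cid, sizeof cid, 40);
    printf("caller ID truncated to 40 chars: \"%s\"\n", cid);
    return 0;
}
```

The encoder checks for space before each write rather than after, and treats a %XX triple as indivisible, which is what prevents both the overflow and a dangling partial escape at the truncation point. Because every byte can expand to three, the worst-case output for an input of length L is 3L + 1 bytes including the NUL; sizing the output buffer from that bound, or capping the input as the dialplan workaround does, are the two defensive options.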