Bug#697230: asterisk: Two security issues: AST-2012-014 / AST-2012-015

Tzafrir Cohen tzafrir at cohens.org.il
Fri Jan 11 23:00:30 UTC 2013


On Tue, Jan 08, 2013 at 06:49:56PM +0100, Moritz Mühlenhoff wrote:
> On Tue, Jan 08, 2013 at 02:45:59AM +0200, Tzafrir Cohen wrote:
> > Hi,
> > 
> > On Wed, Jan 02, 2013 at 10:56:43PM +0100, Salvatore Bonaccorso wrote:
> > > Package: asterisk
> > > Severity: grave
> > > Tags: security
> > > Justification: user security hole
> > > 
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA512
> > > 
> > > Hi,
> > > 
> > > the following vulnerabilities were published for asterisk.
> > > 
> > > CVE-2012-5976[0]:
> > > Crashes due to large stack allocations when using TCP
> > > 
> > > CVE-2012-5977[1]:
> > > Denial of Service Through Exploitation of Device State Caching
> > > 
> > > If you fix the vulnerabilities please also make sure to include the
> > > CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> > > 
> > > For further information see:
> > > 
> > > [0] http://security-tracker.debian.org/tracker/CVE-2012-5976
> > > [1] http://security-tracker.debian.org/tracker/CVE-2012-5977
> > > 
> > > Please adjust the affected versions in the BTS as needed.
> > > 
> > > According to the advisories all 1.8.x versions seem affected.
> > 
> > Likewise is version 1.6.2 from Stable. I have fixes ready.
> 
> Ok, please upload to security-master once tests are sufficient.

Uploaded.

>  
> > On a side note, I'm not sure why
> > https://security-tracker.debian.org/tracker/CVE-2011-2666 is listed as
> > open. The respective bug has been closed:
> > As I mentioned before, I can change the default for alwaysauthreject,
> > I'm just not sure this should be done on a Stable package.
> 
> It's marked as 
> 
>         [squeeze] - asterisk <no-dsa> (minor issue; can be addressed through configuration)
> 
> The tracker is correct in so far, that this isn't fixed in squeeze through
> a code fix. If you provide a short text what people need to modify in their
> config we can add it to the DSA text and use this as the "fix" for stable.

Here goes:

CVE-2011-2666 (AST-2011-011) is an advisory that contained two parts:
It is generally useful security-wise to provide the same answer upon
authentication whether or not the authentication failed due to a missing
bad username or a bad password (to prevent enumerating existing users).
Asterisk has a setting called 'alwaysauthreject' in sip.conf to do that,
but up until 1.8 its value has defaulted to "no" (different answer).

The patch of CVE-2011-2666 fixed a case that even with this set to yes,
the response is different. This was fixed in 1.6.2.9-2+squeeze3 .
However in order to avoid breaking backward compatibility the default
has remained the same. Upstream developers strongly recommend that users
set 'alwaysauthreject=yes' in the section '[general]' of sip.conf.

-- 
Tzafrir Cohen         | tzafrir at jabber.org | VIM is
http://tzafrir.org.il |                    | a Mutt's
tzafrir at cohens.org.il |                    |  best
tzafrir at debian.org    |                    | friend
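
A check for the recommendation above, as an added example that is not part of the original message or of Asterisk itself: it reads sip.conf text and reports whether 'alwaysauthreject' is effectively enabled in '[general]'. The function names, the sample configs and the list of accepted true spellings are assumptions made for illustration.

```python
import re
import sys

# Spellings assumed to be read as true by Asterisk's boolean parsing.
TRUE_VALUES = {"yes", "true", "y", "t", "1", "on"}

# Constructed sample configs (not taken from a real system).
SAMPLE_COMMENTED = "[general]\nbindport=5060 ; alwaysauthreject=yes\n"
SAMPLE_WRONG_SECTION = "[general]\nbindport=5060\n[alice]\nalwaysauthreject=yes\n"
SAMPLE_FIXED = "[general]\n;alwaysauthreject=no\nalwaysauthreject => Yes\n"
SAMPLE_OVERRIDDEN = "[general]\nalwaysauthreject=yes\n[general](+)\nalwaysauthreject=no\n"


def effective_alwaysauthreject(conf_text):
    """Return 'yes', 'no' or None (never set in [general]).

    Handles ';' comments, '[general](+)' headers, 'key=value' and
    'key => value'; the last assignment wins. Simplification: '#include'
    files and ';--' block comments are not processed.
    """
    section, value = None, None
    for raw in conf_text.splitlines():
        line = re.split(r"(?<!\\);", raw, maxsplit=1)[0].strip()
        header = re.match(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        key, sep, val = line.partition("=")
        if section != "general" or not sep:
            continue
        if key.strip().lower() == "alwaysauthreject":
            val = val.lstrip(">").strip().lower()
            value = "yes" if val in TRUE_VALUES else "no"
    return value


def audit(conf_text):
    """Turn the effective value into a finding for a report."""
    value = effective_alwaysauthreject(conf_text)
    if value == "yes":
        return "ok"
    if value == "no":
        return "explicitly disabled"
    return "not set: set alwaysauthreject=yes in [general]"


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/asterisk/sip.conf"
    with open(path, encoding="utf-8", errors="replace") as fh:
        print(path + ": " + audit(fh.read()))
```

A commented-out line or a setting placed in a peer section leaves the value unset in '[general]', which on the versions discussed above means the old default of "no" still applies.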


