Bug 1454301 (CVE-2017-9358, CVE-2017-9359, CVE-2017-9372)

Summary: CVE-2017-9372 CVE-2017-9358 CVE-2017-9359 asterisk: Multiple security issues
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: g.devel, itamar, jsmith.fedora, rbryant
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: asterisk 13.15.1, asterisk 14.4.1 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 03:13:17 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1454303, 1454304    
Bug Blocks:    

Description Andrej Nemec 2017-05-22 12:14:37 UTC 
Multiple vulnerabilities were fixed in the latest version of asterisk.

AST-2017-002: Buffer Overrun in PJSIP transaction layer

A remote crash can be triggered by sending a SIP packet to Asterisk with a specially crafted CSeq header and a Via header with no branch parameter. The issue is that the PJSIP RFC 2543 transaction key generation algorithm does not allocate a large enough buffer. By overrunning the buffer, the memory allocation table becomes corrupted, leading to an eventual crash.

http://downloads.asterisk.org/pub/security/AST-2017-002.html

AST-2017-003: Crash in PJSIP multi-part body parser

The multi-part body parser in PJSIP contains a logical error that can make certain multi-part body parts attempt to read memory from outside the allowed boundaries. A specially-crafted packet can trigger these invalid reads and potentially induce a crash.

http://downloads.asterisk.org/pub/security/AST-2017-003.html

AST-2017-004: Memory exhaustion on short SCCP packets

A remote memory exhaustion can be triggered by sending an SCCP packet to Asterisk system with “chan_skinny” enabled that is larger than the length of the SCCP header but smaller than the packet length specified in the header. The loop that reads the rest of the packet doesn’t detect that the call to read() returned end-of-file before the expected number of bytes and continues infinitely. The “partial data” message logging in that tight loop causes Asterisk to exhaust all available memory.

http://downloads.asterisk.org/pub/security/AST-2017-004.html
Comment 1 Andrej Nemec 2017-05-22 12:19:13 UTC 
Created asterisk tracking bugs for this issue:

Affects: epel-6 [bug 1454303]
Affects: fedora-all [bug 1454304]
Comment 2 Andrej Nemec 2017-06-02 06:43:47 UTC 
AST-2017-004: Memory exhaustion on short SCCP packets is now CVE-2017-9358
AST-2017-003: Crash in PJSIP multi-part body parser is now CVE-2017-9359
Comment 3 Andrej Nemec 2017-06-02 14:15:35 UTC 
AST-2017-002: Buffer Overrun in PJSIP transaction layer is now CVE-2017-9372
Comment 4 Product Security DevOps Team 2019-06-08 03:13:17 UTC 
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.