Vulnerability roundup 114: asterisk-18.5.1: 6 advisories [9.8]

[ckauhaus]

search, files

• [ ] CVE-2021-37706 CVSSv3=9.8 (nixos-21.11)
• [ ] CVE-2022-23608 CVSSv3=9.8 (nixos-21.11)
• [ ] CVE-2022-26651 CVSSv3=9.8 (nixos-21.11)
• [ ] CVE-2022-21723 CVSSv3=9.1 (nixos-21.11)
• [ ] CVE-2022-26499 CVSSv3=9.1 (nixos-21.11)
• [ ] CVE-2022-26498 CVSSv3=7.5 (nixos-21.11)

CVE details

CVE-2021-37706

PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In affected versions if the incoming STUN message contains an ERROR-CODE attribute, the header length is not checked before performing a subtraction operation, potentially resulting in an integer underflow scenario. This issue affects all users that use STUN. A malicious actor located within the victim’s network may forge and send a specially crafted UDP (STUN) message that could remotely execute arbitrary code on the victim’s machine. Users are advised to upgrade as soon as possible. There are no known workarounds.

CVE-2022-23608

PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In versions up to and including 2.11.1 when in a dialog set (or forking) scenario, a hash key shared by multiple UAC dialogs can potentially be prematurely freed when one of the dialogs is destroyed . The issue may cause a dialog set to be registered in the hash table multiple times (with different hash keys) leading to undefined behavior such as dialog list collision which eventually leading to endless loop. A patch is available in commit db3235953baa56d2fb0e276ca510fefca751643f which will be included in the next release. There are no known workarounds for this issue.

CVE-2022-26651

An issue was discovered in Asterisk through 19.x and Certified Asterisk through 16.8-cert13. The func_odbc module provides possibly inadequate escaping functionality for backslash characters in SQL queries, resulting in user-provided data creating a broken SQL query or possibly a SQL injection. This is fixed in 16.25.2, 18.11.2, and 19.3.2, and 16.8-cert14.

CVE-2022-21723

PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In versions 2.11.1 and prior, parsing an incoming SIP message that contains a malformed multipart can potentially cause out-of-bound read access. This issue affects all PJSIP users that accept SIP multipart. The patch is available as commit in the master branch. There are no known workarounds.

CVE-2022-26499

An SSRF issue was discovered in Asterisk through 19.x. When using STIR/SHAKEN, it's possible to send arbitrary requests (such as GET) to interfaces such as localhost by using the Identity header. This is fixed in 16.25.2, 18.11.2, and 19.3.2.

CVE-2022-26498

An issue was discovered in Asterisk through 19.x. When using STIR/SHAKEN, it is possible to download files that are not certificates. These files could be much larger than what one would expect to download, leading to Resource Exhaustion. This is fixed in 16.25.2, 18.11.2, and 19.3.2.

---

Scanned versions: nixos-21.11: 3c5ae9be1f1.

Cc @DerTim1 Cc @auntieNeo Cc @yorickvp

[yorickvP]

We no longer support nixos-21.11, but this has been fixed in the currently supported NixOS versions:

• nixos-22.05: asterisk-16.26.1, asterisk-19.4.1, asterisk-18.12.1
• nixos-unstable: asterisk-16.26.1, asterisk-19.4.1, asterisk-18.12.1