Vulnerabilities > CVE-2012-3863 - Resource Management Errors vulnerability in Digium products

047910
CVSS v2 base score 4.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
SINGLE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
low complexity
digium
CWE-399
nessus

Summary

channels/chan_sip.c in Asterisk Open Source 1.8.x before 1.8.13.1 and 10.x before 10.5.2, Asterisk Business Edition C.3.x before C.3.7.5, Certified Asterisk 1.8.11-certx before 1.8.11-cert4, and Asterisk Digiumphones 10.x.x-digiumphones before 10.5.2-digiumphones does not properly handle a provisional response to a SIP reINVITE request, which allows remote authenticated users to cause a denial of service (RTP port exhaustion) via sessions that lack final responses.

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyMisc.
    NASL idASTERISK_AST_2012_010.NASL
    descriptionAccording to the version in its SIP banner, the version of Asterisk running on the remote host is potentially affected by a vulnerability that could allow a remote, authenticated attacker to exhaust the server of resources. If an endpoint sends a provisional response to the server's re-INVITE message, certain data structures are not freed. More iterations of this sequence lead to exhaustion of all available RTP ports.
    last seen2020-06-01
    modified2020-06-02
    plugin id60064
    published2012-07-19
    reporterThis script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/60064
    titleAsterisk Endpoint Provisional Response Parsing RTP Port Consumption Remote DoS (AST-2012-010)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Registration pass: when 'description' is set, only the plugin metadata
    # below is recorded and the script exits at the end of this block, before
    # any of the version-check logic further down runs.
    if (description)
    {
      script_id(60064);
      script_version("1.10");
      script_cvs_date("Date: 2018/06/27 18:42:26");
    
      # Advisory cross-references for the finding (CVE and Bugtraq ids).
      script_cve_id("CVE-2012-3863");
      script_bugtraq_id(54327);
    
      # The summary states how the result is obtained: from the version in the
      # SIP banner, not by exercising the re-INVITE handling itself.
      script_name(english:"Asterisk Endpoint Provisional Response Parsing RTP Port Consumption Remote DoS (AST-2012-010)");
      script_summary(english:"Checks version in SIP banner");
    
      script_set_attribute(attribute:"synopsis", value:
    "A telephony application running on the remote host is affected by a
    denial of service vulnerability.");
      script_set_attribute(attribute:"description", value:
    "According to the version in its SIP banner, the version of Asterisk
    running on the remote host is potentially affected by a vulnerability
    that could allow a remote, authenticated attacker to exhaust the
    server of resources.
    
    If an endpoint sends a provisional response to the server's re-INVITE
    message, certain data structures are not freed. More iterations of
    this sequence lead to exhaustion of all available RTP ports.");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Asterisk Open Source 1.8.13.1 / 10.5.2, Business Edition
    C.3.7.5, Certified Asterisk 1.8.11-cert4 or apply the patches listed in
    the Asterisk advisory.");
      # CVSS v2 base vector: network reachable, low complexity, single
      # authentication required, availability impact only (partial).
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:P");
      # CVSS v2 temporal vector: exploitability unproven (E:U), official fix
      # available (RL:OF), report confirmed (RC:C).
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_set_attribute(attribute:"see_also", value:"http://downloads.asterisk.org/pub/security/AST-2012-010.html");
      script_set_attribute(attribute:"see_also", value:"https://issues.asterisk.org/jira/browse/ASTERISK-19992");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2012/07/05");
      script_set_attribute(attribute:"patch_publication_date", value:"2012/07/05");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/07/19");
    
      # Marked as a potential finding: the result rests on a version string, so
      # a build patched without a version change may still match.
      # NOTE(review): treat a hit as a lead to confirm on the host.
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:digium:asterisk");
      script_end_attributes();
    
      # Information-gathering category.
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.");
    
      # Requires the Asterisk detection plugin to have run and both KB keys to
      # be present: the SIP-detected flag and the paranoid-report setting.
      script_dependencies("asterisk_detection.nasl");
      script_require_keys("asterisk/sip_detected", "Settings/ParanoidReport");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    # Stop unless the detection plugin recorded an Asterisk SIP service.
    get_kb_item_or_exit("asterisk/sip_detected");
    
    # Each detected SIP listener is expected to have a KB entry of the form
    # sip/asterisk/<proto>/<port>/version holding its reported version.
    version_kbs = get_kb_list("sip/asterisk/*/version");
    if (isnull(version_kbs))
      exit(1, "Could not obtain any version information from the Asterisk SIP instance(s).");
    
    # The verdict rests on the reported version alone, so it is only produced
    # when paranoid reporting is enabled (guards against false positives).
    if (report_paranoia < 2)
      audit(AUDIT_PARANOID);
    
    found_affected = FALSE;
    unaffected = make_list();
    problems = make_list();
    
    foreach kb_key (keys(version_kbs))
    {
      # Negative means "older than the fixed release"; anything else is
      # treated as not affected further down.
      cmp = 0;
    
      # Recover transport and port from the KB key itself.
      parts = eregmatch(pattern:"/(udp|tcp)/([0-9]+)/version", string:kb_key);
      if (isnull(parts))
      {
        problems = make_list(problems, "Unexpected error parsing port number from kb name: "+kb_key);
        continue;
      }
    
      sip_proto = parts[1];
      sip_port = parts[2];
      endpoint = sip_proto + "/" + sip_port;
      installed_ver = version_kbs[kb_key];
    
      if (installed_ver == 'unknown')
      {
        problems = make_list(problems, "Unable to obtain version of install on " + endpoint);
        continue;
      }
    
      # A missing banner is logged as an error, but the version is still
      # evaluated; the report then shows 'unknown' as the source.
      source_kb = "sip/asterisk/" + endpoint + "/source";
      src_banner = get_kb_item(source_kb);
      if (!src_banner)
      {
        problems = make_list(problems, "KB item '" + source_kb + "' is missing");
        src_banner = 'unknown';
      }
    
      # Exactly one release line can match: the certified branch is selected
      # by the "cert" marker, the others by their distinct version prefixes.
      if ("cert" >< tolower(installed_ver))
      {
        # Certified Asterisk 1.8.11-certx < 1.8.11-cert4
        if (installed_ver =~ "^1\.8\.11([^0-9]|$)")
        {
          fix_ver = "1.8.11-cert4";
          cmp = ver_compare(ver:installed_ver, fix:fix_ver, app:"asterisk");
        }
      }
      else if (installed_ver =~ "^10([^0-9]|$)")
      {
        # Open Source 10.x < 10.5.2
        fix_ver = "10.5.2";
        cmp = ver_compare(ver:installed_ver, fix:fix_ver, app:"asterisk");
      }
      else if (installed_ver =~ "^1\.8([^0-9]|$)")
      {
        # Open Source 1.8.x < 1.8.13.1
        fix_ver = "1.8.13.1";
        cmp = ver_compare(ver:installed_ver, fix:fix_ver, app:"asterisk");
      }
      else if (installed_ver =~ "^C\.3\.([0-6]|7\.[0-4])([^0-9]|$)")
      {
        # Business Edition C.3.x < C.3.7.5: the pattern itself only matches
        # releases below the fix, so no numeric comparison is made.
        fix_ver = "C.3.7.5";
        cmp = -1;
      }
    
      if (cmp < 0)
      {
        found_affected = TRUE;
        if (report_verbosity > 0)
        {
          details =
            '\n  Version source    : ' + src_banner +
            '\n  Installed version : ' + installed_ver +
            '\n  Fixed version     : ' + fix_ver + '\n';
          security_warning(port:sip_port, proto:sip_proto, extra:details);
        }
        else security_warning(port:sip_port, proto:sip_proto);
      }
      else unaffected = make_list(unaffected, installed_ver + " on port " + endpoint);
    }
    
    # Any parsing or KB problem makes the overall result an error exit, even
    # if some listeners were already reported above.
    problem_count = max_index(problems);
    if (problem_count)
    {
      if (problem_count == 1) exit(1, problems[0]);
      exit(1, 'Errors were encountered verifying installs : \n  ' + join(problems, sep:'\n  '));
    }
    
    # No errors: explain why nothing (more) is reported.
    clean_count = max_index(unaffected);
    if (clean_count == 1)
      audit(AUDIT_INST_VER_NOT_VULN, "Asterisk " + unaffected[0]);
    else if (clean_count == 0)
    {
      if (found_affected)
        exit(0);
      else
        audit(AUDIT_NOT_INST, "Asterisk");
    }
    else exit(0, "The Asterisk installs (" + join(unaffected, sep:", ") + ") are not affected.");
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2012-10324.NASL
    descriptionThe Asterisk Development Team has announced security releases for Certified Asterisk 1.8.11 and Asterisk 1.8 and 10. The available security releases are released as versions 1.8.11-cert4, 1.8.13.1, 10.5.2, and 10.5.2-digiumphones. These releases are available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk/releases The release of Asterisk 1.8.11-cert4, 1.8.13.1, 10.5.2, and 10.5.2-digiumphones resolve the following two issues : - If Asterisk sends a re-invite and an endpoint responds to the re-invite with a provisional response but never sends a final response, then the SIP dialog structure is never freed and the RTP ports for the call are never released. If an attacker has the ability to place a call, they could create a denial of service by using all available RTP ports. - If a single voicemail account is manipulated by two parties simultaneously, a condition can occur where memory is freed twice causing a crash. These issues and their resolution are described in the security advisories. For more information about the details of these vulnerabilities, please read security advisories AST-2012-010 and AST-2012-011, which were released at the same time as this announcement. For a full list of changes in the current releases, please see the ChangeLogs : http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.11-cert4 http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.13.1 http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.5.2 http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.5.2-digiumphones The security advisories are available at : - http://downloads.asterisk.org/pub/security/AST-2012-010.pdf - http://downloads.asterisk.org/pub/security/AST-2012-011.pdf Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-17
    modified2012-07-20
    plugin id60069
    published2012-07-20
    reporterThis script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/60069
    titleFedora 17 : asterisk-10.5.2-1.fc17 (2012-10324)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2012-10324.
    #
    
    include("compat.inc");
    
    # Registration pass: when 'description' is set, only the plugin metadata
    # below is recorded and the script exits at the end of this block, before
    # the package check further down runs.
    if (description)
    {
      script_id(60069);
      script_version("1.10");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");
    
      # One Fedora update covers two CVEs / Bugtraq ids.
      script_cve_id("CVE-2012-3812", "CVE-2012-3863");
      script_bugtraq_id(54317, 54327);
      script_xref(name:"FEDORA", value:"2012-10324");
    
      script_name(english:"Fedora 17 : asterisk-10.5.2-1.fc17 (2012-10324)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      # NOTE(review): the ChangeLog and advisory URLs inside the description
      # text below are split by hard line wraps; the see_also attributes that
      # follow carry the links in intact form.
      script_set_attribute(
        attribute:"description", 
        value:
    "The Asterisk Development Team has announced security releases for
    Certified Asterisk 1.8.11 and Asterisk 1.8 and 10. The available
    security releases are released as versions 1.8.11-cert4, 1.8.13.1,
    10.5.2, and 10.5.2-digiumphones.
    
    These releases are available for immediate download at
    http://downloads.asterisk.org/pub/telephony/asterisk/releases
    
    The release of Asterisk 1.8.11-cert4, 1.8.13.1, 10.5.2, and
    10.5.2-digiumphones resolve the following two issues :
    
      - If Asterisk sends a re-invite and an endpoint responds
        to the re-invite with a provisional response but never
        sends a final response, then the SIP dialog structure is
        never freed and the RTP ports for the call are never
        released. If an attacker has the ability to place a
        call, they could create a denial of service by using all
        available RTP ports.
    
      - If a single voicemail account is manipulated by two
        parties simultaneously, a condition can occur where
        memory is freed twice causing a crash.
    
    These issues and their resolution are described in the security
    advisories.
    
    For more information about the details of these vulnerabilities,
    please read security advisories AST-2012-010 and AST-2012-011, which
    were released at the same time as this announcement.
    
    For a full list of changes in the current releases, please see the
    ChangeLogs :
    
    http://downloads.asterisk.org/pub/telephony/certified-asterisk/release
    s/ChangeLog-1.8.11-cert4
    http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLo
    g-1.8.13.1
    http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLo
    g-10.5.2
    http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLo
    g-10.5.2-digiumphones
    
    The security advisories are available at :
    
      -
        http://downloads.asterisk.org/pub/security/AST-2012-010.
        pdf
    
        -
          http://downloads.asterisk.org/pub/security/AST-2012-01
          1.pdf
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      # Reference links. Where a shortened nessus.org link is used, the
      # comment directly above the call gives the full target URL.
      script_set_attribute(
        attribute:"see_also",
        value:"http://downloads.asterisk.org/pub/security/AST-2012-010.pdf"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://downloads.asterisk.org/pub/security/AST-2012-011.pdf"
      );
      # http://downloads.asterisk.org/pub/telephony/asterisk/releases
      script_set_attribute(
        attribute:"see_also",
        value:"http://downloads.asterisk.org/pub/telephony/asterisk/releases/"
      );
      # http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.13.1
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?018f28b9"
      );
      # http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.5.2
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?9a7457b9"
      );
      # http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.5.2-digiumphones
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?4b73d250"
      );
      # http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.11-cert4
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?07969e81"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=838178"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=838179"
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2012-July/084037.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?b0d3841c"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected asterisk package."
      );
      # CVSS v2 base vector: network reachable, low complexity, single
      # authentication required, availability impact only (partial).
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:P");
      # CVSS v2 temporal vector: exploitability not defined (E:ND), official
      # fix available (RL:OF), report confirmed (RC:C).
      script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      # Local check: the verdict comes from the host's package data rather
      # than from a network banner.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:asterisk");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:17");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2012/07/06");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/07/20");
      script_end_attributes();
    
      # Information-gathering category.
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      # Requires the KB entries for local checks, the RedHat-family release
      # string and the collected RPM list.
      # NOTE(review): presumably populated by ssh_get_info.nasl over a
      # credentialed session - confirm against that plugin.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    # The package comparison only makes sense when local checks are enabled.
    if (!get_kb_item("Host/local_checks_enabled"))
      audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    # Confirm the host is Fedora and pull the major release number.
    release_str = get_kb_item("Host/RedHat/release");
    if (isnull(release_str) || "Fedora" >!< release_str)
      audit(AUDIT_OS_NOT, "Fedora");
    
    release_match = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release_str);
    if (isnull(release_match))
      audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    
    # This advisory applies to Fedora 17 only.
    fedora_ver = release_match[1];
    if (! ereg(pattern:"^17([^0-9]|$)", string:fedora_ver))
      audit(AUDIT_OS_NOT, "Fedora 17.x", "Fedora " + fedora_ver);
    
    # Without a collected RPM list there is nothing to compare against.
    if (!get_kb_item("Host/RedHat/rpm-list"))
      audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Only x86_64 and i386-i686 hosts are handled by this check.
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu))
      audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$")
      audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    # A true result from rpm_check is what triggers the finding below.
    update_missing = FALSE;
    if (rpm_check(release:"FC17", reference:"asterisk-10.5.2-1.fc17"))
      update_missing = TRUE;
    
    if (update_missing)
    {
      # Attach the package report when verbosity allows it.
      if (report_verbosity > 0)
        security_warning(port:0, extra:rpm_report_get());
      else
        security_warning(0);
      exit(0);
    }
    
    # Nothing to report: say whether the package was checked and found
    # current, or was not installed at all.
    checked_pkgs = pkg_tests_get();
    if (checked_pkgs)
      audit(AUDIT_PACKAGE_NOT_AFFECTED, checked_pkgs);
    else
      audit(AUDIT_PACKAGE_NOT_INSTALLED, "asterisk");
    
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201209-15.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201209-15 (Asterisk: Multiple vulnerabilities) Multiple vulnerabilities have been found in Asterisk: An error in manager.c allows shell access (CVE-2012-2186). An error in Asterisk could cause all RTP ports to be exhausted (CVE-2012-3812). A double-free error could occur when two parties attempt to manipulate the same voicemail account simultaneously (CVE-2012-3863). Asterisk does not properly implement certain ACL rules (CVE-2012-4737). Impact : A remote, authenticated attacker could execute arbitrary code with the privileges of the process, cause a Denial of Service condition, or bypass outbound call restrictions. Workaround : There is no known workaround at this time. [Editor's note: the CVE labels on the RTP-port and voicemail items in this advisory text appear to be transposed. The Summary on this page assigns the RTP port exhaustion to CVE-2012-3863, which leaves CVE-2012-3812 for the voicemail double free.]
    last seen2020-06-01
    modified2020-06-02
    plugin id62344
    published2012-09-27
    reporterThis script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/62344
    titleGLSA-201209-15 : Asterisk: Multiple vulnerabilities
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-2550.NASL
    descriptionSeveral vulnerabilities were discovered in Asterisk, a PBX and telephony toolkit, allowing privilege escalation in the Asterisk Manager, denial of service or privilege escalation. More detailed information can be found in the Asterisk advisories: AST-2012-010, AST-2012-011, AST-2012-012, and AST-2012-013.
    last seen2020-03-17
    modified2012-09-19
    plugin id62188
    published2012-09-19
    reporterThis script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/62188
    titleDebian DSA-2550-2 : asterisk - several vulnerabilities