Vigil@nce - Asterisk Open Source: denial of service via chan_sip
February 2016 by Vigil@nce
This bulletin was written by Vigil@nce : https://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can configure Asterisk Open Source, in order to raise
its resource consumption.
Impacted products: Asterisk Open Source, Fedora.
Severity: 1/4.
Creation date: 04/02/2016.
DESCRIPTION OF THE VULNERABILITY
The Asterisk Open Source product manages time-out in order to
detect inactive connections.
The delay is user defined in the file "sip.conf". However, when a
value greater than 1245 trigger an integer overflow which make the
timer practically ineffective. So Asterisk keep connections that
should be closed, so raising its resource consumption, notably
memory and file descriptors.
An attacker can therefore configure Asterisk Open Source, in order
to raise its resource consumption.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
https://vigilance.fr/vulnerability/Asterisk-Open-Source-denial-of-service-via-chan-sip-18870