Vigil@nce - Asterisk: unreachable memory reading via SIP SUBSCRIBE
October 2014 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can force a read at an invalid address in SIP
SUBSCRIBE of Asterisk, in order to trigger a denial of service.
Impacted products: Asterisk Open Source
Severity: 2/4
Creation date: 19/09/2014
DESCRIPTION OF THE VULNERABILITY
The Asterisk product uses the res_pjsip_pubsub module, which
implements the SIP SUBSCRIBE command.
However, some SIP headers force the usage of incorrect data types,
and then res_pjsip_pubsub tries to read a memory area which is not
reachable, which triggers a fatal error.
An attacker can therefore force a read at an invalid address via a
SIP SUBSCRIBE message sent to Asterisk, in order to trigger a
denial of service.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Asterisk-unreachable-memory-reading-via-SIP-SUBSCRIBE-15379