
<div dir="auto"></div><div class="gmail_quote">---------- Mensagem encaminhada ----------<br>De: &quot;Asterisk Security Team&quot; &lt;<a href="mailto:security@asterisk.org">security@asterisk.org</a>&gt;<br>Data: 4 de abr de 2017 11:51<br>Assunto: [asterisk-dev] AST-2017-001: Buffer overflow in CDR&#39;s set user<br>Para:  &lt;<a href="mailto:asterisk-dev@lists.digium.com">asterisk-dev@lists.digium.com</a>&gt;<br>Cc: <br><br type="attribution">               Asterisk Project Security Advisory - AST-2017-001<br>


<br>


         Product        Asterisk<br>


         Summary        Buffer overflow in CDR&#39;s set user<br>


    Nature of Advisory  Buffer Overflow<br>


      Susceptibility    Remote Authenticated Sessions<br>


         Severity       Moderate<br>


      Exploits Known    No<br>


       Reported On      March 27, 2017<br>


       Reported By      Alex Villacis Lasso<br>


        Posted On<br>


     Last Updated On    April 4, 2017<br>


     Advisory Contact   kharwell AT digium DOT com<br>


         CVE Name<br>


<br>


    Description  No size checking is done when setting the user field on a<br>


                 CDR. Thus, it is possible for someone to use an arbitrarily<br>


                 large string and write past the end of the user field<br>


                 storage buffer. This allows the possibility of remote code<br>


                 injection.<br>


<br>


                 This currently affects any system using CDR&#39;s that also<br>


                 make use of the following:<br>


<br>


                 * The &#39;X-ClientCode&#39; header within a SIP INFO message when<br>


                 using chan_sip and<br>


<br>


                 the &#39;useclientcode&#39; option is enabled (note, it&#39;s disabled<br>


                 by default).<br>


<br>


                 * The CDR dialplan function executed from AMI when setting<br>


                 the user field.<br>


<br>


                 * The AMI Monitor action when using a long file name/path.<br>


<br>


    Resolution  The CDR engine now only copies up to the maximum allowed<br>


                characters into the user field. Any characters outside the<br>


                maximum are truncated.<br>


<br>


                               Affected Versions<br>


                         Product                       Release<br>


                                                       Series<br>


                  Asterisk Open Source                  13.x    All Releases<br>


                  Asterisk Open Source                  14.x    All Releases<br>


                   Certified Asterisk                   13.13   All Releases<br>


<br>


                                  Corrected In<br>


                            Product                              Release<br>


                      Asterisk Open Source                    13.14.1,14.3.1<br>


                       Certified Asterisk                      13.13-cert3<br>


<br>


                                     Patches<br>


                                SVN URL                               Revision<br>


   <a href="http://downloads.asterisk.org/pub/security/AST-2017-001-13.diff" rel="noreferrer" target="_blank">http://downloads.asterisk.org/<wbr>pub/security/AST-2017-001-13.<wbr>diff</a>    Asterisk<br>


                                                                      13<br>


   <a href="http://downloads.asterisk.org/pub/security/AST-2017-001-14.diff" rel="noreferrer" target="_blank">http://downloads.asterisk.org/<wbr>pub/security/AST-2017-001-14.<wbr>diff</a>    Asterisk<br>


                                                                      14<br>


   <a href="http://downloads.asterisk.org/pub/security/AST-2017-001-13.13.diff" rel="noreferrer" target="_blank">http://downloads.asterisk.org/<wbr>pub/security/AST-2017-001-13.<wbr>13.diff</a> Certified<br>


                                                                      Asterisk<br>


                                                                      13.13<br>


<br>


    Links  <a href="https://issues.asterisk.org/jira/browse/ASTERISK-26897" rel="noreferrer" target="_blank">https://issues.asterisk.org/<wbr>jira/browse/ASTERISK-26897</a><br>


<br>


    Asterisk Project Security Advisories are posted at<br>


    <a href="http://www.asterisk.org/security" rel="noreferrer" target="_blank">http://www.asterisk.org/<wbr>security</a><br>


<br>


    This document may be superseded by later versions; if so, the latest<br>


    version will be posted at<br>


    <a href="http://downloads.digium.com/pub/security/AST-2017-001.pdf" rel="noreferrer" target="_blank">http://downloads.digium.com/<wbr>pub/security/AST-2017-001.pdf</a> and<br>


    <a href="http://downloads.digium.com/pub/security/AST-2017-001.html" rel="noreferrer" target="_blank">http://downloads.digium.com/<wbr>pub/security/AST-2017-001.html</a><br>


<br>


                                Revision History<br>


         Date           Editor                   Revisions Made<br>


    March, 27, 2017  Kevin Harwell  Initial Revision<br>


<br>


               Asterisk Project Security Advisory - AST-2017-001<br>


               Copyright © 2017 Digium, Inc. All Rights Reserved.<br>


  Permission is hereby granted to distribute and publish this advisory in its<br>


                           original, unaltered form.<br>


<br>


<br>


<br>--<br>


______________________________<wbr>______________________________<wbr>_________<br>


-- Bandwidth and Colocation Provided by <a href="http://www.api-digital.com" rel="noreferrer" target="_blank">http://www.api-digital.com</a> --<br>


<br>


asterisk-dev mailing list<br>


To UNSUBSCRIBE or update options visit:<br>


   <a href="http://lists.digium.com/mailman/listinfo/asterisk-dev" rel="noreferrer" target="_blank">http://lists.digium.com/<wbr>mailman/listinfo/asterisk-dev</a><br></div>