AST-2014-005: Remote Crash in PJSIP Channel Driver's Publish/Subscribe Framework Jun 12 2014 08:43PM
Asterisk Security Team (security asterisk org)
Asterisk Project Security Advisory - AST-2014-005

Product Asterisk
Summary Remote Crash in PJSIP Channel Driver's
Publish/Subscribe Framework
Nature of Advisory Denial of Service
Susceptibility Remote Unauthenticated Sessions
Severity Moderate
Exploits Known No
Reported On March 17, 2014
Reported By John Bigelow <jbigelow AT digium DOT com>
Posted On June 12, 2014
Last Updated On June 12, 2014
Advisory Contact Kevin Harwell <kharwell AT digium DOT com>
CVE Name CVE-2014-4045

Description A remotely exploitable crash vulnerability exists in the
PJSIP channel driver's pub/sub framework. If an attempt is
made to unsubscribe when not currently subscribed and the
endpoint's "sub_min_expiry" is set to zero, Asterisk tries
to create an expiration timer with zero seconds, which is
not allowed, so an assertion raised.

Resolution Upgrade to a version with the patch integrated, apply the
patch, or make sure the "sub_min_expiry" endpoint
configuration option is greater than zero.

Affected Versions
Product Release Series
Asterisk Open Source 12.x All

Corrected In
Product Release
Asterisk Open Source 12.x 12.3.1

SVN URL Revision
http://downloads.asterisk.org/pub/security/AST-2014-005-12.diff Asterisk

Links https://issues.asterisk.org/jira/browse/ASTERISK-23489

Asterisk Project Security Advisories are posted at

This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2014-005.pdf and

Revision History
Date Editor Revisions Made
April 14, 2014 Kevin Harwell Document Creation
June 12, 2014 Matt Jordan Added CVE

Asterisk Project Security Advisory - AST-2014-005
Copyright (c) 2014 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus