Multiple security vulnerabilities have been discovered in Asterisk, an Open
Source Private Branch Exchange.
CVE-2023-37457
The ‘update’ functionality of the PJSIP_HEADER dialplan function can exceed
the available buffer space for storing the new value of a header. By doing
so this can overwrite memory or cause a crash. This is not externally
exploitable, unless dialplan is explicitly written to update a header based
on data from an outside source. If the ‘update’ functionality is not used
the vulnerability does not occur.
CVE-2023-38703
PJSIP is a free and open source multimedia communication library written in
C with high level API in C, C++, Java, C#, and Python languages. SRTP is a
higher level media transport which is stacked upon a lower level media
transport such as UDP and ICE. Currently a higher level transport is not
synchronized with its lower level transport that may introduce a
use-after-free issue. This vulnerability affects applications that have
SRTP capability (`PJMEDIA_HAS_SRTP` is set) and use underlying media
transport other than UDP. This vulnerability’s impact may range from
unexpected application termination to control flow hijack/memory
corruption.
CVE-2023-49294
It is possible to read any arbitrary file even when the `live_dangerously`
option is not enabled.
CVE-2023-49786
Asterisk is susceptible to a DoS due to a race condition in the hello
handshake phase of the DTLS protocol when handling DTLS-SRTP for media
setup. This attack can be done continuously, thus denying new DTLS-SRTP
encrypted calls during the attack. Abuse of this vulnerability may lead to
a massive Denial of Service on vulnerable Asterisk servers for calls that
rely on DTLS-SRTP.