[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-disclosure] ASA-2007-013: IAX2 users can cause unauthorized data disclosure
- To: undisclosed-recipients:;
- Subject: [Full-disclosure] ASA-2007-013: IAX2 users can cause unauthorized data disclosure
- From: "Kevin P. Fleming" <kpfleming@xxxxxxxxxx>
- Date: Fri, 04 May 2007 11:20:02 -0500
> Asterisk Project Security Advisory - ASA-2007-013
>
>
> +----------------------------------------------------------------------------------+
> | Product | Asterisk
> |
>
> |----------------------+-----------------------------------------------------------|
> | Summary | IAX2 users can cause unauthorized data disclosure
> |
>
> |----------------------+-----------------------------------------------------------|
> | Nature of Advisory | Unauthorized information disclosure
> |
>
> |----------------------+-----------------------------------------------------------|
> | Susceptibility | Remote authenticated sessions
> |
>
> |----------------------+-----------------------------------------------------------|
> | Severity | Low
> |
>
> |----------------------+-----------------------------------------------------------|
> | Exploits Known | No
> |
>
> |----------------------+-----------------------------------------------------------|
> | Reported On | April 27, 2007
> |
>
> |----------------------+-----------------------------------------------------------|
> | Reported By | Tim Panton, Mexuar, <tim@xxxxxxxxxx>
> |
> | |
> |
> | | Birgit Arkesteijn, Westhawk,
> <birgit@xxxxxxxxxxxxxx> |
>
> |----------------------+-----------------------------------------------------------|
> | Posted On | May 4, 2007
> |
>
> |----------------------+-----------------------------------------------------------|
> | Last Updated On | May 4, 2007
> |
>
> |----------------------+-----------------------------------------------------------|
> | Advisory Contact | kpfleming@xxxxxxxxxx
> |
>
> |----------------------+-----------------------------------------------------------|
> | CVE Name | CVE-2007-2488
> |
>
> +----------------------------------------------------------------------------------+
>
>
> +----------------------------------------------------------------------------------+
> | Description | > From: Tim Panton <tim@xxxxxxxxxx>
> |
> | |
> |
> | | > Date: 27 April 2007 08:02:36 BDT
> |
> | |
> |
> | | > To: "Kevin P. Fleming" <kpfleming@xxxxxxxxxx>
> |
> | |
> |
> | | > Subject: Possible IAX2 vulnerability (Minor)
> |
> | |
> |
> | | >
> |
> | |
> |
> | | > We've stumbled on a bug in the way Asterisk's IAX2
> handles text |
> | |
> |
> | | > frames.
> |
> | |
> |
> | | > I'm emailing you because it is a borderline security
> |
> | | vulnerability,
> |
> | |
> |
> | | > and my
> |
> | |
> |
> | | > friends in the security world tell me that I should
> notify the |
> | |
> |
> | | > vendor privately
> |
> | |
> |
> | | > first. If you feel it isn't a security issue, let me
> know and |
> | | I'll
> |
> | |
> |
> | | > put it in mantis.
> |
> | |
> |
> | | >
> |
> | |
> |
> | | > chan_iax2 assumes that the content of a text frame is a
> null |
> | |
> |
> | | > terminated
> |
> | |
> |
> | | > string (C style), and when time comes to forward the
> string it |
> | | uses
> |
> | |
> |
> | | > strlen
> |
> | |
> |
> | | > to determine the message length.
> |
> | |
> |
> | | >
> |
> | |
> |
> | | > If you send a frame without a 0 byte in it, Asterisk
> forwards a |
> | |
> |
> | | > frame that
> |
> | |
> |
> | | > includes the sent data and some extra (presumably heap)
> data. |
> | |
> |
> | | >
> |
> | |
> |
> | | > If an attacker were lucky, the extra data could contain
> |
> | | something
> |
> | |
> |
> | | > interesting.
> |
> | |
> |
> | | > Or conceivably it could cause a segmentation violation.
> |
>
> +----------------------------------------------------------------------------------+
>
>
> +----------------------------------------------------------------------------------+
> | Resolution | Asterisk code has been modified to enforce null-termination
> of |
> | | incoming text frames received by the IAX2 channel driver
> |
> | | (chan_iax2). When text frames are received without
> |
> | | null-termination, this may result in the last byte of data
> in the |
> | | frame being lost, if the IAX2 reception process does not
> have space |
> | | in its receive buffer to add a null character.
> |
> | |
> |
> | | As this vulnerability is of 'low' severity, it does not
> justify new |
> | | releases of Asterisk solely for mitigating its impact. The
> fix for |
> | | this vulnerability has been committed to the Asterisk
> Subversion |
> | | source code repositories and is available to all users who
> wish to |
> | | upgrade to a prerelease checkout of the respective
> development |
> | | branch for their release series of Asterisk. All other
> users can |
> | | upgrade when the next regularly scheduled release of their
> product |
> | | is produced.
> |
>
> +----------------------------------------------------------------------------------+
>
>
> +----------------------------------------------------------------------------------+
> | Affected Versions
> |
>
> |----------------------------------------------------------------------------------|
> | Product | Release |
> |
> | | Series |
> |
>
> |----------------------------------+-------------+---------------------------------|
> | Asterisk Open Source | 1.0.x | has not been evaluated
> as this |
> | | | release series is no
> longer |
> | | | maintained
> |
>
> |----------------------------------+-------------+---------------------------------|
> | Asterisk Open Source | 1.2.x | all releases prior to
> 1.2.19 |
>
> |----------------------------------+-------------+---------------------------------|
> | Asterisk Open Source | 1.4.x | all releases prior to
> 1.4.4 |
>
> |----------------------------------+-------------+---------------------------------|
> | Asterisk Business Edition | A.x.x | all releases
> |
>
> |----------------------------------+-------------+---------------------------------|
> | Asterisk Business Edition | B.x.x | all releases prior to
> B.2.1 |
>
> |----------------------------------+-------------+---------------------------------|
> | AsteriskNOW | pre-release | all releases prior to
> and |
> | | | including Beta 5
> |
>
> |----------------------------------+-------------+---------------------------------|
> | Asterisk Appliance Developer Kit | 0.x.x | all releases prior to
> 0.4.1 |
>
> +----------------------------------------------------------------------------------+
>
>
> +----------------------------------------------------------------------------------+
> | Corrected In
> |
>
> |----------------------------------------------------------------------------------|
> | Product | Release
> |
>
> |----------------------+-----------------------------------------------------------|
> | Asterisk Open Source | 1.2.19 and 1.4.4 will be available from
> |
> | | ftp://ftp.digium.com/pub/telephony/asterisk when
> released |
>
> |----------------------+-----------------------------------------------------------|
> | Asterisk Business | B.2.1, will be available from the Asterisk
> Business |
> | Edition | Edition user portal on http://www.digium.com
> or via |
> | | Digium Technical Support when released
> |
>
> |----------------------+-----------------------------------------------------------|
> | AsteriskNOW | Beta 6, when available from
> http://www.asterisknow.org, |
> | | Beta 5 users can use 'System Update' in the
> appliance |
> | | control panel to update their version of
> AsteriskNOW when |
> | | Asterisk 1.4.4 has been released
> |
>
> |----------------------+-----------------------------------------------------------|
> | Asterisk Appliance | 0.4.1, will be available from
> |
> | Developer Kit | ftp://ftp.digium.com/pub/telephony/aadk when
> released |
>
> +----------------------------------------------------------------------------------+
>
>
> +----------------------------------------------------------------------------------+
> | Links | http://bugs.digium.com/view.php?id=9638
> |
>
> +----------------------------------------------------------------------------------+
>
>
> +----------------------------------------------------------------------------------+
> | Asterisk Project Security Advisories are posted at
> |
> | http://www.asterisk.org/security.
> |
> |
> |
> | This document may be superseded by later versions; if so, the latest
> version |
> | will be posted at http://ftp.digium.com/pub/asa/ASA-2007-013.pdf.
> |
>
> +----------------------------------------------------------------------------------+
>
>
> +----------------------------------------------------------------------------------+
> | Revision History
> |
>
> |----------------------------------------------------------------------------------|
> | Date | Editor | Revisions Made
> |
>
> |-------------------+-----------------------------+--------------------------------|
> | May 4, 2007 | kpfleming@xxxxxxxxxx | initial release
> |
>
> +----------------------------------------------------------------------------------+
>
> Asterisk Project Security Advisory - ASA-2007-013
> Copyright (c) 2007 Digium, Inc. All Rights Reserved.
> Permission is hereby granted to distribute and publish this advisory in its
> original,
> unaltered form.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/