[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] AST-2009-005: Remote Crash Vulnerability in SIP channel driver



               Asterisk Project Security Advisory - AST-2009-005

   +------------------------------------------------------------------------+
   |       Product       | Asterisk                                         |
   |---------------------+--------------------------------------------------|
   |       Summary       | Remote Crash Vulnerability in SIP channel driver |
   |---------------------+--------------------------------------------------|
   | Nature of Advisory  | Denial of Service                                |
   |---------------------+--------------------------------------------------|
   |   Susceptibility    | Remote Unauthenticated Sessions                  |
   |---------------------+--------------------------------------------------|
   |      Severity       | Critical in 1.6.1; minor in lesser versions      |
   |---------------------+--------------------------------------------------|
   |   Exploits Known    | No                                               |
   |---------------------+--------------------------------------------------|
   |     Reported On     | July 28, 2009                                    |
   |---------------------+--------------------------------------------------|
   |     Reported By     | Nick Baggott < nbaggott AT mudynamics DOT com >  |
   |---------------------+--------------------------------------------------|
   |      Posted On      | August 10, 2009                                  |
   |---------------------+--------------------------------------------------|
   |   Last Updated On   | August 10, 2009                                  |
   |---------------------+--------------------------------------------------|
   |  Advisory Contact   | Tilghman Lesher < tlesher AT digium DOT com >    |
   |---------------------+--------------------------------------------------|
   |      CVE Name       | CVE-2009-2726                                    |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Description | On certain implementations of libc, the scanf family of  |
   |             | functions uses an unbounded amount of stack memory to    |
   |             | repeatedly allocate string buffers prior to conversion   |
   |             | to the target type. Coupled with Asterisk's allocation   |
   |             | of thread stack sizes that are smaller than the default, |
   |             | an attacker may exhaust stack memory in the SIP stack    |
   |             | network thread by presenting excessively long numeric    |
   |             | strings in various fields.                               |
   |             |                                                          |
   |             | Note that while this potential vulnerability has existed |
   |             | in Asterisk for a very long time, it is only potentially |
   |             | exploitable in 1.6.1 and above, since those versions are |
   |             | the first that have allowed SIP packets to exceed 1500   |
   |             | bytes total, which does not permit strings that are      |
   |             | large enough to crash Asterisk. (The number strings      |
   |             | presented to us by the security researcher were          |
   |             | approximately 32,000 bytes long.)                        |
   |             |                                                          |
   |             | Additionally note that while this can crash Asterisk,    |
   |             | execution of arbitrary code is not possible with this    |
   |             | vector.                                                  |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |  Resolution  | Upgrade Asterisk to one of the releases listed below.   |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |          Product           |  Release   |                              |
   |                            |   Series   |                              |
   |----------------------------+------------+------------------------------|
   |    Asterisk Open Source    |   1.2.x    | All versions prior to 1.2.34 |
   |----------------------------+------------+------------------------------|
   |    Asterisk Open Source    |   1.4.x    | All versions prior to        |
   |                            |            | 1.4.26.1                     |
   |----------------------------+------------+------------------------------|
   |    Asterisk Open Source    |  1.6.0.x   | All versions prior to        |
   |                            |            | 1.6.0.12                     |
   |----------------------------+------------+------------------------------|
   |    Asterisk Open Source    |  1.6.1.x   | All versions prior to        |
   |                            |            | 1.6.1.4                      |
   |----------------------------+------------+------------------------------|
   |      Asterisk Addons       |   1.2.x    | Not affected                 |
   |----------------------------+------------+------------------------------|
   |      Asterisk Addons       |   1.4.x    | Not affected                 |
   |----------------------------+------------+------------------------------|
   |      Asterisk Addons       |  1.6.0.x   | Not affected                 |
   |----------------------------+------------+------------------------------|
   |      Asterisk Addons       |  1.6.1.x   | Not affected                 |
   |----------------------------+------------+------------------------------|
   | Asterisk Business Edition  |   A.x.x    | All versions                 |
   |----------------------------+------------+------------------------------|
   | Asterisk Business Edition  |   B.x.x    | All versions prior to        |
   |                            |            | B.2.5.9                      |
   |----------------------------+------------+------------------------------|
   | Asterisk Business Edition  |   C.2.x    | All versions prior to        |
   |                            |            | C.2.4.1                      |
   |----------------------------+------------+------------------------------|
   | Asterisk Business Edition  |   C.3.x    | All versions prior to C.3.1  |
   |----------------------------+------------+------------------------------|
   |        AsteriskNOW         |    1.5     | Not affected                 |
   |----------------------------+------------+------------------------------|
   | s800i (Asterisk Appliance) |   1.2.x    | All versions prior to        |
   |                            |            | 1.3.0.3                      |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                              Corrected In                              |
   |------------------------------------------------------------------------|
   |                   Product                   |         Release          |
   |---------------------------------------------+--------------------------|
   |            Asterisk Open Source             |          1.2.34          |
   |---------------------------------------------+--------------------------|
   |            Asterisk Open Source             |         1.4.26.1         |
   |---------------------------------------------+--------------------------|
   |            Asterisk Open Source             |         1.6.0.12         |
   |---------------------------------------------+--------------------------|
   |            Asterisk Open Source             |         1.6.1.4          |
   |---------------------------------------------+--------------------------|
   |          Asterisk Business Edition          |         B.2.5.9          |
   |---------------------------------------------+--------------------------|
   |          Asterisk Business Edition          |         C.2.4.1          |
   |---------------------------------------------+--------------------------|
   |          Asterisk Business Edition          |          C.3.1           |
   |---------------------------------------------+--------------------------|
   |         s800i (Asterisk Appliance)          |         1.3.0.3          |
   +------------------------------------------------------------------------+

   +---------------------------------------------------------------------------+
   |                                  Patches                                  |
   |---------------------------------------------------------------------------|
   |                                Link                                |Branch|
   |--------------------------------------------------------------------+------|
   |http://downloads.digium.com/pub/security/AST-2009-005-1.2.diff.txt  |1.2   |
   |--------------------------------------------------------------------+------|
   |http://downloads.digium.com/pub/security/AST-2009-005-1.4.diff.txt  |1.4   |
   |--------------------------------------------------------------------+------|
   |http://downloads.digium.com/pub/security/AST-2009-005-trunk.diff.txt|trunk |
   |--------------------------------------------------------------------+------|
   |http://downloads.digium.com/pub/security/AST-2009-005-1.6.0.diff.txt|1.6.0 |
   |--------------------------------------------------------------------+------|
   |http://downloads.digium.com/pub/security/AST-2009-005-1.6.1.diff.txt|1.6.1 |
   |--------------------------------------------------------------------+------|
   |http://downloads.digium.com/pub/security/AST-2009-005-1.6.2.diff.txt|1.6.2 |
   +---------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |   Links   | http://labs.mudynamics.com/advisories/MU-200908-01.txt     |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Asterisk Project Security Advisories are posted at                     |
   | http://www.asterisk.org/security                                       |
   |                                                                        |
   | This document may be superseded by later versions; if so, the latest   |
   | version will be posted at                                              |
   | http://downloads.digium.com/pub/security/AST-2009-005.pdf and          |
   | http://downloads.digium.com/pub/security/AST-2009-005.html             |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                            Revision History                            |
   |------------------------------------------------------------------------|
   |        Date         |        Editor        |      Revisions Made       |
   |---------------------+----------------------+---------------------------|
   | August 10, 2009     | Tilghman Lesher      | Initial release           |
   +------------------------------------------------------------------------+

               Asterisk Project Security Advisory - AST-2009-005
              Copyright (c) 2009 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/