<<< Date Index >>>     <<< Thread Index >>>

ASA-2007-016: Remote crash vulnerability in Skinny channel driver



               Asterisk Project Security Advisory - ASA-2007-016

   +------------------------------------------------------------------------+
   |      Product       | Asterisk                                          |
   |--------------------+---------------------------------------------------|
   |      Summary       | Remote crash vulnerability in Skinny channel      |
   |                    | driver                                            |
   |--------------------+---------------------------------------------------|
   | Nature of Advisory | Denial of Service                                 |
   |--------------------+---------------------------------------------------|
   |   Susceptibility   | Remote Unauthenticated Sessions                   |
   |--------------------+---------------------------------------------------|
   |      Severity      | Critical                                          |
   |--------------------+---------------------------------------------------|
   |   Exploits Known   | No                                                |
   |--------------------+---------------------------------------------------|
   |    Reported On     | July 13, 2007                                     |
   |--------------------+---------------------------------------------------|
   |    Reported By     | Will Drewry, Google Security Team                 |
   |--------------------+---------------------------------------------------|
   |     Posted On      | July 17, 2007                                     |
   |--------------------+---------------------------------------------------|
   |  Last Updated On   | July 17, 2007                                     |
   |--------------------+---------------------------------------------------|
   |  Advisory Contact  | Jason Parker <jparker@xxxxxxxxxx>                 |
   |--------------------+---------------------------------------------------|
   |      CVE Name      | CVE-2007-3764                                     |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Description | The Asterisk Skinny channel driver, chan_skinny, has a   |
   |             | remotely exploitable crash vulnerability. A segfault can |
   |             | occur when Asterisk receives a packet where the claimed  |
   |             | length of the data is between 0 and 3, followed by       |
   |             | length + 4 or more bytes, due to an overly large memcpy. |
   |             | The side effects of this extremely large memcpy have not |
   |             | been investigated.                                       |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Resolution | All users that have chan_skinny enabled should upgrade to |
   |            | the appropriate version listed in the corrected in        |
   |            | section of this advisory. As a workaround, users who do   |
   |            | not require chan_skinny may add the line "noload =>       |
   |            | chan_skinny.so" (without quotes) to                       |
   |            | /etc/asterisk/modules.conf, and restart Asterisk.         |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |             Product              |   Release   |                       |
   |                                  |   Series    |                       |
   |----------------------------------+-------------+-----------------------|
   |       Asterisk Open Source       |    1.0.x    | All versions          |
   |----------------------------------+-------------+-----------------------|
   |       Asterisk Open Source       |    1.2.x    | All versions prior to |
   |                                  |             | 1.2.22                |
   |----------------------------------+-------------+-----------------------|
   |       Asterisk Open Source       |    1.4.x    | All versions prior to |
   |                                  |             | 1.4.8                 |
   |----------------------------------+-------------+-----------------------|
   |    Asterisk Business Edition     |    A.x.x    | All versions          |
   |----------------------------------+-------------+-----------------------|
   |    Asterisk Business Edition     |    B.x.x    | All versions prior to |
   |                                  |             | B.2.2.1               |
   |----------------------------------+-------------+-----------------------|
   |           AsteriskNOW            | pre-release | All versions prior to |
   |                                  |             | beta7                 |
   |----------------------------------+-------------+-----------------------|
   | Asterisk Appliance Developer Kit |    0.x.x    | All versions prior to |
   |                                  |             | 0.5.0                 |
   |----------------------------------+-------------+-----------------------|
   |    s800i (Asterisk Appliance)    |    1.0.x    | All versions prior to |
   |                                  |             | 1.0.2                 |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                              Corrected In                              |
   |------------------------------------------------------------------------|
   |      Product       |                      Release                      |
   |--------------------+---------------------------------------------------|
   |   Asterisk Open    |         1.2.22 and 1.4.8, available from          |
   |       Source       |    ftp://ftp.digium.com/pub/telephony/asterisk    |
   |--------------------+---------------------------------------------------|
   | Asterisk Business  |   B.2.2.1, available from the Asterisk Business   |
   |      Edition       |  Edition user portal on http://www.digium.com or  |
   |                    |                                                   |
   |                    |           via Digium Technical Support            |
   |--------------------+---------------------------------------------------|
   |    AsteriskNOW     |               Beta7, available from               |
   |                    |   http://www.asterisknow.org/. Beta5 and Beta6    |
   |                    | users can update using the system update feature  |
   |                    |          in the appliance control panel.          |
   |--------------------+---------------------------------------------------|
   | Asterisk Appliance |               0.5.0, available from               |
   |   Developer Kit    |                                                   |
   |                    |     ftp://ftp.digium.com/pub/telephony/aadk/      |
   |--------------------+---------------------------------------------------|
   |  s800i (Asterisk   |                       1.0.2                       |
   |     Appliance)     |                                                   |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |        Links        |                                                  |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Asterisk Project Security Advisories are posted at                     |
   | http://www.asterisk.org/security.                                      |
   |                                                                        |
   | This document may be superseded by later versions; if so, the latest   |
   | version will be posted at                                              |
   | http://ftp.digium.com/pub/asa/ASA-2007-016.pdf.                        |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                            Revision History                            |
   |------------------------------------------------------------------------|
   |       Date        |         Editor          |      Revisions Made      |
   |-------------------+-------------------------+--------------------------|
   | July 17, 2007     | jparker@xxxxxxxxxx      | Initial Release          |
   +------------------------------------------------------------------------+

               Asterisk Project Security Advisory - ASA-2007-016
              Copyright (c) 2007 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.