<<< Date Index >>>     <<< Thread Index >>>

ASA-2007-015: Remote Crash Vulnerability in IAX2 channel driver



               Asterisk Project Security Advisory - ASA-2007-015

   +------------------------------------------------------------------------+
   |      Product       | Asterisk                                          |
   |--------------------+---------------------------------------------------|
   |      Summary       | Remote Crash Vulnerability in IAX2 channel driver |
   |--------------------+---------------------------------------------------|
   | Nature of Advisory | Denial of Service                                 |
   |--------------------+---------------------------------------------------|
   |   Susceptibility   | Remote Unauthenticated Sessions                   |
   |--------------------+---------------------------------------------------|
   |      Severity      | Critical                                          |
   |--------------------+---------------------------------------------------|
   |   Exploits Known   | No                                                |
   |--------------------+---------------------------------------------------|
   |    Reported On     | July 13, 2007                                     |
   |--------------------+---------------------------------------------------|
   |    Reported By     | Chris Clark and Zane Lackey, iSEC Partners        |
   |--------------------+---------------------------------------------------|
   |     Posted On      | July 17, 2007                                     |
   |--------------------+---------------------------------------------------|
   |  Last Updated On   | July 17, 2007                                     |
   |--------------------+---------------------------------------------------|
   |  Advisory Contact  | Russell Bryant <russell@xxxxxxxxxx>               |
   |--------------------+---------------------------------------------------|
   |      CVE Name      | CVE-2007-3763                                     |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Description | The Asterisk IAX2 channel driver, chan_iax2, has a       |
   |             | remotely exploitable crash vulnerability. A NULL pointer |
   |             | exception can occur when Asterisk receives a LAGRQ or    |
   |             | LAGRP frame that is part of a valid session and includes |
   |             | information elements. The session used to exploit this   |
   |             | issue does not have to be authenticated. It can simply   |
   |             | be a NEW packet sent with an invalid username.           |
   |             |                                                          |
   |             | The code that parses the incoming frame correctly parses |
   |             | the information elements of IAX frames. It then sets a   |
   |             | pointer to NULL to indicate that there is not a raw data |
   |             | payload associated with this frame. However, it does not |
   |             | set the variable that indicates the number of bytes in   |
   |             | the raw payload back to zero. Since the raw data length  |
   |             | is non-zero, the code handling LAGRQ and LAGRP frames    |
   |             | tries to copy data from a NULL pointer, causing a crash. |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Resolution | All users that have chan_iax2 enabled should upgrade to   |
   |            | the appropriate version listed in the corrected in        |
   |            | section of this advisory.                                 |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |             Product              |   Release   |                       |
   |                                  |   Series    |                       |
   |----------------------------------+-------------+-----------------------|
   |       Asterisk Open Source       |    1.0.x    | All versions          |
   |----------------------------------+-------------+-----------------------|
   |       Asterisk Open Source       |    1.2.x    | All versions prior to |
   |                                  |             | 1.2.22                |
   |----------------------------------+-------------+-----------------------|
   |       Asterisk Open Source       |    1.4.x    | All versions prior to |
   |                                  |             | 1.4.8                 |
   |----------------------------------+-------------+-----------------------|
   |    Asterisk Business Edition     |    A.x.x    | All versions          |
   |----------------------------------+-------------+-----------------------|
   |    Asterisk Business Edition     |    B.x.x    | All versions prior to |
   |                                  |             | B.2.2.1               |
   |----------------------------------+-------------+-----------------------|
   |           AsteriskNOW            | pre-release | All versions prior to |
   |                                  |             | beta7                 |
   |----------------------------------+-------------+-----------------------|
   | Asterisk Appliance Developer Kit |    0.x.x    | All versions prior to |
   |                                  |             | 0.5.0                 |
   |----------------------------------+-------------+-----------------------|
   |    s800i (Asterisk Appliance)    |    1.0.x    | All versions prior to |
   |                                  |             | 1.0.2                 |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                              Corrected In                              |
   |------------------------------------------------------------------------|
   |      Product      |                      Release                       |
   |-------------------+----------------------------------------------------|
   |   Asterisk Open   |          1.2.22 and 1.4.8, available from          |
   |      Source       |    ftp://ftp.digium.com/pub/telephony/asterisk     |
   |-------------------+----------------------------------------------------|
   | Asterisk Business |   B.2.2.1, available from the Asterisk Business    |
   |      Edition      |  Edition user portal on http://www.digium.com or   |
   |                   |                                                    |
   |                   |            via Digium Technical Support            |
   |-------------------+----------------------------------------------------|
   |    AsteriskNOW    | Beta7, available from http://www.asterisknow.org/. |
   |                   | Beta5 and Beta6 users can update using the system  |
   |                   |   update feature in the appliance control panel.   |
   |-------------------+----------------------------------------------------|
   |     Asterisk      |               0.5.0, available from                |
   |     Appliance     |                                                    |
   |   Developer Kit   |      ftp://ftp.digium.com/pub/telephony/aadk/      |
   |-------------------+----------------------------------------------------|
   |  s800i (Asterisk  |                       1.0.2                        |
   |    Appliance)     |                                                    |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |        Links        |                                                  |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Asterisk Project Security Advisories are posted at                     |
   | http://www.asterisk.org/security.                                      |
   |                                                                        |
   | This document may be superseded by later versions; if so, the latest   |
   | version will be posted at                                              |
   | http://ftp.digium.com/pub/asa/ASA-2007-015.pdf.                        |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                            Revision History                            |
   |------------------------------------------------------------------------|
   |       Date        |         Editor          |      Revisions Made      |
   |-------------------+-------------------------+--------------------------|
   | July 17, 2007     | russell@xxxxxxxxxx      | Initial Release          |
   +------------------------------------------------------------------------+

               Asterisk Project Security Advisory - ASA-2007-015
              Copyright (c) 2007 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.