ASA-2007-017: Remote Crash Vulnerability in STUN implementation
Asterisk Project Security Advisory - ASA-2007-017
+------------------------------------------------------------------------+
| Product | Asterisk |
|--------------------+---------------------------------------------------|
| Summary | Remote Crash Vulnerability in STUN implementation |
|--------------------+---------------------------------------------------|
| Nature of Advisory | Denial of Service |
|--------------------+---------------------------------------------------|
| Susceptibility | Remote Unauthenticated Sessions |
|--------------------+---------------------------------------------------|
| Severity | Critical |
|--------------------+---------------------------------------------------|
| Exploits Known | No |
|--------------------+---------------------------------------------------|
| Reported On | July 13, 2007 |
|--------------------+---------------------------------------------------|
| Reported By | Will Drewry, Google Security Team |
|--------------------+---------------------------------------------------|
| Posted On | July 17, 2007 |
|--------------------+---------------------------------------------------|
| Last Updated On | July 17, 2007 |
|--------------------+---------------------------------------------------|
| Advisory Contact | Joshua Colp <jcolp@xxxxxxxxxx> |
|--------------------+---------------------------------------------------|
| CVE Name | CVE-2007-3765 |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Description | The Asterisk STUN implementation in the RTP stack has a |
| | remotely exploitable crash vulnerability. A pointer may |
| | run past accessible memory if Asterisk receives a |
| | specially crafted STUN packet on an active RTP port. |
| | |
| | The code that parses the incoming STUN packets |
| | incorrectly checks that the length indicated in the STUN |
| | attribute and the size of the STUN attribute header does |
| | not exceed the available data. This will cause the data |
| | pointer to run past accessible memory and when accessed |
| | will cause a crash. |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Resolution | All users that have chan_sip, chan_gtalk, chan_jingle, |
| | chan_h323, chan_mgcp, or chan_skinny enabled on an |
| | affected version should upgrade to the appropriate |
| | version listed in the correct in section of this |
| | advisory. |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Affected Versions |
|------------------------------------------------------------------------|
| Product | Release | |
| | Series | |
|----------------------------------+-------------+-----------------------|
| Asterisk Open Source | 1.0.x | None affected |
|----------------------------------+-------------+-----------------------|
| Asterisk Open Source | 1.2.x | None affected |
|----------------------------------+-------------+-----------------------|
| Asterisk Open Source | 1.4.x | All versions prior to |
| | | 1.4.8 |
|----------------------------------+-------------+-----------------------|
| Asterisk Business Edition | A.x.x | None affected |
|----------------------------------+-------------+-----------------------|
| Asterisk Business Edition | B.x.x | None affected |
|----------------------------------+-------------+-----------------------|
| AsteriskNOW | pre-release | All versions prior to |
| | | beta7 |
|----------------------------------+-------------+-----------------------|
| Asterisk Appliance Developer Kit | 0.x.x | All versions prior to |
| | | 0.5.0 |
|----------------------------------+-------------+-----------------------|
| s800i (Asterisk Appliance) | 1.0.x | All versions prior to |
| | | 1.0.2 |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Corrected In |
|------------------------------------------------------------------------|
| Product | Release |
|-----------------+------------------------------------------------------|
| Asterisk Open | 1.4.8 available from |
| Source | ftp://ftp.digium.com/pub/telephony/asterisk |
|-----------------+------------------------------------------------------|
| AsteriskNOW | Beta7, available from http://www.asterisknow.org/. |
| | Beta5 and Beta6 users can update using the system |
| | update feature in the appliance control panel. |
|-----------------+------------------------------------------------------|
| Asterisk | 0.5.0, available from |
| Appliance | ftp://ftp.digium.com/pub/telephony/aadk/ |
| Developer Kit | |
|-----------------+------------------------------------------------------|
| s800i (Asterisk | 1.0.2 |
| Appliance) | |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Links | |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security. |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://ftp.digium.com/pub/asa/ASA-2007-017.pdf. |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Revision History |
|------------------------------------------------------------------------|
| Date | Editor | Revisions Made |
|--------------------+-----------------------+---------------------------|
| July 17, 2006 | jcolp@xxxxxxxxxx | Initial Release |
+------------------------------------------------------------------------+
Asterisk Project Security Advisory - ASA-2007-017
Copyright (c) 2007 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.