<<< Date Index >>>     <<< Thread Index >>>

ASA-2007-017: Remote Crash Vulnerability in STUN implementation



               Asterisk Project Security Advisory - ASA-2007-017

   +------------------------------------------------------------------------+
   |      Product       | Asterisk                                          |
   |--------------------+---------------------------------------------------|
   |      Summary       | Remote Crash Vulnerability in STUN implementation |
   |--------------------+---------------------------------------------------|
   | Nature of Advisory | Denial of Service                                 |
   |--------------------+---------------------------------------------------|
   |   Susceptibility   | Remote Unauthenticated Sessions                   |
   |--------------------+---------------------------------------------------|
   |      Severity      | Critical                                          |
   |--------------------+---------------------------------------------------|
   |   Exploits Known   | No                                                |
   |--------------------+---------------------------------------------------|
   |    Reported On     | July 13, 2007                                     |
   |--------------------+---------------------------------------------------|
   |    Reported By     | Will Drewry, Google Security Team                 |
   |--------------------+---------------------------------------------------|
   |     Posted On      | July 17, 2007                                     |
   |--------------------+---------------------------------------------------|
   |  Last Updated On   | July 17, 2007                                     |
   |--------------------+---------------------------------------------------|
   |  Advisory Contact  | Joshua Colp <jcolp@xxxxxxxxxx>                    |
   |--------------------+---------------------------------------------------|
   |      CVE Name      | CVE-2007-3765                                     |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Description | The Asterisk STUN implementation in the RTP stack has a  |
   |             | remotely exploitable crash vulnerability. A pointer may  |
   |             | run past accessible memory if Asterisk receives a        |
   |             | specially crafted STUN packet on an active RTP port.     |
   |             |                                                          |
   |             | The code that parses the incoming STUN packets           |
   |             | incorrectly checks that the length indicated in the STUN |
   |             | attribute and the size of the STUN attribute header does |
   |             | not exceed the available data. This will cause the data  |
   |             | pointer to run past accessible memory and when accessed  |
   |             | will cause a crash.                                      |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Resolution | All users that have chan_sip, chan_gtalk, chan_jingle,    |
   |            | chan_h323, chan_mgcp, or chan_skinny enabled on an        |
   |            | affected version should upgrade to the appropriate        |
   |            | version listed in the correct in section of this          |
   |            | advisory.                                                 |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |             Product              |   Release   |                       |
   |                                  |   Series    |                       |
   |----------------------------------+-------------+-----------------------|
   |       Asterisk Open Source       |    1.0.x    | None affected         |
   |----------------------------------+-------------+-----------------------|
   |       Asterisk Open Source       |    1.2.x    | None affected         |
   |----------------------------------+-------------+-----------------------|
   |       Asterisk Open Source       |    1.4.x    | All versions prior to |
   |                                  |             | 1.4.8                 |
   |----------------------------------+-------------+-----------------------|
   |    Asterisk Business Edition     |    A.x.x    | None affected         |
   |----------------------------------+-------------+-----------------------|
   |    Asterisk Business Edition     |    B.x.x    | None affected         |
   |----------------------------------+-------------+-----------------------|
   |           AsteriskNOW            | pre-release | All versions prior to |
   |                                  |             | beta7                 |
   |----------------------------------+-------------+-----------------------|
   | Asterisk Appliance Developer Kit |    0.x.x    | All versions prior to |
   |                                  |             | 0.5.0                 |
   |----------------------------------+-------------+-----------------------|
   |    s800i (Asterisk Appliance)    |    1.0.x    | All versions prior to |
   |                                  |             | 1.0.2                 |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                              Corrected In                              |
   |------------------------------------------------------------------------|
   |     Product     |                       Release                        |
   |-----------------+------------------------------------------------------|
   |  Asterisk Open  |                 1.4.8 available from                 |
   |     Source      |     ftp://ftp.digium.com/pub/telephony/asterisk      |
   |-----------------+------------------------------------------------------|
   |   AsteriskNOW   |  Beta7, available from http://www.asterisknow.org/.  |
   |                 |  Beta5 and Beta6 users can update using the system   |
   |                 |    update feature in the appliance control panel.    |
   |-----------------+------------------------------------------------------|
   |    Asterisk     |                0.5.0, available from                 |
   |    Appliance    |       ftp://ftp.digium.com/pub/telephony/aadk/       |
   |  Developer Kit  |                                                      |
   |-----------------+------------------------------------------------------|
   | s800i (Asterisk |                        1.0.2                         |
   |   Appliance)    |                                                      |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |        Links        |                                                  |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Asterisk Project Security Advisories are posted at                     |
   | http://www.asterisk.org/security.                                      |
   |                                                                        |
   | This document may be superseded by later versions; if so, the latest   |
   | version will be posted at                                              |
   | http://ftp.digium.com/pub/asa/ASA-2007-017.pdf.                        |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                            Revision History                            |
   |------------------------------------------------------------------------|
   |        Date        |        Editor         |      Revisions Made       |
   |--------------------+-----------------------+---------------------------|
   | July 17, 2006      | jcolp@xxxxxxxxxx      | Initial Release           |
   +------------------------------------------------------------------------+

               Asterisk Project Security Advisory - ASA-2007-017
              Copyright (c) 2007 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.