ASA-2007-019: Remote crash vulnerability in Skinny channel driver
Asterisk Project Security Advisory - ASA-2007-019
+------------------------------------------------------------------------+
| Product | Asterisk |
|--------------------+---------------------------------------------------|
| Summary | Remote crash vulnerability in Skinny channel |
| | driver |
|--------------------+---------------------------------------------------|
| Nature of Advisory | Denial of Service |
|--------------------+---------------------------------------------------|
| Susceptibility | Remote Authenticated Sessions |
|--------------------+---------------------------------------------------|
| Severity | Moderate |
|--------------------+---------------------------------------------------|
| Exploits Known | No |
|--------------------+---------------------------------------------------|
| Reported On | August 7, 2007 |
|--------------------+---------------------------------------------------|
| Reported By | Wei Wang of McAfee AVERT Labs |
|--------------------+---------------------------------------------------|
| Posted On | August 7, 2007 |
|--------------------+---------------------------------------------------|
| Last Updated On | August 7, 2007 |
|--------------------+---------------------------------------------------|
| Advisory Contact | Jason Parker <jparker@xxxxxxxxxx> |
|--------------------+---------------------------------------------------|
| CVE Name | |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Description | The Asterisk Skinny channel driver, chan_skinny, has a |
| | remotely exploitable crash vulnerability. A segfault can |
| | occur when Asterisk receives a |
| | "CAPABILITIES_RES_MESSAGE" packet where the capabilities |
| | count is greater than the total number of items in the |
| | capabilities_res_message array. Note that this requires |
| | an authenticated session. |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Resolution | Asterisk code has been modified to limit the incoming |
| | capabilities count. |
| | |
| | Users with configured Skinny devices should upgrade to |
| | the appropriate version listed in the corrected in |
| | section of this advisory. |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Affected Versions |
|------------------------------------------------------------------------|
| Product | Release | |
| | Series | |
|----------------------------------+-------------+-----------------------|
| Asterisk Open Source | 1.0.x | Not affected |
|----------------------------------+-------------+-----------------------|
| Asterisk Open Source | 1.2.x | Not affected |
|----------------------------------+-------------+-----------------------|
| Asterisk Open Source | 1.4.x | All versions prior to |
| | | 1.4.10 |
|----------------------------------+-------------+-----------------------|
| Asterisk Business Edition | A.x.x | Not affected |
|----------------------------------+-------------+-----------------------|
| Asterisk Business Edition | B.x.x | Not affected |
|----------------------------------+-------------+-----------------------|
| AsteriskNOW | pre-release | All versions prior to |
| | | beta7 |
|----------------------------------+-------------+-----------------------|
| Asterisk Appliance Developer Kit | 0.x.x | All versions prior to |
| | | 0.7.0 |
|----------------------------------+-------------+-----------------------|
| s800i (Asterisk Appliance) | 1.0.x | All versions prior to |
| | | 1.0.3 |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Corrected In |
|------------------------------------------------------------------------|
| Product | Release |
|---------------+--------------------------------------------------------|
| Asterisk Open | 1.4.10, available from |
| Source | http://downloads.digium.com/pub/telephony/asterisk |
|---------------+--------------------------------------------------------|
| AsteriskNOW | Beta7, available from http://www.asterisknow.org/. |
| | Beta5 and Beta6 users can update using the system |
| | update feature in the appliance control panel. |
|---------------+--------------------------------------------------------|
| Asterisk | 0.7.0, available from |
| Appliance | http://downloads.digium.com/pub/telephony/aadk |
| Developer Kit | |
|---------------+--------------------------------------------------------|
| s800i | 1.0.3 |
| (Asterisk | |
| Appliance) | |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Links | |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security. |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://downloads.digium.com/pub/asa/ASA-2007-019.pdf and |
| http://downloads.digium.com/pub/asa/ASA-2007-019.html. |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Revision History |
|------------------------------------------------------------------------|
| Date | Editor | Revisions Made |
|--------------------+------------------------+--------------------------|
| August 7, 2007 | jparker@xxxxxxxxxx | Initial Release |
+------------------------------------------------------------------------+
Asterisk Project Security Advisory - ASA-2007-019
Copyright (c) 2007 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.