AST-2008-001: Crash from transfer using BYE with Also header
Asterisk Project Security Advisory - AST-2008-001
+------------------------------------------------------------------------+
| Product | Asterisk |
|---------------------+--------------------------------------------------|
| Summary | Remote Crash Vulnerability in SIP channel driver |
|---------------------+--------------------------------------------------|
| Nature of Advisory | Denial of Service |
|---------------------+--------------------------------------------------|
| Susceptibility | Remote Unauthenticated Sessions |
|---------------------+--------------------------------------------------|
| Severity | Critical |
|---------------------+--------------------------------------------------|
| Exploits Known | No |
|---------------------+--------------------------------------------------|
| Reported On | December 26, 2007 |
|---------------------+--------------------------------------------------|
| Reported By | Grey VoIP (bugs.digium.com user greyvoip) |
|---------------------+--------------------------------------------------|
| Posted On | January 2, 2008 |
|---------------------+--------------------------------------------------|
| Last Updated On | January 2, 2008 |
|---------------------+--------------------------------------------------|
| Advisory Contact | Joshua Colp <jcolp@xxxxxxxxxx> |
|---------------------+--------------------------------------------------|
| CVE Name | |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Description | The handling of the BYE with Also transfer method was |
| | broken during the development of Asterisk 1.4. If a |
| | transfer attempt is made using this method the system |
| | will immediately crash upon handling the BYE message due |
| | to trying to copy data into a NULL pointer. It is |
| | important to note that a dialog must have already been |
| | established and up in order for this to happen. |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Resolution | A fix has been added so that the BYE with Also transfer |
| | method now properly allocates and uses the transfer data |
| | structure. It will no longer try to copy data into a NULL |
| | pointer and will operate properly. |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Affected Versions |
|------------------------------------------------------------------------|
| Product | Release | |
| | Series | |
|----------------------------+-------------+-----------------------------|
| Asterisk Open Source | 1.0.x | Unaffected |
|----------------------------+-------------+-----------------------------|
| Asterisk Open Source | 1.2.x | Unaffected |
|----------------------------+-------------+-----------------------------|
| Asterisk Open Source | 1.4.x | All versions prior to |
| | | 1.4.17 |
|----------------------------+-------------+-----------------------------|
| Asterisk Business Edition | A.x.x | Unaffected |
|----------------------------+-------------+-----------------------------|
| Asterisk Business Edition | B.x.x | Unaffected |
|----------------------------+-------------+-----------------------------|
| Asterisk Business Edition | C.x.x | All versions prior to |
| | | C.1.0-beta8 |
|----------------------------+-------------+-----------------------------|
| AsteriskNOW | pre-release | All versions prior to beta7 |
|----------------------------+-------------+-----------------------------|
| Asterisk Appliance | SVN | All versions prior to |
| Developer Kit | | Asterisk 1.4 revision 95946 |
|----------------------------+-------------+-----------------------------|
| s800i (Asterisk Appliance) | 1.0.x | All versions prior to |
| | | 1.0.3.4 |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Corrected In |
|------------------------------------------------------------------------|
| Product | Release |
|---------------+--------------------------------------------------------|
| Asterisk Open | 1.4.17, available from |
| Source | http://downloads.digium.com/pub/telephony/asterisk |
|---------------+--------------------------------------------------------|
| Asterisk | C.1.0 |
| Business | |
| Edition | |
|---------------+--------------------------------------------------------|
| AsteriskNOW | Beta7, available from http://www.asterisknow.org/. |
| | |
| | Beta5 and Beta6 users can update using the system |
| | update feature in the appliance control panel. |
|---------------+--------------------------------------------------------|
| Asterisk | Asterisk 1.4 revision 95946. Available by performing |
| Appliance | an svn update of the AADK tree. |
| Developer Kit | |
|---------------+--------------------------------------------------------|
| s800i | 1.0.3.4 |
| (Asterisk | |
| Appliance) | |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Links | http://bugs.digium.com/view.php?id=11637 |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://downloads.digium.com/pub/security/AST-2008-001.pdf and |
| http://downloads.digium.com/pub/security/AST-2008-001.html |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Revision History |
|------------------------------------------------------------------------|
| Date | Editor | Revisions Made |
|------------------+--------------------+--------------------------------|
| 2008-01-02 | Joshua Colp | Initial Release |
+------------------------------------------------------------------------+
Asterisk Project Security Advisory - AST-2008-001
Copyright (c) 2007 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.