<<< Date Index >>>     <<< Thread Index >>>

AST-2008-004: Format String Vulnerability in Logger and Manager



               Asterisk Project Security Advisory - AST-2008-004

   +------------------------------------------------------------------------+
   |      Product       | Asterisk                                          |
   |--------------------+---------------------------------------------------|
   |      Summary       | Format String Vulnerability in Logger and Manager |
   |--------------------+---------------------------------------------------|
   | Nature of Advisory | Denial of Service                                 |
   |--------------------+---------------------------------------------------|
   |   Susceptibility   | Remote Unauthenticated Sessions                   |
   |--------------------+---------------------------------------------------|
   |      Severity      | Moderate                                          |
   |--------------------+---------------------------------------------------|
   |   Exploits Known   | No                                                |
   |--------------------+---------------------------------------------------|
   |    Reported On     | March 13, 2008                                    |
   |--------------------+---------------------------------------------------|
   |    Reported By     | Steve Davies (bugs.digium.com user stevedavies)   |
   |                    |                                                   |
   |                    | Brandon Kruse (bugs.digium.com user bkruse)       |
   |--------------------+---------------------------------------------------|
   |     Posted On      | March 18, 2008                                    |
   |--------------------+---------------------------------------------------|
   |  Last Updated On   | March 18, 2008                                    |
   |--------------------+---------------------------------------------------|
   |  Advisory Contact  | Joshua Colp <jcolp@xxxxxxxxxx>                    |
   |--------------------+---------------------------------------------------|
   |      CVE Name      | CVE-2008-1333                                     |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Description | Logging messages displayed using the ast_verbose logging |
   |             | API call are not displayed as a character string, they   |
   |             | are displayed as a format string.                        |
   |             |                                                          |
   |             | Output as a result of the Manager command "command" is   |
   |             | not appended to the resulting response message as a      |
   |             | character string, it is appended as a format string.     |
   |             |                                                          |
   |             | It is possible in both instances for an attacker to      |
   |             | provide a formatted string as a value for input which    |
   |             | can cause a crash.                                       |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Resolution | Input given to both the ast_verbose logging API call and  |
   |            | astman_append function is now interpreted as a character  |
   |            | string and not as a format string.                        |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |          Product           | Release |                                 |
   |                            | Series  |                                 |
   |----------------------------+---------+---------------------------------|
   |    Asterisk Open Source    |  1.0.x  | Unaffected                      |
   |----------------------------+---------+---------------------------------|
   |    Asterisk Open Source    |  1.2.x  | Unaffected                      |
   |----------------------------+---------+---------------------------------|
   |    Asterisk Open Source    |  1.4.x  | Unaffected                      |
   |----------------------------+---------+---------------------------------|
   |    Asterisk Open Source    |  1.6.x  | All versions prior to           |
   |                            |         | 1.6.0-beta6                     |
   |----------------------------+---------+---------------------------------|
   | Asterisk Business Edition  |  A.x.x  | Unaffected                      |
   |----------------------------+---------+---------------------------------|
   | Asterisk Business Edition  |  B.x.x  | Unaffected                      |
   |----------------------------+---------+---------------------------------|
   | Asterisk Business Edition  |  C.x.x  | Unaffected                      |
   |----------------------------+---------+---------------------------------|
   |        AsteriskNOW         |  1.0.x  | Unaffected                      |
   |----------------------------+---------+---------------------------------|
   |     Asterisk Appliance     |  0.x.x  | Unaffected                      |
   |       Developer Kit        |         |                                 |
   |----------------------------+---------+---------------------------------|
   | s800i (Asterisk Appliance) |  1.0.x  | Unaffected                      |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                              Corrected In                              |
   |------------------------------------------------------------------------|
   |    Product    |                        Release                         |
   |---------------+--------------------------------------------------------|
   | Asterisk Open |              1.6.0-beta6, available from               |
   |    Source     |   http://downloads.digium.com/pub/telephony/asterisk   |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |      Links       | http://bugs.digium.com/view.php?id=12205            |
   |                  |                                                     |
   |                  | http://bugs.digium.com/view.php?id=12206            |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Asterisk Project Security Advisories are posted at                     |
   | http://www.asterisk.org/security                                       |
   |                                                                        |
   | This document may be superseded by later versions; if so, the latest   |
   | version will be posted at                                              |
   | http://downloads.digium.com/pub/security/AST-2008-004.pdf and          |
   | http://downloads.digium.com/pub/security/AST-2008-004.html             |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                            Revision History                            |
   |------------------------------------------------------------------------|
   |       Date       |       Editor       |         Revisions Made         |
   |------------------+--------------------+--------------------------------|
   | 2008-03-18       | Joshua Colp        | Initial Release                |
   +------------------------------------------------------------------------+

               Asterisk Project Security Advisory - AST-2008-004
              Copyright (c) 2008 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.