<<< Date Index >>>     <<< Thread Index >>>

AST-2008-012: Remote crash vulnerability in IAX2



               Asterisk Project Security Advisory - AST-2008-012

   +------------------------------------------------------------------------+
   |       Product        | Asterisk                                        |
   |----------------------+-------------------------------------------------|
   |       Summary        | Remote crash vulnerability in IAX2              |
   |----------------------+-------------------------------------------------|
   |  Nature of Advisory  | Remote Crash                                    |
   |----------------------+-------------------------------------------------|
   |    Susceptibility    | Remote Unauthenticated Sessions                 |
   |----------------------+-------------------------------------------------|
   |       Severity       | Major                                           |
   |----------------------+-------------------------------------------------|
   |    Exploits Known    | No                                              |
   |----------------------+-------------------------------------------------|
   |     Reported On      | November 22, 2008                               |
   |----------------------+-------------------------------------------------|
   |     Reported By      |Jon Leren Scho/pzinsky                           |
   |----------------------+-------------------------------------------------|
   |      Posted On       |                                                 |
   |----------------------+-------------------------------------------------|
   |   Last Updated On    | December 9, 2008                                |
   |----------------------+-------------------------------------------------|
   |   Advisory Contact   | Mark Michelson <mmichelson AT digium DOT com>   |
   |----------------------+-------------------------------------------------|
   |       CVE Name       |                                                 |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Description | There is a possibility to remotely crash an Asterisk     |
   |             | server if the server is configured to use realtime IAX2  |
   |             | users. The issue occurs if either an unknown user        |
   |             | attempts to authenticate or if a user that uses hostname |
   |             | matching attempts to authenticate.                       |
   |             |                                                          |
   |             | The problem was due to a broken function call to         |
   |             | Asterisk's realtime configuration API.                   |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |   Resolution    | The function calls in question have been fixed.      |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |             Product             | Release Series |                     |
   |---------------------------------+----------------+---------------------|
   |      Asterisk Open Source       |     1.2.x      | 1.2.26-1.2.30.3     |
   |---------------------------------+----------------+---------------------|
   |      Asterisk Open Source       |     1.4.x      | Unaffected          |
   |---------------------------------+----------------+---------------------|
   |      Asterisk Open Source       |     1.6.x      | Unaffected          |
   |---------------------------------+----------------+---------------------|
   |         Asterisk Addons         |     1.2.x      | Unaffected          |
   |---------------------------------+----------------+---------------------|
   |         Asterisk Addons         |     1.4.x      | Unaffected          |
   |---------------------------------+----------------+---------------------|
   |         Asterisk Addons         |     1.6.x      | Unaffected          |
   |---------------------------------+----------------+---------------------|
   |    Asterisk Business Edition    |     A.x.x      | Unaffected          |
   |---------------------------------+----------------+---------------------|
   |    Asterisk Business Edition    |     B.x.x      | B.2.3.5-B.2.5.5     |
   |---------------------------------+----------------+---------------------|
   |    Asterisk Business Edition    |     C.x.x      | Unaffected          |
   |---------------------------------+----------------+---------------------|
   |           AsteriskNOW           |      1.5       | Unaffected          |
   |---------------------------------+----------------+---------------------|
   |   s800i (Asterisk Appliance)    |     1.2.x      | Unaffected          |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                              Corrected In                              |
   |------------------------------------------------------------------------|
   |                  Product                   |          Release          |
   |--------------------------------------------+---------------------------|
   |            Asterisk Open Source            |         1.2.30.4          |
   |--------------------------------------------+---------------------------|
   |         Asterisk Business Edition          |          B.2.5.6          |
   |--------------------------------------------+---------------------------|
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |        Links        |                                                  |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Asterisk Project Security Advisories are posted at                     |
   | http://www.asterisk.org/security                                       |
   |                                                                        |
   | This document may be superseded by later versions; if so, the latest   |
   | version will be posted at                                              |
   | http://downloads.digium.com/pub/security/AST-2008-012.pdf and          |
   | http://downloads.digium.com/pub/security/AST-2008-012.html             |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                            Revision History                            |
   |------------------------------------------------------------------------|
   |        Date        |     Editor      |         Revisions Made          |
   |--------------------+-----------------+---------------------------------|
   | November 23, 2008  | Mark Michelson  | Initial draft                   |
   |--------------------+-----------------+---------------------------------|
   | December 9, 2008   | Mark Michelson  | Added "Corrected In" versions   |
   +------------------------------------------------------------------------+

               Asterisk Project Security Advisory - AST-2008-012
              Copyright (c) 2008 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.