Asterisk Security Team
2008-Jan-02 21:57 UTC
[asterisk-announce] AST-2008-001: Crash from transfer using BYE with Also header
Asterisk Project Security Advisory - AST-2008-001 +------------------------------------------------------------------------+ | Product | Asterisk | |---------------------+--------------------------------------------------| | Summary | Remote Crash Vulnerability in SIP channel driver | |---------------------+--------------------------------------------------| | Nature of Advisory | Denial of Service | |---------------------+--------------------------------------------------| | Susceptibility | Remote Unauthenticated Sessions | |---------------------+--------------------------------------------------| | Severity | Critical | |---------------------+--------------------------------------------------| | Exploits Known | No | |---------------------+--------------------------------------------------| | Reported On | December 26, 2007 | |---------------------+--------------------------------------------------| | Reported By | Grey VoIP (bugs.digium.com user greyvoip) | |---------------------+--------------------------------------------------| | Posted On | January 2, 2008 | |---------------------+--------------------------------------------------| | Last Updated On | January 2, 2008 | |---------------------+--------------------------------------------------| | Advisory Contact | Joshua Colp <jcolp at digium.com> | |---------------------+--------------------------------------------------| | CVE Name | | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Description | The handling of the BYE with Also transfer method was | | | broken during the development of Asterisk 1.4. If a | | | transfer attempt is made using this method the system | | | will immediately crash upon handling the BYE message due | | | to trying to copy data into a NULL pointer. It is | | | important to note that a dialog must have already been | | | established and up in order for this to happen. | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Resolution | A fix has been added so that the BYE with Also transfer | | | method now properly allocates and uses the transfer data | | | structure. It will no longer try to copy data into a NULL | | | pointer and will operate properly. | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Affected Versions | |------------------------------------------------------------------------| | Product | Release | | | | Series | | |----------------------------+-------------+-----------------------------| | Asterisk Open Source | 1.0.x | Unaffected | |----------------------------+-------------+-----------------------------| | Asterisk Open Source | 1.2.x | Unaffected | |----------------------------+-------------+-----------------------------| | Asterisk Open Source | 1.4.x | All versions prior to | | | | 1.4.17 | |----------------------------+-------------+-----------------------------| | Asterisk Business Edition | A.x.x | Unaffected | |----------------------------+-------------+-----------------------------| | Asterisk Business Edition | B.x.x | Unaffected | |----------------------------+-------------+-----------------------------| | Asterisk Business Edition | C.x.x | All versions prior to | | | | C.1.0-beta8 | |----------------------------+-------------+-----------------------------| | AsteriskNOW | pre-release | All versions prior to beta7 | |----------------------------+-------------+-----------------------------| | Asterisk Appliance | SVN | All versions prior to | | Developer Kit | | Asterisk 1.4 revision 95946 | |----------------------------+-------------+-----------------------------| | s800i (Asterisk Appliance) | 1.0.x | All versions prior to | | | | 1.0.3.4 | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Corrected In | |------------------------------------------------------------------------| | Product | Release | |---------------+--------------------------------------------------------| | Asterisk Open | 1.4.17, available from | | Source | http://downloads.digium.com/pub/telephony/asterisk | |---------------+--------------------------------------------------------| | Asterisk | C.1.0 | | Business | | | Edition | | |---------------+--------------------------------------------------------| | AsteriskNOW | Beta7, available from http://www.asterisknow.org/. | | | | | | Beta5 and Beta6 users can update using the system | | | update feature in the appliance control panel. | |---------------+--------------------------------------------------------| | Asterisk | Asterisk 1.4 revision 95946. Available by performing | | Appliance | an svn update of the AADK tree. | | Developer Kit | | |---------------+--------------------------------------------------------| | s800i | 1.0.3.4 | | (Asterisk | | | Appliance) | | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Links | http://bugs.digium.com/view.php?id=11637 | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Asterisk Project Security Advisories are posted at | | http://www.asterisk.org/security | | | | This document may be superseded by later versions; if so, the latest | | version will be posted at | | http://downloads.digium.com/pub/security/AST-2008-001.pdf and | | http://downloads.digium.com/pub/security/AST-2008-001.html | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Revision History | |------------------------------------------------------------------------| | Date | Editor | Revisions Made | |------------------+--------------------+--------------------------------| | 2008-01-02 | Joshua Colp | Initial Release | +------------------------------------------------------------------------+ Asterisk Project Security Advisory - AST-2008-001 Copyright (c) 2007 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.