Asterisk Security Team
2008-Mar-18 23:26 UTC
[asterisk-announce] AST-2008-002: Two buffer overflows in RTP Codec Payload Handling
Asterisk Project Security Advisory - AST-2008-002 +------------------------------------------------------------------------+ | Product | Asterisk | |--------------------+---------------------------------------------------| | Summary | Two buffer overflows in RTP Codec Payload | | | Handling | |--------------------+---------------------------------------------------| | Nature of Advisory | Exploitable Buffer Overflow | |--------------------+---------------------------------------------------| | Susceptibility | Remote Unauthenticated Sessions | |--------------------+---------------------------------------------------| | Severity | Critical | |--------------------+---------------------------------------------------| | Exploits Known | No | |--------------------+---------------------------------------------------| | Reported On | March 11, 2008 | |--------------------+---------------------------------------------------| | Reported By | Mu Security Research Team | |--------------------+---------------------------------------------------| | Posted On | March 18, 2008 | |--------------------+---------------------------------------------------| | Last Updated On | March 18, 2008 | |--------------------+---------------------------------------------------| | Advisory Contact | Joshua Colp <jcolp at digium.com> | |--------------------+---------------------------------------------------| | CVE Name | CVE-2008-1289 | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Description | Two buffer overflows exist in the RTP payload handling | | | code of Asterisk. Both overflows can be caused by an | | | INVITE or any other SIP packet with SDP. The request may | | | need to be authenticated depending on configuration of | | | the Asterisk installation. | | | | | | The first overflow is caused by sending a payload number | | | that surpasses the programmed maximum payload number of | | | 256. This causes an invalid memory write outside of the | | | buffer. While this does not allow the attacker to write | | | arbitrary data it does allow the attacker to write a 0 | | | to other memory locations. | | | | | | The second overflow is caused by sending more than 32 | | | RTP payloads. This causes a buffer on the stack to | | | overflow allowing the attacker to write values between 0 | | | and 256 (the maximum payload number) to memory locations | | | after the buffer. | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Resolution | Two fixes have been added to check the provided data to | | | ensure it does not exceed static buffer sizes. | | | | | | When removing internal information regarding an RTP | | | payload the given payload number will now be checked to | | | make sure it does not exceed the maximum acceptable | | | payload number. | | | | | | When reading RTP payloads from SDP a maximum limit of 32 | | | in total will be enforced. Any further RTP payloads will | | | be discarded. | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Affected Versions | |------------------------------------------------------------------------| | Product | Release | | | | Series | | |----------------------------+---------+---------------------------------| | Asterisk Open Source | 1.0.x | Unaffected | |----------------------------+---------+---------------------------------| | Asterisk Open Source | 1.2.x | Unaffected | |----------------------------+---------+---------------------------------| | Asterisk Open Source | 1.4.x | All versions prior to 1.4.18.1 | | | | and 1.4.19-rc3 | |----------------------------+---------+---------------------------------| | Asterisk Open Source | 1.6.x | All versions prior to | | | | 1.6.0-beta6 | |----------------------------+---------+---------------------------------| | Asterisk Business Edition | A.x.x | Unaffected | |----------------------------+---------+---------------------------------| | Asterisk Business Edition | B.x.x | Unaffected | |----------------------------+---------+---------------------------------| | Asterisk Business Edition | C.x.x | All versions prior to C.1.6.1 | |----------------------------+---------+---------------------------------| | AsteriskNOW | 1.0.x | All versions prior to 1.0.2 | |----------------------------+---------+---------------------------------| | Asterisk Appliance | SVN | All versions prior to Asterisk | | Developer Kit | | 1.4 revision 109386 | |----------------------------+---------+---------------------------------| | s800i (Asterisk Appliance) | 1.1.x | All versions prior to 1.1.0.2 | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Corrected In | |------------------------------------------------------------------------| | Product | Release | |---------------+--------------------------------------------------------| | Asterisk Open | 1.4.18.1/1.4.19-rc3/1.6.0-beta6, available from | | Source | http://downloads.digium.com/pub/telephony/asterisk | |---------------+--------------------------------------------------------| | Asterisk | C.1.6.1 | | Business | | | Edition | | |---------------+--------------------------------------------------------| | AsteriskNOW | 1.0.2, available from http://www.asterisknow.org/ | | | | | | Current users can update using the system update | | | feature in the appliance control panel. | |---------------+--------------------------------------------------------| | Asterisk | Asterisk 1.4 revision 109386. Available by performing | | Appliance | an svn update of the AADK tree. | | Developer Kit | | |---------------+--------------------------------------------------------| | s800i | 1.1.0.2 | | (Asterisk | | | Appliance) | | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Links | | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Asterisk Project Security Advisories are posted at | | http://www.asterisk.org/security | | | | This document may be superseded by later versions; if so, the latest | | version will be posted at | | http://downloads.digium.com/pub/security/AST-2008-002.pdf and | | http://downloads.digium.com/pub/security/AST-2008-002.html | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Revision History | |------------------------------------------------------------------------| | Date | Editor | Revisions Made | |------------------+--------------------+--------------------------------| | 2008-03-18 | Joshua Colp | Initial Release | +------------------------------------------------------------------------+ Asterisk Project Security Advisory - AST-2008-002 Copyright (c) 2008 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.