Asterisk Security Team
2008-Jul-22 23:15 UTC
[asterisk-users] AST-2008-010: Asterisk IAX 'POKE' resource exhaustion
Asterisk Project Security Advisory - AST-2008-010

+------------------------------------------------------------------------+
| Product              | Asterisk                                        |
|----------------------+-------------------------------------------------|
| Summary              | Asterisk IAX 'POKE' resource exhaustion         |
|----------------------+-------------------------------------------------|
| Nature of Advisory   | Denial of service                               |
|----------------------+-------------------------------------------------|
| Susceptibility       | Remote Unauthenticated Sessions                 |
|----------------------+-------------------------------------------------|
| Severity             | Critical                                        |
|----------------------+-------------------------------------------------|
| Exploits Known       | Yes                                             |
|----------------------+-------------------------------------------------|
| Reported On          | July 18, 2008                                   |
|----------------------+-------------------------------------------------|
| Reported By          | Jeremy McNamara < jj AT nufone DOT net >        |
|----------------------+-------------------------------------------------|
| Posted On            | July 22, 2008                                   |
|----------------------+-------------------------------------------------|
| Last Updated On      | July 22, 2008                                   |
|----------------------+-------------------------------------------------|
| Advisory Contact     | Tilghman Lesher < tlesher AT digium DOT com >   |
|----------------------+-------------------------------------------------|
| CVE Name             | CVE-2008-3263                                   |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Description | By flooding an Asterisk server with IAX2 'POKE'          |
|             | requests, an attacker can exhaust all call numbers       |
|             | associated with the IAX2 protocol on that server and     |
|             | prevent other IAX2 calls from getting through. Due to    |
|             | the nature of the protocol, each POKE is answered with   |
|             | a PONG, and the PONG in turn expects an ACK from the     |
|             | sender of the POKE. While waiting for that ACK, the      |
|             | dialog holds an IAX2 call number, because the ACK must   |
|             | reference the same call number that was allocated for,   |
|             | and sent in, the PONG. A POKE requires no                |
|             | authentication, so the attacker never has to             |
|             | complete a dialog.                                       |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Resolution  | The implementation has been changed to no longer         |
|             | allocate an IAX2 call number for POKE requests.          |
|             | Instead, call number 1 has been reserved for all         |
|             | responses to POKE requests, and ACK packets              |
|             | referencing call number 1 will be silently dropped.      |
|             | Because no state is kept between the PONG and the        |
|             | ACK, a POKE flood can no longer consume call numbers.    |
+------------------------------------------------------------------------+

+---------------------------------------------------------------------------------------------------------------------------------+
|Commentary|This vulnerability was reported to us without exploit code, less than two days before it was publicly released with   |
|          |exploit code. Additionally, we were not informed of the public release of the exploit code and only learned this fact |
|          |from a third party. We reiterate that this is irresponsible security disclosure, and we recommend that in the future, |
|          |adequate time be given to fix any such vulnerability. Recommended reading:                                            |
|          |http://www.oisafety.org/guidelines/Guidelines%20for%20Security%20Vulnerability%20Reporting%20and%20Response%20V2.0.pdf|
+---------------------------------------------------------------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Affected Versions                                                      |
|------------------------------------------------------------------------|
| Product                          | Release     |                       |
|                                  | Series      |                       |
|----------------------------------+-------------+-----------------------|
| Asterisk Open Source             | 1.0.x       | All versions          |
|----------------------------------+-------------+-----------------------|
| Asterisk Open Source             | 1.2.x       | All versions prior to |
|                                  |             | 1.2.30                |
|----------------------------------+-------------+-----------------------|
| Asterisk Open Source             | 1.4.x       | All versions prior to |
|                                  |             | 1.4.21.2              |
|----------------------------------+-------------+-----------------------|
| Asterisk Addons                  | 1.2.x       | Not affected          |
|----------------------------------+-------------+-----------------------|
| Asterisk Addons                  | 1.4.x       | Not affected          |
|----------------------------------+-------------+-----------------------|
| Asterisk Business Edition        | A.x.x       | All versions          |
|----------------------------------+-------------+-----------------------|
| Asterisk Business Edition        | B.x.x.x     | All versions prior to |
|                                  |             | B.2.5.4               |
|----------------------------------+-------------+-----------------------|
| Asterisk Business Edition        | C.x.x.x     | All versions prior to |
|                                  |             | C.1.10.3              |
|----------------------------------+-------------+-----------------------|
| AsteriskNOW                      | pre-release | All versions          |
|----------------------------------+-------------+-----------------------|
| Asterisk Appliance Developer Kit | 0.x.x       | All versions          |
|----------------------------------+-------------+-----------------------|
| s800i (Asterisk Appliance)       | 1.0.x       | All versions prior to |
|                                  |             | 1.2.0.1               |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Corrected In                                                           |
|------------------------------------------------------------------------|
| Product                                     | Release                  |
|---------------------------------------------+--------------------------|
| Asterisk Open Source                        | 1.2.30                   |
|---------------------------------------------+--------------------------|
| Asterisk Open Source                        | 1.4.21.2                 |
|---------------------------------------------+--------------------------|
| Asterisk Business Edition                   | B.2.5.4                  |
|---------------------------------------------+--------------------------|
| Asterisk Business Edition                   | C.1.10.3                 |
|---------------------------------------------+--------------------------|
| Asterisk Business Edition                   | C.2.0.3                  |
|---------------------------------------------+--------------------------|
| s800i (Asterisk Appliance)                  | 1.2.0.1                  |
+------------------------------------------------------------------------+

+----------------------------------------------------------------------------------------------------------------------------+
|Links|http://www.oisafety.org/guidelines/Guidelines%20for%20Security%20Vulnerability%20Reporting%20and%20Response%20V2.0.pdf|
|-----+----------------------------------------------------------------------------------------------------------------------|
|     |http://www.securityfocus.com/bid/30321/info                                                                           |
+----------------------------------------------------------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at                     |
| http://www.asterisk.org/security                                       |
|                                                                        |
| This document may be superseded by later versions; if so, the latest   |
| version will be posted at                                              |
| http://downloads.digium.com/pub/security/AST-2008-010.pdf and          |
| http://downloads.digium.com/pub/security/AST-2008-010.html             |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Revision History                                                       |
|------------------------------------------------------------------------|
| Date            | Editor             | Revisions Made                  |
|-----------------+--------------------+---------------------------------|
| July 22, 2008   | Tilghman Lesher    | Initial release                 |
|-----------------+--------------------+---------------------------------|
| July 22, 2008   | Tilghman Lesher    | Revised C.1 version numbers     |
+------------------------------------------------------------------------+

Asterisk Project Security Advisory - AST-2008-010
Copyright (c) 2008 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.
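The POKE/PONG/ACK exchange from the Description and the reserved-call-number change from the Resolution, modelled in Python as an added example; this is not Asterisk's code. The full-frame header layout and the IAX command numbers follow RFC 5456 and Asterisk's iax2.h; the size of the call-number table (max_calls), the peer addresses and the flood traffic are constructed for the model, and the retransmit timeout that would eventually free an unACKed call is deliberately left out.

```python
"""Model of AST-2008-010: IAX2 POKE call-number exhaustion and the fix.
Added example, not Asterisk code. Wire constants: RFC 5456 / iax2.h.
Table size and timeout handling are modelling simplifications."""
import struct

AST_FRAME_IAX = 0x06          # frame type: IAX control frame
IAX_COMMAND_NEW = 0x01
IAX_COMMAND_PONG = 0x03
IAX_COMMAND_ACK = 0x04
IAX_COMMAND_POKE = 0x1e
POKE_RESERVED_CALLNO = 1      # the fix answers every POKE from this call number

# Full-frame header: F|scallno, R|dcallno, timestamp, oseqno, iseqno, type, C|subclass
FULL_FRAME_HDR = struct.Struct("!HHIBBBB")


def build_full_frame(scallno, dcallno, frametype, subclass, ts=0, oseq=0, iseq=0):
    """Encode a 12-byte IAX2 full-frame header with the F bit set."""
    return FULL_FRAME_HDR.pack(0x8000 | scallno, dcallno, ts, oseq, iseq, frametype, subclass)


def parse_full_frame(data):
    """Decode a full-frame header; None for short or mini (F bit clear) frames."""
    if len(data) < FULL_FRAME_HDR.size:
        return None
    scallno, dcallno, ts, oseq, iseq, frametype, subclass = FULL_FRAME_HDR.unpack_from(data)
    if not scallno & 0x8000:
        return None
    return {"scallno": scallno & 0x7fff, "dcallno": dcallno & 0x7fff, "ts": ts,
            "oseq": oseq, "iseq": iseq, "type": frametype, "subclass": subclass & 0x7f}


class IAX2Server:
    """Server-side call-number table. fixed=False reproduces the vulnerable behaviour."""

    def __init__(self, max_calls=64, fixed=False):
        self.max_calls = max_calls   # modelling choice; Asterisk's real table is far larger
        self.fixed = fixed
        self.calls = {}              # callno -> (peer, peer_callno, state)
        self.sent = []               # (peer, frame) pairs the server transmitted

    def in_use(self):
        return len(self.calls)

    def _alloc_callno(self):
        # 0 means "peer call number unknown"; the fix also keeps 1 out of the pool.
        first = POKE_RESERVED_CALLNO + 1 if self.fixed else 1
        for callno in range(first, self.max_calls):
            if callno not in self.calls:
                return callno
        return None

    def _send(self, peer, scallno, dcallno, subclass):
        self.sent.append((peer, build_full_frame(scallno, dcallno, AST_FRAME_IAX, subclass)))

    def handle(self, peer, data):
        """Process one datagram from peer; returns a short label for what happened."""
        f = parse_full_frame(data)
        if f is None or f["type"] != AST_FRAME_IAX:
            return "ignored"
        sub = f["subclass"]
        if sub == IAX_COMMAND_POKE:
            if self.fixed:
                # Hardened: PONG from the reserved call number, nothing allocated.
                self._send(peer, POKE_RESERVED_CALLNO, f["scallno"], IAX_COMMAND_PONG)
                return "pong-stateless"
            callno = self._alloc_callno()
            if callno is None:
                return "no-callno"   # table exhausted: even the PONG cannot be sent
            # Vulnerable: the number stays allocated until the peer's ACK arrives
            # (the retransmit timeout that would eventually free it is omitted here).
            self.calls[callno] = (peer, f["scallno"], "awaiting-ack")
            self._send(peer, callno, f["scallno"], IAX_COMMAND_PONG)
            return "pong"
        if sub == IAX_COMMAND_ACK:
            if self.fixed and f["dcallno"] == POKE_RESERVED_CALLNO:
                return "ack-dropped"  # silently ignored, as the Resolution specifies
            entry = self.calls.get(f["dcallno"])
            if entry and entry[0] == peer and entry[1] == f["scallno"]:
                del self.calls[f["dcallno"]]  # dialog complete; number freed
                return "freed"
            return "ignored"
        if sub == IAX_COMMAND_NEW:
            callno = self._alloc_callno()
            if callno is None:
                return "new-rejected"  # a genuine caller is turned away
            self.calls[callno] = (peer, f["scallno"], "new")
            return "new-accepted"
        return "ignored"


def flood(server, n_pokes):
    """Constructed attack traffic: n POKEs from rotating sources, never ACKed."""
    for i in range(n_pokes):
        peer = ("198.51.100.%d" % (i % 250 + 1), 4569)   # constructed addresses
        server.handle(peer, build_full_frame(1 + i % 0x7fff, 0, AST_FRAME_IAX, IAX_COMMAND_POKE))
    return server


def legit_call_accepted(server):
    """Does a genuine NEW from another (constructed) host still get a call number?"""
    frame = build_full_frame(7, 0, AST_FRAME_IAX, IAX_COMMAND_NEW)
    return server.handle(("203.0.113.7", 4569), frame) == "new-accepted"


if __name__ == "__main__":
    for fixed in (False, True):
        s = flood(IAX2Server(max_calls=64, fixed=fixed), 200)
        print("fixed=%s: %d call numbers held by POKEs, legit call accepted: %s"
              % (fixed, s.in_use(), legit_call_accepted(s)))
```

With the vulnerable handler, a flood of unACKed POKEs pins every free call number and a subsequent NEW is rejected; with the hardened handler the same flood allocates nothing, every PONG carries source call number 1, and an ACK addressed to call number 1 is dropped. That last property is also the easiest way to confirm a patched server from the outside: a PONG whose source call number is 1 means the POKE path is no longer allocating state.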