Asterisk Security Team
2009-Aug-03 04:30 UTC
[asterisk-users] AST-2009-004: Remote Crash Vulnerability in RTP stack
Asterisk Project Security Advisory - AST-2009-004
+------------------------------------------------------------------------+
| Product | Asterisk |
|----------------------+-------------------------------------------------|
| Summary | Remote Crash Vulnerability in RTP stack |
|----------------------+-------------------------------------------------|
| Nature of Advisory | Exploitable Crash |
|----------------------+-------------------------------------------------|
| Susceptibility | Remote unauthenticated sessions |
|----------------------+-------------------------------------------------|
| Severity | Critical |
|----------------------+-------------------------------------------------|
| Exploits Known | No |
|----------------------+-------------------------------------------------|
| Reported On | July 27, 2009 |
|----------------------+-------------------------------------------------|
| Reported By | Marcus Hunger <hunger AT sipgate DOT de>
|
|----------------------+-------------------------------------------------|
| Posted On | August 2, 2009 |
|----------------------+-------------------------------------------------|
| Last Updated On | August 2, 2009 |
|----------------------+-------------------------------------------------|
| Advisory Contact | Mark Michelson <mmichelson AT digium DOT com>
|
|----------------------+-------------------------------------------------|
| CVE Name | |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Description | An attacker can cause Asterisk to crash remotely by |
| | sending malformed RTP text frames. While the attacker |
| | can cause Asterisk to crash, he cannot execute arbitrary |
| | remote code with this exploit. |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Resolution | Users should upgrade to a version listed in the |
| | "Corrected In" section below.
|
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Affected Versions |
|------------------------------------------------------------------------|
| Product | Release Series | |
|-------------------------------+----------------+-----------------------|
| Asterisk Open Source | 1.2.x | Unaffected |
|-------------------------------+----------------+-----------------------|
| Asterisk Open Source | 1.4.x | Unaffected |
|-------------------------------+----------------+-----------------------|
| Asterisk Open Source | 1.6.x | All 1.6.1 versions |
|-------------------------------+----------------+-----------------------|
| Asterisk Addons | 1.2.x | Unaffected |
|-------------------------------+----------------+-----------------------|
| Asterisk Addons | 1.4.x | Unaffected |
|-------------------------------+----------------+-----------------------|
| Asterisk Addons | 1.6.x | Unaffected |
|-------------------------------+----------------+-----------------------|
| Asterisk Business Edition | A.x.x | Unaffected |
|-------------------------------+----------------+-----------------------|
| Asterisk Business Edition | B.x.x | Unaffected |
|-------------------------------+----------------+-----------------------|
| Asterisk Business Edition | C.x.x | Unaffected |
|-------------------------------+----------------+-----------------------|
| AsteriskNOW | 1.5 | Unaffected |
|-------------------------------+----------------+-----------------------|
| s800i (Asterisk Appliance) | 1.2.x | Unaffected |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Corrected In |
|------------------------------------------------------------------------|
| Product | Release |
|---------------------------------------------+--------------------------|
| Open Source Asterisk 1.6.1 | 1.6.1.2 |
|---------------------------------------------+--------------------------|
|---------------------------------------------+--------------------------|
+------------------------------------------------------------------------+
+----------------------------------------------------------------------------+
| Patches |
|----------------------------------------------------------------------------|
| SVN URL |Version|
|--------------------------------------------------------------------+-------|
|http://downloads.digium.com/pub/security/AST-2009-004-1.6.1.diff.txt| 1.6.1 |
|--------------------------------------------------------------------+-------|
+----------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Links | |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://downloads.digium.com/pub/security/AST-2009-004.pdf and |
| http://downloads.digium.com/pub/security/AST-2009-004.html |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Revision History |
|------------------------------------------------------------------------|
| Date | Editor | Revisions Made |
|----------------+-----------------+-------------------------------------|
| 27 Jul, 2009 | Mark Michelson | Initial Draft |
|----------------+-----------------+-------------------------------------|
| 31 Jul, 2009 | Mark Michelson | Added sentence about how remote |
| | | code cannot be executed. |
|----------------+-----------------+-------------------------------------|
| August 2, 2009 | Tilghman Lesher | Public release |
+------------------------------------------------------------------------+
Asterisk Project Security Advisory - AST-2009-004
Copyright (c) 2009 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.