Asterisk Security Team
2011-Jan-18 16:35 UTC
[asterisk-users] AST-2011-001: Stack buffer overflow in SIP channel driver
Asterisk Project Security Advisory - AST-2011-001
Product Asterisk
Summary Stack buffer overflow in SIP channel driver
Nature of Advisory Exploitable Stack Buffer Overflow
Susceptibility Remote Authenticated Sessions
Severity Moderate
Exploits Known No
Reported On January 11, 2011
Reported By Matthew Nicholson
Posted On January 18, 2011
Last Updated On January 18, 2011
Advisory Contact Matthew Nicholson <mnicholson at digium.com>
CVE Name
Description When forming an outgoing SIP request while in pedantic mode, a
stack buffer can be made to overflow if supplied with
carefully crafted caller ID information. This vulnerability
also affects the URIENCODE dialplan function and in some
versions of asterisk, the AGI dialplan application as well.
The ast_uri_encode function does not properly respect the size
of its output buffer and can write past the end of it when
encoding URIs.
Resolution The size of the output buffer passed to the ast_uri_encode
function is now properly respected.
In asterisk versions not containing the fix for this issue,
limiting strings originating from remote sources that will be
URI encoded to a length of 40 characters will protect against
this vulnerability.
exten => s,1,Set(CALLERID(num)=${CALLERID(num):0:40})
exten => s,n,Set(CALLERID(name)=${CALLERID(name):0:40})
exten => s,n,Dial(SIP/channel)
The CALLERID(num) and CALLERID(name) channel values, and any
strings passed to the URIENCODE dialplan function should be
limited in this manner.
Affected Versions
Product Release Series
Asterisk Open Source 1.2.x All versions
Asterisk Open Source 1.4.x All versions
Asterisk Open Source 1.6.x All versions
Asterisk Open Source 1.8.x All versions
Asterisk Business Edition C.x.x All versions
AsteriskNOW 1.5 All versions
s800i (Asterisk Appliance) 1.2.x All versions
Corrected In
Product Release
Asterisk Open Source 1.4.38.1, 1.4.39.1, 1.6.1.21, 1.6.2.15.1,
1.6.2.16.1, 1.8.1.2, 1.8.2.1
Asterisk Business Edition C.3.6.2
Patches
URL Branch
http://downloads.asterisk.org/pub/security/AST-2011-001-1.4.diff 1.4
http://downloads.asterisk.org/pub/security/AST-2011-001-1.6.1.diff 1.6.1
http://downloads.asterisk.org/pub/security/AST-2011-001-1.6.2.diff 1.6.2
http://downloads.asterisk.org/pub/security/AST-2011-001-1.8.diff 1.8
Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security
This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2011-001.pdf and
http://downloads.digium.com/pub/security/AST-2011-001.html
Revision History
Date Editor Revisions Made
2011-01-18 Matthew Nicholson Initial Release
Asterisk Project Security Advisory - AST-2011-001
Copyright (c) 2011 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
Jeff LaCoursiere
2011-Jan-18 16:53 UTC
[asterisk-users] AST-2011-001: Stack buffer overflow in SIP channel driver
On Tue, 18 Jan 2011, Asterisk Security Team wrote:> Asterisk Project Security Advisory - AST-2011-001 > > Product Asterisk > Summary Stack buffer overflow in SIP channel driver > Nature of Advisory Exploitable Stack Buffer Overflow > Susceptibility Remote Authenticated Sessions > Severity Moderate > Exploits Known No > Reported On January 11, 2011 > Reported By Matthew Nicholson > Posted On January 18, 2011 > Last Updated On January 18, 2011 > Advisory Contact Matthew Nicholson <mnicholson at digium.com> > CVE Name > > Description When forming an outgoing SIP request while in pedantic mode, a > stack buffer can be made to overflow if supplied with > carefully crafted caller ID information. This vulnerability > also affects the URIENCODE dialplan function and in some > versions of asterisk, the AGI dialplan application as well. > The ast_uri_encode function does not properly respect the size > of its output buffer and can write past the end of it when > encoding URIs. >Am I correct in assuming this is only exploitable by registered endpoints? Thanks, j
Kevin P. Fleming
2011-Jan-18 17:06 UTC
[asterisk-users] AST-2011-001: Stack buffer overflow in SIP channel driver
On 01/18/2011 10:53 AM, Jeff LaCoursiere wrote:> > > > On Tue, 18 Jan 2011, Asterisk Security Team wrote: > >> Asterisk Project Security Advisory - AST-2011-001 >> >> Product Asterisk >> Summary Stack buffer overflow in SIP channel driver >> Nature of Advisory Exploitable Stack Buffer Overflow >> Susceptibility Remote Authenticated Sessions >> Severity Moderate >> Exploits Known No >> Reported On January 11, 2011 >> Reported By Matthew Nicholson >> Posted On January 18, 2011 >> Last Updated On January 18, 2011 >> Advisory Contact Matthew Nicholson <mnicholson at digium.com> >> CVE Name >> >> Description When forming an outgoing SIP request while in pedantic >> mode, a >> stack buffer can be made to overflow if supplied with >> carefully crafted caller ID information. This vulnerability >> also affects the URIENCODE dialplan function and in some >> versions of asterisk, the AGI dialplan application as well. >> The ast_uri_encode function does not properly respect the size >> of its output buffer and can write past the end of it when >> encoding URIs. >> > > Am I correct in assuming this is only exploitable by registered endpoints?As the advisory says, anyone who can place an authenticated call (if authentication is required) can exploit it. Whether an endpoint is registered or not has nothing to do with whether it can place calls; registration is for delivery of calls to the endpoint. -- Kevin P. Fleming Digium, Inc. | Director of Software Technologies 445 Jan Davis Drive NW - Huntsville, AL 35806 - USA skype: kpfleming | jabber: kfleming at digium.com Check us out at www.digium.com & www.asterisk.org
Marc Leurent
2011-Jan-19 08:14 UTC
[asterisk-users] AST-2011-001: Stack buffer overflow in SIP channel driver
Good morning, I have a simple question, Is this problem would affect also an Asterisk 1.4.38 if "Pedantic SIP support: No" in the Global Signalling Settings For what I understood, no.. Or is it a simple way to postpone upgrade until next planned upgrade. Best Regards Le mardi 18 janvier 2011 17:35:31, Asterisk Security Team a ?crit :> Asterisk Project Security Advisory - AST-2011-001 > > Product Asterisk > Summary Stack buffer overflow in SIP channel driver > Nature of Advisory Exploitable Stack Buffer Overflow > Susceptibility Remote Authenticated Sessions > Severity Moderate > Exploits Known No > Reported On January 11, 2011 > Reported By Matthew Nicholson > Posted On January 18, 2011 > Last Updated On January 18, 2011 > Advisory Contact Matthew Nicholson <mnicholson at digium.com> > CVE Name > > Description When forming an outgoing SIP request while in pedantic mode, a > stack buffer can be made to overflow if supplied with > carefully crafted caller ID information. This vulnerability > also affects the URIENCODE dialplan function and in some > versions of asterisk, the AGI dialplan application as well. > The ast_uri_encode function does not properly respect the size > of its output buffer and can write past the end of it when > encoding URIs. > > Resolution The size of the output buffer passed to the ast_uri_encode > function is now properly respected. > > In asterisk versions not containing the fix for this issue, > limiting strings originating from remote sources that will be > URI encoded to a length of 40 characters will protect against > this vulnerability. > > exten => s,1,Set(CALLERID(num)=${CALLERID(num):0:40}) > exten => s,n,Set(CALLERID(name)=${CALLERID(name):0:40}) > exten => s,n,Dial(SIP/channel) > > The CALLERID(num) and CALLERID(name) channel values, and any > strings passed to the URIENCODE dialplan function should be > limited in this manner. > > Affected Versions > Product Release Series > Asterisk Open Source 1.2.x All versions > Asterisk Open Source 1.4.x All versions > Asterisk Open Source 1.6.x All versions > Asterisk Open Source 1.8.x All versions > Asterisk Business Edition C.x.x All versions > AsteriskNOW 1.5 All versions > s800i (Asterisk Appliance) 1.2.x All versions > > Corrected In > Product Release > Asterisk Open Source 1.4.38.1, 1.4.39.1, 1.6.1.21, 1.6.2.15.1, > 1.6.2.16.1, 1.8.1.2, 1.8.2.1 > Asterisk Business Edition C.3.6.2 > > Patches > URL Branch > http://downloads.asterisk.org/pub/security/AST-2011-001-1.4.diff 1.4 > http://downloads.asterisk.org/pub/security/AST-2011-001-1.6.1.diff 1.6.1 > http://downloads.asterisk.org/pub/security/AST-2011-001-1.6.2.diff 1.6.2 > http://downloads.asterisk.org/pub/security/AST-2011-001-1.8.diff 1.8 > > Asterisk Project Security Advisories are posted at > http://www.asterisk.org/security > > This document may be superseded by later versions; if so, the latest > version will be posted at > http://downloads.digium.com/pub/security/AST-2011-001.pdf and > http://downloads.digium.com/pub/security/AST-2011-001.html > > Revision History > Date Editor Revisions Made > 2011-01-18 Matthew Nicholson Initial Release > > Asterisk Project Security Advisory - AST-2011-001 > Copyright (c) 2011 Digium, Inc. All Rights Reserved. > Permission is hereby granted to distribute and publish this advisory in its > original, unaltered form. > > > -- > _____________________________________________________________________ > -- Bandwidth and Colocation Provided by http://www.api-digital.com -- > New to Asterisk? Join us for a live introductory webinar every Thurs: > http://www.asterisk.org/hello > > asterisk-users mailing list > To UNSUBSCRIBE or update options visit: > http://lists.digium.com/mailman/listinfo/asterisk-users >