Tzafrir Cohen
2012-Jan-20 11:25 UTC
[Secure-testing-team] Bug#656596: asterisk: SRTP Video Remote Crash Vulnerability
Package: asterisk
Version: 1:1.8.8.0~dfsg-1
Severity: grave
Tags: security patch upstream
Justification: causes non-serious data loss

http://downloads.asterisk.org/pub/security/AST-2012-001.html

(No CVE set yet, AFAIK)

An attacker attempting to negotiate a secure video stream can crash Asterisk if video support has not been enabled and the res_srtp Asterisk module is loaded.

I am not aware of any exploits to the issue. It requires the remote user to be permitted to connect to the system but certain systems may also allow guests.

No effect on the version in Squeeze, as Asterisk did not have SRTP support before 1.8 and Squeeze uses 1.6.2.

--
Tzafrir Cohen           | tzafrir at jabber.org | VIM is
http://tzafrir.org.il   |                      | a Mutt's
tzafrir at cohens.org.il |                      | best
tzafrir at debian.org    |                      | friend