TUCoPS :: Asterisk :: va2065.htm

IAX2 Remote crash vulnerability in IAX2
AST-2008-012: Remote crash vulnerability in IAX2
AST-2008-012: Remote crash vulnerability in IAX2


               Asterisk Project Security Advisory - AST-2008-012

   +------------------------------------------------------------------------+
   |       Product        | Asterisk                                        |
   |----------------------+-------------------------------------------------|
   |       Summary        | Remote crash vulnerability in IAX2              |
   |----------------------+-------------------------------------------------|
   |  Nature of Advisory  | Remote Crash                                    |
   |----------------------+-------------------------------------------------|
   |    Susceptibility    | Remote Unauthenticated Sessions                 |
   |----------------------+-------------------------------------------------|
   |       Severity       | Major                                           |
   |----------------------+-------------------------------------------------|
   |    Exploits Known    | No                                              |
   |----------------------+-------------------------------------------------|
   |     Reported On      | November 22, 2008                               |
   |----------------------+-------------------------------------------------|
   |     Reported By      |Jon Leren Scho/pzinsky                           |
   |----------------------+-------------------------------------------------|
   |      Posted On       |                                                 |
   |----------------------+-------------------------------------------------|
   |   Last Updated On    | December 9, 2008                                |
   |----------------------+-------------------------------------------------|
   |   Advisory Contact   | Mark Michelson    |
   |----------------------+-------------------------------------------------|
   |       CVE Name       |                                                 |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Description | There is a possibility to remotely crash an Asterisk     |
   |             | server if the server is configured to use realtime IAX2  |
   |             | users. The issue occurs if either an unknown user        |
   |             | attempts to authenticate or if a user that uses hostname |
   |             | matching attempts to authenticate.                       |
   |             |                                                          |
   |             | The problem was due to a broken function call to         |
   |             | Asterisk's realtime configuration API.                   |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |   Resolution    | The function calls in question have been fixed.      |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |             Product             | Release Series |                     |
   |---------------------------------+----------------+---------------------|
   |      Asterisk Open Source       |     1.2.x      | 1.2.26-1.2.30.3     |
   |---------------------------------+----------------+---------------------|
   |      Asterisk Open Source       |     1.4.x      | Unaffected          |
   |---------------------------------+----------------+---------------------|
   |      Asterisk Open Source       |     1.6.x      | Unaffected          |
   |---------------------------------+----------------+---------------------|
   |         Asterisk Addons         |     1.2.x      | Unaffected          |
   |---------------------------------+----------------+---------------------|
   |         Asterisk Addons         |     1.4.x      | Unaffected          |
   |---------------------------------+----------------+---------------------|
   |         Asterisk Addons         |     1.6.x      | Unaffected          |
   |---------------------------------+----------------+---------------------|
   |    Asterisk Business Edition    |     A.x.x      | Unaffected          |
   |---------------------------------+----------------+---------------------|
   |    Asterisk Business Edition    |     B.x.x      | B.2.3.5-B.2.5.5     |
   |---------------------------------+----------------+---------------------|
   |    Asterisk Business Edition    |     C.x.x      | Unaffected          |
   |---------------------------------+----------------+---------------------|
   |           AsteriskNOW           |      1.5       | Unaffected          |
   |---------------------------------+----------------+---------------------|
   |   s800i (Asterisk Appliance)    |     1.2.x      | Unaffected          |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                              Corrected In                              |
   |------------------------------------------------------------------------|
   |                  Product                   |          Release          |
   |--------------------------------------------+---------------------------|
   |            Asterisk Open Source            |         1.2.30.4          |
   |--------------------------------------------+---------------------------|
   |         Asterisk Business Edition          |          B.2.5.6          |
   |--------------------------------------------+---------------------------|
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |        Links        |                                                  |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Asterisk Project Security Advisories are posted at                     |
| http://www.asterisk.org/security | 
   |                                                                        |
   | This document may be superseded by later versions; if so, the latest   |
   | version will be posted at                                              |
| http://downloads.digium.com/pub/security/AST-2008-012.pdf and | 
| http://downloads.digium.com/pub/security/AST-2008-012.html | 
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                            Revision History                            |
   |------------------------------------------------------------------------|
   |        Date        |     Editor      |         Revisions Made          |
   |--------------------+-----------------+---------------------------------|
   | November 23, 2008  | Mark Michelson  | Initial draft                   |
   |--------------------+-----------------+---------------------------------|
   | December 9, 2008   | Mark Michelson  | Added "Corrected In" versions   |
   +------------------------------------------------------------------------+

               Asterisk Project Security Advisory - AST-2008-012
              Copyright (c) 2008 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH