
AST-2009-004: Remote Crash Vulnerability in RTP stack



               Asterisk Project Security Advisory - AST-2009-004

   +------------------------------------------------------------------------+
   |       Product        | Asterisk                                        |
   |----------------------+-------------------------------------------------|
   |       Summary        | Remote Crash Vulnerability in RTP stack         |
   |----------------------+-------------------------------------------------|
   |  Nature of Advisory  | Exploitable Crash                               |
   |----------------------+-------------------------------------------------|
   |    Susceptibility    | Remote unauthenticated sessions                 |
   |----------------------+-------------------------------------------------|
   |       Severity       | Critical                                        |
   |----------------------+-------------------------------------------------|
   |    Exploits Known    | No                                              |
   |----------------------+-------------------------------------------------|
   |     Reported On      | July 27, 2009                                   |
   |----------------------+-------------------------------------------------|
   |     Reported By      | Marcus Hunger                                   |
   |----------------------+-------------------------------------------------|
   |      Posted On       | August 2, 2009                                  |
   |----------------------+-------------------------------------------------|
   |   Last Updated On    | August 2, 2009                                  |
   |----------------------+-------------------------------------------------|
   |   Advisory Contact   | Mark Michelson                                  |
   |----------------------+-------------------------------------------------|
   |       CVE Name       |                                                 |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Description | An attacker can cause Asterisk to crash remotely by      |
   |             | sending malformed RTP text frames. While the attacker    |
   |             | can cause Asterisk to crash, he cannot execute arbitrary |
   |             | remote code with this exploit.                           |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Resolution | Users should upgrade to a version listed in the           |
   |            | "Corrected In" section below.                             |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |            Product            | Release Series |                       |
   |-------------------------------+----------------+-----------------------|
   |     Asterisk Open Source      |     1.2.x      | Unaffected            |
   |-------------------------------+----------------+-----------------------|
   |     Asterisk Open Source      |     1.4.x      | Unaffected            |
   |-------------------------------+----------------+-----------------------|
   |     Asterisk Open Source      |     1.6.x      | All 1.6.1 versions    |
   |-------------------------------+----------------+-----------------------|
   |        Asterisk Addons        |     1.2.x      | Unaffected            |
   |-------------------------------+----------------+-----------------------|
   |        Asterisk Addons        |     1.4.x      | Unaffected            |
   |-------------------------------+----------------+-----------------------|
   |        Asterisk Addons        |     1.6.x      | Unaffected            |
   |-------------------------------+----------------+-----------------------|
   |   Asterisk Business Edition   |     A.x.x      | Unaffected            |
   |-------------------------------+----------------+-----------------------|
   |   Asterisk Business Edition   |     B.x.x      | Unaffected            |
   |-------------------------------+----------------+-----------------------|
   |   Asterisk Business Edition   |     C.x.x      | Unaffected            |
   |-------------------------------+----------------+-----------------------|
   |          AsteriskNOW          |      1.5       | Unaffected            |
   |-------------------------------+----------------+-----------------------|
   |  s800i (Asterisk Appliance)   |     1.2.x      | Unaffected            |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                              Corrected In                              |
   |------------------------------------------------------------------------|
   |                   Product                   |         Release          |
   |---------------------------------------------+--------------------------|
   |         Open Source Asterisk 1.6.1          |         1.6.1.2          |
   |---------------------------------------------+--------------------------|
   +------------------------------------------------------------------------+
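   The two tables above give everything an administrator needs to decide
   whether a given installation is in scope: only the 1.6.1 series is
   affected, and the fix is 1.6.1.2. The following version check is an added
   example, not part of this advisory or of the Asterisk project; the version
   strings it is fed are constructed for illustration, and the treatment of
   pre-release tags (an "-rc" or "-beta" build of 1.6.1.2 is counted as still
   affected) is an assumption made here to err on the safe side.

```python
"""Decide whether an Asterisk version string falls inside the range covered
by AST-2009-004.  Added example, not the advisory's own tooling.

Facts taken from the advisory's tables:
  - Affected:     all releases in the 1.6.1 series
  - Corrected in: 1.6.1.2
  - 1.2.x, 1.4.x and every other listed product/series: unaffected
"""
import re

AFFECTED_SERIES = (1, 6, 1)          # only the 1.6.1 series is listed as affected
FIXED_RELEASE = (1, 6, 1, 2, 0)      # trailing 0 = "not a pre-release"

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)+)")
_PRERELEASE_RE = re.compile(r"-(?:rc|beta|alpha)\d*", re.IGNORECASE)


def parse_version(text):
    """Turn e.g. 'Asterisk 1.6.1.1' or '1.6.1.2-rc1' into a comparable tuple.

    The tuple is padded to four numeric fields, then a fifth field marks
    pre-release builds: 0 for a final release, -1 for rc/beta/alpha, so that
    '1.6.1.2-rc1' sorts *before* '1.6.1.2'.  Treating a pre-release of the
    fixed version as still affected is an assumption of this example.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no version number found in %r" % text)
    fields = tuple(int(p) for p in m.group(1).split("."))
    fields = fields + (0,) * (4 - len(fields))          # '1.6.1' -> 1.6.1.0
    prerelease = -1 if _PRERELEASE_RE.search(text, m.end()) else 0
    return fields[:4] + (prerelease,)


def is_affected(text):
    """True if the version is in the 1.6.1 series and older than 1.6.1.2."""
    v = parse_version(text)
    if v[:3] != AFFECTED_SERIES:
        return False            # other series are listed as unaffected
    return v < FIXED_RELEASE


if __name__ == "__main__":
    # Constructed sample inputs, in the shape 'asterisk -V' prints.
    for sample in ("Asterisk 1.6.1.1", "Asterisk 1.6.1.2",
                   "Asterisk 1.4.26", "Asterisk 1.6.1.2-rc1"):
        print("%-22s affected=%s" % (sample, is_affected(sample)))
```

   Feed it the output of `asterisk -V` (or the banner a monitoring agent
   already collects); anything that returns True should be upgraded to
   1.6.1.2 or have the 1.6.1 patch from the table below applied.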

  +----------------------------------------------------------------------------+
  |                                  Patches                                   |
  |----------------------------------------------------------------------------|
  |                              SVN URL                               |Version|
  |--------------------------------------------------------------------+-------|
  |http://downloads.digium.com/pub/security/AST-2009-004-1.6.1.diff.txt| 1.6.1 |
  |--------------------------------------------------------------------+-------|
  +----------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |        Links        |                                                  |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Asterisk Project Security Advisories are posted at                     |
   | http://www.asterisk.org/security                                       |
   |                                                                        |
   | This document may be superseded by later versions; if so, the latest   |
   | version will be posted at                                              |
   | http://downloads.digium.com/pub/security/AST-2009-004.pdf and          |
   | http://downloads.digium.com/pub/security/AST-2009-004.html             |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                            Revision History                            |
   |------------------------------------------------------------------------|
   |      Date      |     Editor      |           Revisions Made            |
   |----------------+-----------------+-------------------------------------|
   | 27 Jul, 2009   | Mark Michelson  | Initial Draft                       |
   |----------------+-----------------+-------------------------------------|
   | 31 Jul, 2009   | Mark Michelson  | Added sentence about how remote     |
   |                |                 | code cannot be executed.            |
   |----------------+-----------------+-------------------------------------|
   | August 2, 2009 | Tilghman Lesher | Public release                      |
   +------------------------------------------------------------------------+

               Asterisk Project Security Advisory - AST-2009-004
              Copyright (c) 2009 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

