Asterisk Project Security Advisory - AST-2008-012
±-----------------------------------------------------------------------+
| Product | Asterisk |
|----------------------±------------------------------------------------|
| Summary | Remote crash vulnerability in IAX2 |
|----------------------±------------------------------------------------|
| Nature of Advisory | Remote Crash |
|----------------------±------------------------------------------------|
| Susceptibility | Remote Unauthenticated Sessions |
|----------------------±------------------------------------------------|
| Severity | Major |
|----------------------±------------------------------------------------|
| Exploits Known | No |
|----------------------±------------------------------------------------|
| Reported On | November 22, 2008 |
|----------------------±------------------------------------------------|
| Reported By |Jon Leren Scho/pzinsky |
|----------------------±------------------------------------------------|
| Posted On | |
|----------------------±------------------------------------------------|
| Last Updated On | December 9, 2008 |
|----------------------±------------------------------------------------|
| Advisory Contact | Mark Michelson <mmichelson AT digium DOT com> |
|----------------------±------------------------------------------------|
| CVE Name | |
±-----------------------------------------------------------------------+
±-----------------------------------------------------------------------+
| Description | There is a possibility to remotely crash an Asterisk |
| | server if the server is configured to use realtime IAX2 |
| | users. The issue occurs if either an unknown user |
| | attempts to authenticate or if a user that uses hostname |
| | matching attempts to authenticate. |
| | |
| | The problem was due to a broken function call to |
| | Asterisk's realtime configuration API. |
±-----------------------------------------------------------------------+
±-----------------------------------------------------------------------+
| Resolution | The function calls in question have been fixed. |
±-----------------------------------------------------------------------+
±-----------------------------------------------------------------------+
Affected Versions |
---|
Product |
---------------------------------±---------------±-------------------- |
Asterisk Open Source |
---------------------------------±---------------±-------------------- |
Asterisk Open Source |
---------------------------------±---------------±-------------------- |
Asterisk Open Source |
---------------------------------±---------------±-------------------- |
Asterisk Addons |
---------------------------------±---------------±-------------------- |
Asterisk Addons |
---------------------------------±---------------±-------------------- |
Asterisk Addons |
---------------------------------±---------------±-------------------- |
Asterisk Business Edition |
---------------------------------±---------------±-------------------- |
Asterisk Business Edition |
---------------------------------±---------------±-------------------- |
Asterisk Business Edition |
---------------------------------±---------------±-------------------- |
AsteriskNOW |
---------------------------------±---------------±-------------------- |
s800i (Asterisk Appliance) |
±-----------------------------------------------------------------------+ |
±-----------------------------------------------------------------------+
Corrected In |
---|
Product |
--------------------------------------------±-------------------------- |
Asterisk Open Source |
--------------------------------------------±-------------------------- |
Asterisk Business Edition |
--------------------------------------------±-------------------------- |
±-----------------------------------------------------------------------+ |
±-----------------------------------------------------------------------+
| Links | |
±-----------------------------------------------------------------------+
±-----------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://downloads.digium.com/pub/security/AST-2008-012.pdf and |
| http://downloads.digium.com/pub/security/AST-2008-012.html |
±-----------------------------------------------------------------------+
±-----------------------------------------------------------------------+
Revision History |
---|
Date |
--------------------±----------------±-------------------------------- |
November 23, 2008 |
--------------------±----------------±-------------------------------- |
December 9, 2008 |
±-----------------------------------------------------------------------+ |
Asterisk Project Security Advisory - AST-2008-012
Copyright (c) 2008 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.