Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:21018
HistoryDec 14, 2008 - 12:00 a.m.

AST-2008-012: Remote crash vulnerability in IAX2

2008-12-1400:00:00
vulners.com
11
           Asterisk Project Security Advisory - AST-2008-012

±-----------------------------------------------------------------------+
| Product | Asterisk |
|----------------------±------------------------------------------------|
| Summary | Remote crash vulnerability in IAX2 |
|----------------------±------------------------------------------------|
| Nature of Advisory | Remote Crash |
|----------------------±------------------------------------------------|
| Susceptibility | Remote Unauthenticated Sessions |
|----------------------±------------------------------------------------|
| Severity | Major |
|----------------------±------------------------------------------------|
| Exploits Known | No |
|----------------------±------------------------------------------------|
| Reported On | November 22, 2008 |
|----------------------±------------------------------------------------|
| Reported By |Jon Leren Scho/pzinsky |
|----------------------±------------------------------------------------|
| Posted On | |
|----------------------±------------------------------------------------|
| Last Updated On | December 9, 2008 |
|----------------------±------------------------------------------------|
| Advisory Contact | Mark Michelson <mmichelson AT digium DOT com> |
|----------------------±------------------------------------------------|
| CVE Name | |
±-----------------------------------------------------------------------+

±-----------------------------------------------------------------------+
| Description | There is a possibility to remotely crash an Asterisk |
| | server if the server is configured to use realtime IAX2 |
| | users. The issue occurs if either an unknown user |
| | attempts to authenticate or if a user that uses hostname |
| | matching attempts to authenticate. |
| | |
| | The problem was due to a broken function call to |
| | Asterisk's realtime configuration API. |
±-----------------------------------------------------------------------+

±-----------------------------------------------------------------------+
| Resolution | The function calls in question have been fixed. |
±-----------------------------------------------------------------------+

±-----------------------------------------------------------------------+

Affected Versions
Product
---------------------------------±---------------±--------------------
Asterisk Open Source
---------------------------------±---------------±--------------------
Asterisk Open Source
---------------------------------±---------------±--------------------
Asterisk Open Source
---------------------------------±---------------±--------------------
Asterisk Addons
---------------------------------±---------------±--------------------
Asterisk Addons
---------------------------------±---------------±--------------------
Asterisk Addons
---------------------------------±---------------±--------------------
Asterisk Business Edition
---------------------------------±---------------±--------------------
Asterisk Business Edition
---------------------------------±---------------±--------------------
Asterisk Business Edition
---------------------------------±---------------±--------------------
AsteriskNOW
---------------------------------±---------------±--------------------
s800i (Asterisk Appliance)
±-----------------------------------------------------------------------+

±-----------------------------------------------------------------------+

Corrected In
Product
--------------------------------------------±--------------------------
Asterisk Open Source
--------------------------------------------±--------------------------
Asterisk Business Edition
--------------------------------------------±--------------------------
±-----------------------------------------------------------------------+

±-----------------------------------------------------------------------+
| Links | |
±-----------------------------------------------------------------------+

±-----------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://downloads.digium.com/pub/security/AST-2008-012.pdf and |
| http://downloads.digium.com/pub/security/AST-2008-012.html |
±-----------------------------------------------------------------------+

±-----------------------------------------------------------------------+

Revision History
Date
--------------------±----------------±--------------------------------
November 23, 2008
--------------------±----------------±--------------------------------
December 9, 2008
±-----------------------------------------------------------------------+
           Asterisk Project Security Advisory - AST-2008-012
          Copyright &#40;c&#41; 2008 Digium, Inc. All Rights Reserved.

Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.