Asterisk Project Security Advisory - AST-2009-004
+-----------------------------------------------------------------------+
| Product              | Asterisk                                       |
|----------------------+------------------------------------------------|
| Summary              | Remote Crash Vulnerability in RTP stack        |
|----------------------+------------------------------------------------|
| Nature of Advisory   | Exploitable Crash                              |
|----------------------+------------------------------------------------|
| Susceptibility       | Remote unauthenticated sessions                |
|----------------------+------------------------------------------------|
| Severity             | Critical                                       |
|----------------------+------------------------------------------------|
| Exploits Known       | No                                             |
|----------------------+------------------------------------------------|
| Reported On          | July 27, 2009                                  |
|----------------------+------------------------------------------------|
| Reported By          | Marcus Hunger <hunger AT sipgate DOT de>       |
|----------------------+------------------------------------------------|
| Posted On            | August 2, 2009                                 |
|----------------------+------------------------------------------------|
| Last Updated On      | August 2, 2009                                 |
|----------------------+------------------------------------------------|
| Advisory Contact     | Mark Michelson <mmichelson AT digium DOT com>  |
|----------------------+------------------------------------------------|
| CVE Name             |                                                |
+-----------------------------------------------------------------------+
+-----------------------------------------------------------------------+
| Description | An attacker can cause Asterisk to crash remotely by     |
|             | sending malformed RTP text frames. While the attacker   |
|             | can cause Asterisk to crash, he cannot execute arbitrary|
|             | remote code with this exploit.                          |
+-----------------------------------------------------------------------+
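The description above states only that malformed RTP text frames crash the stack. From the defender's side, the failure class behind such a report is an RTP parser that trusts the length fields of an incoming packet. The following is an added example, not Asterisk's code and not the patch linked below: a bounds-checked RTP header parser in C that validates every length-bearing field of an RFC 3550 packet (fixed header, CSRC count, header extension, padding) before the payload is handed to a text (T.140, RFC 4103) handler. The function names, the verdict enum, the assumed SDP-negotiated payload type 98 and the sample packets are all constructed for this illustration.

```c
/* Added example (not Asterisk code): bounds-checked RTP parsing for a
 * text (T.140) stream. Every length field is checked against the actual
 * buffer length so a truncated or inconsistent frame is rejected with a
 * verdict instead of being read past the end of the buffer. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum rtp_verdict {
    RTP_OK = 0,
    RTP_TOO_SHORT,     /* fewer than the 12 fixed header bytes */
    RTP_BAD_VERSION,   /* version field is not 2 */
    RTP_BAD_CSRC,      /* CSRC count claims more bytes than the packet has */
    RTP_BAD_EXT,       /* header extension runs past the end of the packet */
    RTP_BAD_PADDING,   /* pad count is zero or larger than the payload */
    RTP_BAD_PT         /* payload type is not the negotiated text type */
};

struct rtp_text_frame {
    uint16_t seq;
    uint32_t timestamp;
    const uint8_t *text;  /* points into the caller's buffer */
    size_t text_len;      /* may be 0: RFC 4103 permits empty T.140 blocks */
};

/* expected_pt is the dynamic payload type negotiated in SDP for text/t140
 * (hypothetical value 98 in the samples below). */
enum rtp_verdict rtp_parse_text_frame(const uint8_t *pkt, size_t len,
                                      uint8_t expected_pt,
                                      struct rtp_text_frame *out)
{
    size_t hdr = 12;
    if (len < hdr)
        return RTP_TOO_SHORT;
    if ((pkt[0] >> 6) != 2)
        return RTP_BAD_VERSION;

    int has_padding = pkt[0] & 0x20;
    int has_ext = pkt[0] & 0x10;
    unsigned cc = pkt[0] & 0x0f;

    /* Each CSRC identifier is 4 bytes; verify before trusting the count. */
    hdr += 4u * cc;
    if (len < hdr)
        return RTP_BAD_CSRC;

    if (has_ext) {
        /* Extension header: 2 bytes profile, 2 bytes length in 32-bit words. */
        if (len < hdr + 4)
            return RTP_BAD_EXT;
        size_t ext_words = ((size_t)pkt[hdr + 2] << 8) | pkt[hdr + 3];
        hdr += 4 + 4 * ext_words;
        if (len < hdr)
            return RTP_BAD_EXT;
    }

    size_t end = len;
    if (has_padding) {
        /* The last byte holds the pad count, which includes itself. */
        size_t pad = pkt[len - 1];
        if (pad == 0 || pad > len - hdr)
            return RTP_BAD_PADDING;
        end = len - pad;
    }

    if ((pkt[1] & 0x7f) != expected_pt)
        return RTP_BAD_PT;

    out->seq = (uint16_t)((pkt[2] << 8) | pkt[3]);
    out->timestamp = ((uint32_t)pkt[4] << 24) | ((uint32_t)pkt[5] << 16) |
                     ((uint32_t)pkt[6] << 8) | pkt[7];
    out->text = pkt + hdr;
    out->text_len = end - hdr;
    return RTP_OK;
}

/* Convenience wrappers so a caller can ask for just the verdict or length. */
int verdict_of(const uint8_t *pkt, size_t len)
{
    struct rtp_text_frame f;
    return (int)rtp_parse_text_frame(pkt, len, 98, &f);
}

size_t text_len_of(const uint8_t *pkt, size_t len)
{
    struct rtp_text_frame f;
    return rtp_parse_text_frame(pkt, len, 98, &f) == RTP_OK ? f.text_len : 0;
}

/* Constructed sample packets (not captured traffic). Header: V=2, PT=98,
 * seq, timestamp 800, SSRC 0xdeadbeef, then the T.140 payload "hi". */
static const uint8_t good_pkt[] = {
    0x80, 0x62, 0x00, 0x01, 0x00, 0x00, 0x03, 0x20,
    0xde, 0xad, 0xbe, 0xef, 'h', 'i'
};
/* CC=3 advertises 12 bytes of CSRCs, but nothing follows the fixed header. */
static const uint8_t short_csrc_pkt[] = {
    0x83, 0x62, 0x00, 0x02, 0x00, 0x00, 0x03, 0x20,
    0xde, 0xad, 0xbe, 0xef
};
/* Padding bit set with a pad count (0x10) larger than the 2-byte payload. */
static const uint8_t bad_pad_pkt[] = {
    0xa0, 0x62, 0x00, 0x03, 0x00, 0x00, 0x03, 0x20,
    0xde, 0xad, 0xbe, 0xef, 'h', 0x10
};

int main(void)
{
    printf("good packet: verdict %d, text_len %zu\n",
           verdict_of(good_pkt, sizeof(good_pkt)), text_len_of(good_pkt, sizeof(good_pkt)));
    printf("short CSRC:  verdict %d\n", verdict_of(short_csrc_pkt, sizeof(short_csrc_pkt)));
    printf("bad padding: verdict %d\n", verdict_of(bad_pad_pkt, sizeof(bad_pad_pkt)));
    return 0;
}
```

The point of the design is that the parser never dereferences a byte it has not first proved to lie inside `len`, and it rejects rather than "repairs" a frame whose fields contradict its length; a handler that receives `RTP_OK` can then process `text` for exactly `text_len` bytes without further checks.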
+-----------------------------------------------------------------------+
| Resolution  | Users should upgrade to a version listed in the         |
|             | "Corrected In" section below.                           |
+-----------------------------------------------------------------------+
+-----------------------------------------------------------------------+
| Affected Versions                                                     |
|-----------------------------------------------------------------------|
| Product                       |               |                       |
|-------------------------------+---------------+-----------------------|
| Asterisk Open Source          |               |                       |
|-------------------------------+---------------+-----------------------|
| Asterisk Open Source          |               |                       |
|-------------------------------+---------------+-----------------------|
| Asterisk Open Source          |               |                       |
|-------------------------------+---------------+-----------------------|
| Asterisk Addons               |               |                       |
|-------------------------------+---------------+-----------------------|
| Asterisk Addons               |               |                       |
|-------------------------------+---------------+-----------------------|
| Asterisk Addons               |               |                       |
|-------------------------------+---------------+-----------------------|
| Asterisk Business Edition     |               |                       |
|-------------------------------+---------------+-----------------------|
| Asterisk Business Edition     |               |                       |
|-------------------------------+---------------+-----------------------|
| Asterisk Business Edition     |               |                       |
|-------------------------------+---------------+-----------------------|
| AsteriskNOW                   |               |                       |
|-------------------------------+---------------+-----------------------|
| s800i (Asterisk Appliance)    |               |                       |
+-----------------------------------------------------------------------+
+-----------------------------------------------------------------------+
| Corrected In                                                          |
|-----------------------------------------------------------------------|
| Product                                     |                         |
|---------------------------------------------+-------------------------|
| Open Source Asterisk 1.6.1                  |                         |
+-----------------------------------------------------------------------+
+---------------------------------------------------------------------------+
| Patches                                                                   |
|---------------------------------------------------------------------------|
| SVN URL                                                             |     |
|---------------------------------------------------------------------+-----|
| http://downloads.digium.com/pub/security/AST-2009-004-1.6.1.diff.txt|     |
+---------------------------------------------------------------------------+
+-----------------------------------------------------------------------+
| Links                |                                                |
+-----------------------------------------------------------------------+
+-----------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at                    |
| http://www.asterisk.org/security                                      |
|                                                                       |
| This document may be superseded by later versions; if so, the latest  |
| version will be posted at                                             |
| http://downloads.digium.com/pub/security/AST-2009-004.pdf and         |
| http://downloads.digium.com/pub/security/AST-2009-004.html            |
+-----------------------------------------------------------------------+
+-----------------------------------------------------------------------+
| Revision History                                                      |
|-----------------------------------------------------------------------|
| Date           |                |                                     |
|----------------+----------------+-------------------------------------|
| 27 Jul, 2009   |                |                                     |
|----------------+----------------+-------------------------------------|
| 31 Jul, 2009   |                |                                     |
|----------------+----------------+-------------------------------------|
| August 2, 2009 |                |                                     |
+-----------------------------------------------------------------------+
Copyright (c) 2009 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.