Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:26230
HistoryApr 27, 2011 - 12:00 a.m.

AST-2011-005: File Descriptor Resource Exhaustion

2011-04-2700:00:00
vulners.com
11
           Asterisk Project Security Advisory - AST-2011-005

    Product       Asterisk                                                
    Summary       File Descriptor Resource Exhaustion                     

Nature of Advisory Denial of Service
Susceptibility Remote Unauthenticated TCP Based Sessions (TCP SIP,
Skinny, Asterisk Manager Interface, and HTTP sessions)
Severity Moderate
Exploits Known Yes
Reported On March 18, 2011
Reported By Tzafrir Cohen < tzafrir.cohen AT xorcom DOT com >
Posted On April 21, 2011
Last Updated On April 21, 2011
Advisory Contact Matthew Nicholson <[email protected]>
CVE Name CVE-2011-1507

Description On systems that have the Asterisk Manager Interface, Skinny,
SIP over TCP, or the built in HTTP server enabled, it is
possible for an attacker to open as many connections to
asterisk as he wishes. This will cause Asterisk to run out of
available file descriptors and stop processing any new calls.
Additionally, disk space can be exhausted as Asterisk logs
failures to open new file descriptors.

Resolution Asterisk can now limit the number of unauthenticated
connections to each vulnerable interface and can also limit the
time unauthenticated clients will remain connected for some
interfaces. This will prevent vulnerable interfaces from using
up all available file descriptors. Care should be taken when
setting the connection limits so that the combined total of
allowed unauthenticated sessions from each service is not more
than the file descriptor limit for the Asterisk process. The
file descriptor limit can be checked (and set) using the
"ulimit -n" command for the process' limit and the
"/proc/sys/fs/file-max" file (on Linux) for the system's limit.

          It will still be possible for an attacker to deny service to    
          each of the vulnerable services individually. To mitigate this  
          risk, vulnerable services should be run behind a firewall that  
          can detect and prevent DoS attacks.                             
                                                                          
          In addition to using a firewall to filter traffic, vulnerable   
          systems can be protected by disabling the vulnerable services   
          in their respective configuration files.                        

                           Affected Versions
            Product              Release Series 
     Asterisk Open Source            1.4.x      All versions              
     Asterisk Open Source           1.6.1.x     All versions              
     Asterisk Open Source           1.6.2.x     All versions              
     Asterisk Open Source            1.8.x      All versions              
   Asterisk Business Edition         C.x.x      All versions              

                              Corrected In
          Product                               Release                   
    Asterisk Open Source        1.4.40.1, 1.6.1.25, 1.6.2.17.3, 1.8.3.3   
 Asterisk Business Edition                      C.3.6.4                   

                                Patches                            
                               URL                                 Branch 

http://downloads.asterisk.org/pub/security/AST-2011-005-1.4.diff 1.4
http://downloads.asterisk.org/pub/security/AST-2011-005-1.6.1.diff 1.6.1
http://downloads.asterisk.org/pub/security/AST-2011-005-1.6.2.diff 1.6.2
http://downloads.asterisk.org/pub/security/AST-2011-005-1.8.diff 1.8

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2011-005.pdf and
http://downloads.digium.com/pub/security/AST-2011-005.html

                            Revision History
      Date                 Editor                  Revisions Made         

04/21/11 Matthew Nicholson Initial version

           Asterisk Project Security Advisory - AST-2011-005
          Copyright &#40;c&#41; 2011 Digium, Inc. All Rights Reserved.

Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.

Related for SECURITYVULNS:DOC:26230