AST-2012-009: Skinny Channel Driver Remote Crash Vulnerability

           Asterisk Project Security Advisory - AST-2012-009

      Product         Asterisk                                            
      Summary         Skinny Channel Driver Remote Crash Vulnerability    
 Nature of Advisory   Denial of Service                                   
   Susceptibility     Remote authenticated sessions                       
      Severity        Minor                                               
   Exploits Known     No                                                  
    Reported On       May 30, 2012                                        
    Reported By       Christoph Hebeisen, TELUS Security Labs             
     Posted On        June 14, 2012                                       
  Last Updated On     June 14, 2012                                       
  Advisory Contact    Matt Jordan < mjordan AT digium DOT com >           
      CVE Name        CVE-2012-3553                                       

Description  AST-2012-008 previously dealt with a denial of service       
             attack exploitable in the Skinny channel driver that         
             occurred when certain messages are sent after a previously   
             registered station sends an Off Hook message. Unresolved in  
             that patch is an issue in the Asterisk 10 releases,          
             wherein, if a Station Key Pad Button Message is processed    
             after an Off Hook message, the channel driver will           
             inappropriately dereference a Null pointer.                  
                                                                          
             Similar to AST-2012-008, a remote attacker with a valid      
             SCCP ID can can use this vulnerability by closing a          
             connection to the Asterisk server when a station is in the   
             "Off Hook" call state and crash the server.                  

Resolution  The presence of a device for a line is now checked in the     
            appropriate channel callbacks, preventing the crash.          

                           Affected Versions
            Product              Release Series  
     Asterisk Open Source             10.x       All Versions             

                              Corrected In  
                 Product                              Release             
           Asterisk Open Source                        10.5.1             

                                Patches                        
                           SVN URL                              Revision  

http://downloads.asterisk.org/pub/security/AST-2012-009-10.diff v10

   Links     https://issues.asterisk.org/jira/browse/ASTERISK-19905       

Asterisk Project Security Advisories are posted at                        
http://www.asterisk.org/security                                          
                                                                          
This document may be superseded by later versions; if so, the latest      
version will be posted at                                                 
http://downloads.digium.com/pub/security/AST-2012-009.pdf and             
http://downloads.digium.com/pub/security/AST-2012-009.html                

                            Revision History
      Date                  Editor                 Revisions Made         
06/14/2012         Matt Jordan               Initial Release              

           Asterisk Project Security Advisory - AST-2012-009
          Copyright (c) 2012 Digium, Inc. All Rights Reserved.

Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.