bugtraq June 2008 archive

AST-2008-008: Remote Crash Vulnerability in SIP channel driver when run in pedantic mode

From: Asterisk Security Team <security_at_nospam>
Date: Tue Jun 03 2008 - 19:53:24 GMT
To: bugtraq@securityfocus.com

               Asterisk Project Security Advisory - AST-2008-008

+------------------------------------------------------------------------+
| Product            | Asterisk                                          |
|--------------------+---------------------------------------------------|
| Summary            | Remote Crash Vulnerability in SIP channel driver  |
|                    | when run in pedantic mode                         |
|--------------------+---------------------------------------------------|
| Nature of Advisory | Denial of Service                                 |
|--------------------+---------------------------------------------------|
| Susceptibility     | Remote Unauthenticated Sessions                   |
|--------------------+---------------------------------------------------|
| Severity           | Critical                                          |
|--------------------+---------------------------------------------------|
| Exploits Known     | No                                                |
|--------------------+---------------------------------------------------|
| Reported On        | May 8, 2008                                       |
|--------------------+---------------------------------------------------|
| Reported By        | Hooi Ng (bugs.digium.com user hooi)               |
|--------------------+---------------------------------------------------|
| Posted On          | May 8, 2008                                       |
|--------------------+---------------------------------------------------|
| Last Updated On    | June 3, 2008                                      |
|--------------------+---------------------------------------------------|
| Advisory Contact   | Joshua Colp <jcolp@digium.com>                    |
|--------------------+---------------------------------------------------|
| CVE Name           | CVE-2008-2119                                     |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Description | During pedantic SIP processing the From header value is  |
|             | passed to the ast_uri_decode function to be decoded. In  |
|             | two instances it is possible for the code to cause a     |
|             | crash as the From header value is not checked to be      |
|             | non-NULL before being passed to the function.            |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Resolution | The From header value is now copied into a buffer before  |
|            | being passed to the ast_uri_decode function if pedantic   |
|            | is enabled and in another instance it is checked to be    |
|            | non-NULL before being passed.                             |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
|                           Affected Versions                            |
|------------------------------------------------------------------------|
| Product                       | Release    |                           |
|                               | Series     |                           |
|-------------------------------+------------+---------------------------|
| Asterisk Open Source          | 1.0.x      | All versions              |
|-------------------------------+------------+---------------------------|
| Asterisk Open Source          | 1.2.x      | All versions prior to     |
|                               |            | 1.2.29                    |
|-------------------------------+------------+---------------------------|
| Asterisk Open Source          | 1.4.x      | Not Affected              |
|-------------------------------+------------+---------------------------|
| Asterisk Business Edition     | A.x.x      | All versions              |
|-------------------------------+------------+---------------------------|
| Asterisk Business Edition     | B.x.x      | All versions prior to     |
|                               |            | B.2.5.3                   |
|-------------------------------+------------+---------------------------|
| Asterisk Business Edition     | C.x.x      | Not Affected              |
|-------------------------------+------------+---------------------------|
| AsteriskNOW                   | 1.0.x      | Not Affected              |
|-------------------------------+------------+---------------------------|
| Asterisk Appliance Developer  | 0.x.x      | Not Affected              |
| Kit                           |            |                           |
|-------------------------------+------------+---------------------------|
| s800i (Asterisk Appliance)    | 1.0.x      | Not Affected              |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
|                              Corrected In                              |
|------------------------------------------------------------------------|
| Product       | Release                                                |
|---------------+--------------------------------------------------------|
| Asterisk Open | 1.2.29, available from                                 |
| Source        | http://downloads.digium.com/pub/telephony/asterisk     |
|---------------+--------------------------------------------------------|
| Asterisk      | B.2.5.3                                                |
| Business      |                                                        |
| Edition       |                                                        |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Links | http://bugs.digium.com/view.php?id=12607 |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at                     |
| http://www.asterisk.org/security                                       |
|                                                                        |
| This document may be superseded by later versions; if so, the latest   |
| version will be posted at                                              |
| http://downloads.digium.com/pub/security/AST-2008-008.pdf and          |
| http://downloads.digium.com/pub/security/AST-2008-008.html             |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
|                            Revision History                            |
|------------------------------------------------------------------------|
| Date             | Editor             | Revisions Made                 |
|------------------+--------------------+--------------------------------|
| 2008-06-03       | Joshua Colp        | Initial Release                |
+------------------------------------------------------------------------+

Asterisk Project Security Advisory - AST-2008-008
Copyright (c) 2008 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
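
The pattern in the Description and Resolution above, as an added example that is not part of the advisory and is not Asterisk source code: a header lookup that can return NULL, feeding an in-place URI decoder, with the guard and bounded copy the Resolution describes. The names `uri_decode_inplace`, `get_header` and `decoded_from` and the sample header line are hypothetical and constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Hypothetical in-place percent-decoder; a NULL argument would crash it. */
static void uri_decode_inplace(char *s)
{
    char *out = s;
    for (; *s; s++, out++) {
        *out = *s;
        if (s[0] == '%' && isxdigit((unsigned char)s[1]) && isxdigit((unsigned char)s[2])) {
            char hex[3] = { s[1], s[2], '\0' };
            *out = (char)strtol(hex, NULL, 16);
            s += 2;
        }
    }
    *out = '\0';
}
/* Hypothetical lookup over header lines; returns NULL when absent. */
static const char *get_header(const char *const *hdrs, size_t n, const char *name)
{
    size_t len = strlen(name);
    for (size_t i = 0; i < n; i++)
        if (!strncasecmp(hdrs[i], name, len) && hdrs[i][len] == ':')
            return hdrs[i] + len + 1 + strspn(hdrs[i] + len + 1, " ");
    return NULL;
}
/* Unguarded 'before': uri_decode_inplace((char *)get_header(h, n, "From"));
 * Guarded form: reject NULL, copy to a bounded buffer, decode only the copy. */
static int decoded_from(const char *const *hdrs, size_t n, int pedantic,
                        char *buf, size_t buflen)
{
    const char *from = get_header(hdrs, n, "From");
    if (!from || buflen == 0)
        return -1;                 /* header missing: nothing to decode */
    snprintf(buf, buflen, "%s", from);
    if (pedantic)
        uri_decode_inplace(buf);
    return 0;
}

int main(void)
{
    const char *no_from[] = { "Via: SIP/2.0/UDP host.example" }; /* constructed */
    char buf[64];
    return decoded_from(no_from, 1, 1, buf, sizeof buf) == -1 ? 0 : 1;
}
```

Decoding a private copy also keeps the original header text intact for any later code that needs the undecoded value.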