Asterisk Project Security Advisory - AST-2008-002 +----------------------------------------------------------------------- -+ | Product | Asterisk | |--------------------+-------------------------------------------------- -| | Summary | Two buffer overflows in RTP Codec Payload | | | Handling | |--------------------+-------------------------------------------------- -| | Nature of Advisory | Exploitable Buffer Overflow | |--------------------+-------------------------------------------------- -| | Susceptibility | Remote Unauthenticated Sessions | |--------------------+-------------------------------------------------- -| | Severity | Critical | |--------------------+-------------------------------------------------- -| | Exploits Known | No | |--------------------+-------------------------------------------------- -| | Reported On | March 11, 2008 | |--------------------+-------------------------------------------------- -| | Reported By | Mu Security Research Team | |--------------------+-------------------------------------------------- -| | Posted On | March 18, 2008 | |--------------------+-------------------------------------------------- -| | Last Updated On | March 18, 2008 | |--------------------+-------------------------------------------------- -| | Advisory Contact | Joshua Colp <jcolp (at) digium (dot) com [email concealed]> | |--------------------+-------------------------------------------------- -| | CVE Name | CVE-2008-1289 | +----------------------------------------------------------------------- -+ +----------------------------------------------------------------------- -+ | Description | Two buffer overflows exist in the RTP payload handling | | | code of Asterisk. Both overflows can be caused by an | | | INVITE or any other SIP packet with SDP. The request may | | | need to be authenticated depending on configuration of | | | the Asterisk installation. | | | | | | The first overflow is caused by sending a payload number | | | that surpasses the programmed maximum payload number of | | | 256. This causes an invalid memory write outside of the | | | buffer. While this does not allow the attacker to write | | | arbitrary data it does allow the attacker to write a 0 | | | to other memory locations. | | | | | | The second overflow is caused by sending more than 32 | | | RTP payloads. This causes a buffer on the stack to | | | overflow allowing the attacker to write values between 0 | | | and 256 (the maximum payload number) to memory locations | | | after the buffer. | +----------------------------------------------------------------------- -+ +----------------------------------------------------------------------- -+ | Resolution | Two fixes have been added to check the provided data to | | | ensure it does not exceed static buffer sizes. | | | | | | When removing internal information regarding an RTP | | | payload the given payload number will now be checked to | | | make sure it does not exceed the maximum acceptable | | | payload number. | | | | | | When reading RTP payloads from SDP a maximum limit of 32 | | | in total will be enforced. Any further RTP payloads will | | | be discarded. | +----------------------------------------------------------------------- -+ +----------------------------------------------------------------------- -+ | Affected Versions | |----------------------------------------------------------------------- -| | Product | Release | | | | Series | | |----------------------------+---------+-------------------------------- -| | Asterisk Open Source | 1.0.x | Unaffected | |----------------------------+---------+-------------------------------- -| | Asterisk Open Source | 1.2.x | Unaffected | |----------------------------+---------+-------------------------------- -| | Asterisk Open Source | 1.4.x | All versions prior to 1.4.18.1 | | | | and 1.4.19-rc3 | |----------------------------+---------+-------------------------------- -| | Asterisk Open Source | 1.6.x | All versions prior to | | | | 1.6.0-beta6 | |----------------------------+---------+-------------------------------- -| | Asterisk Business Edition | A.x.x | Unaffected | |----------------------------+---------+-------------------------------- -| | Asterisk Business Edition | B.x.x | Unaffected | |----------------------------+---------+-------------------------------- -| | Asterisk Business Edition | C.x.x | All versions prior to C.1.6.1 | |----------------------------+---------+-------------------------------- -| | AsteriskNOW | 1.0.x | All versions prior to 1.0.2 | |----------------------------+---------+-------------------------------- -| | Asterisk Appliance | SVN | All versions prior to Asterisk | | Developer Kit | | 1.4 revision 109386 | |----------------------------+---------+-------------------------------- -| | s800i (Asterisk Appliance) | 1.1.x | All versions prior to 1.1.0.2 | +----------------------------------------------------------------------- -+ +----------------------------------------------------------------------- -+ | Corrected In | |----------------------------------------------------------------------- -| | Product | Release | |---------------+------------------------------------------------------- -| | Asterisk Open | 1.4.18.1/1.4.19-rc3/1.6.0-beta6, available from | | Source | http://downloads.digium.com/pub/telephony/asterisk | |---------------+------------------------------------------------------- -| | Asterisk | C.1.6.1 | | Business | | | Edition | | |---------------+------------------------------------------------------- -| | AsteriskNOW | 1.0.2, available from http://www.asterisknow.org/ | | | | | | Current users can update using the system update | | | feature in the appliance control panel. | |---------------+------------------------------------------------------- -| | Asterisk | Asterisk 1.4 revision 109386. Available by performing | | Appliance | an svn update of the AADK tree. | | Developer Kit | | |---------------+------------------------------------------------------- -| | s800i | 1.1.0.2 | | (Asterisk | | | Appliance) | | +----------------------------------------------------------------------- -+ +----------------------------------------------------------------------- -+ | Links | | +----------------------------------------------------------------------- -+ +----------------------------------------------------------------------- -+ | Asterisk Project Security Advisories are posted at | | http://www.asterisk.org/security | | | | This document may be superseded by later versions; if so, the latest | | version will be posted at | | http://downloads.digium.com/pub/security/AST-2008-002.pdf and | | http://downloads.digium.com/pub/security/AST-2008-002.html | +----------------------------------------------------------------------- -+ +----------------------------------------------------------------------- -+ | Revision History | |----------------------------------------------------------------------- -| | Date | Editor | Revisions Made | |------------------+--------------------+------------------------------- -| | 2008-03-18 | Joshua Colp | Initial Release | +----------------------------------------------------------------------- -+ Asterisk Project Security Advisory - AST-2008-002 Copyright (c) 2008 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.