Asterisk Project Security Advisory - AST-2008-012 +----------------------------------------------------------------------- -+ | Product | Asterisk | |----------------------+------------------------------------------------ -| | Summary | Remote crash vulnerability in IAX2 | |----------------------+------------------------------------------------ -| | Nature of Advisory | Remote Crash | |----------------------+------------------------------------------------ -| | Susceptibility | Remote Unauthenticated Sessions | |----------------------+------------------------------------------------ -| | Severity | Major | |----------------------+------------------------------------------------ -| | Exploits Known | No | |----------------------+------------------------------------------------ -| | Reported On | November 22, 2008 | |----------------------+------------------------------------------------ -| | Reported By |Jon Leren Scho/pzinsky | |----------------------+------------------------------------------------ -| | Posted On | | |----------------------+------------------------------------------------ -| | Last Updated On | December 9, 2008 | |----------------------+------------------------------------------------ -| | Advisory Contact | Mark Michelson <mmichelson AT digium DOT com> | |----------------------+------------------------------------------------ -| | CVE Name | | +----------------------------------------------------------------------- -+ +----------------------------------------------------------------------- -+ | Description | There is a possibility to remotely crash an Asterisk | | | server if the server is configured to use realtime IAX2 | | | users. The issue occurs if either an unknown user | | | attempts to authenticate or if a user that uses hostname | | | matching attempts to authenticate. | | | | | | The problem was due to a broken function call to | | | Asterisk's realtime configuration API. | +----------------------------------------------------------------------- -+ +----------------------------------------------------------------------- -+ | Resolution | The function calls in question have been fixed. | +----------------------------------------------------------------------- -+ +----------------------------------------------------------------------- -+ | Affected Versions | |----------------------------------------------------------------------- -| | Product | Release Series | | |---------------------------------+----------------+-------------------- -| | Asterisk Open Source | 1.2.x | 1.2.26-1.2.30.3 | |---------------------------------+----------------+-------------------- -| | Asterisk Open Source | 1.4.x | Unaffected | |---------------------------------+----------------+-------------------- -| | Asterisk Open Source | 1.6.x | Unaffected | |---------------------------------+----------------+-------------------- -| | Asterisk Addons | 1.2.x | Unaffected | |---------------------------------+----------------+-------------------- -| | Asterisk Addons | 1.4.x | Unaffected | |---------------------------------+----------------+-------------------- -| | Asterisk Addons | 1.6.x | Unaffected | |---------------------------------+----------------+-------------------- -| | Asterisk Business Edition | A.x.x | Unaffected | |---------------------------------+----------------+-------------------- -| | Asterisk Business Edition | B.x.x | B.2.3.5-B.2.5.5 | |---------------------------------+----------------+-------------------- -| | Asterisk Business Edition | C.x.x | Unaffected | |---------------------------------+----------------+-------------------- -| | AsteriskNOW | 1.5 | Unaffected | |---------------------------------+----------------+-------------------- -| | s800i (Asterisk Appliance) | 1.2.x | Unaffected | +----------------------------------------------------------------------- -+ +----------------------------------------------------------------------- -+ | Corrected In | |----------------------------------------------------------------------- -| | Product | Release | |--------------------------------------------+-------------------------- -| | Asterisk Open Source | 1.2.30.4 | |--------------------------------------------+-------------------------- -| | Asterisk Business Edition | B.2.5.6 | |--------------------------------------------+-------------------------- -| +----------------------------------------------------------------------- -+ +----------------------------------------------------------------------- -+ | Links | | +----------------------------------------------------------------------- -+ +----------------------------------------------------------------------- -+ | Asterisk Project Security Advisories are posted at | | http://www.asterisk.org/security | | | | This document may be superseded by later versions; if so, the latest | | version will be posted at | | http://downloads.digium.com/pub/security/AST-2008-012.pdf and | | http://downloads.digium.com/pub/security/AST-2008-012.html | +----------------------------------------------------------------------- -+ +----------------------------------------------------------------------- -+ | Revision History | |----------------------------------------------------------------------- -| | Date | Editor | Revisions Made | |--------------------+-----------------+-------------------------------- -| | November 23, 2008 | Mark Michelson | Initial draft | |--------------------+-----------------+-------------------------------- -| | December 9, 2008 | Mark Michelson | Added "Corrected In" versions | +----------------------------------------------------------------------- -+ Asterisk Project Security Advisory - AST-2008-012 Copyright (c) 2008 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.