AST-2009-005: Remote Crash Vulnerability in SIP channel driver

2009.08.14
Credit: Asterisk Security Team
Risk: High
Local: No
Remote: Yes
CVE: CVE-2009-2726
CWE: CWE-399


CVSS Base Score: 7.8/10
Impact Subscore: 6.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: None
Integrity impact: None
Availability impact: Complete

Asterisk Project Security Advisory - AST-2009-005 +----------------------------------------------------------------------- -+ | Product | Asterisk | |---------------------+------------------------------------------------- -| | Summary | Remote Crash Vulnerability in SIP channel driver | |---------------------+------------------------------------------------- -| | Nature of Advisory | Denial of Service | |---------------------+------------------------------------------------- -| | Susceptibility | Remote Unauthenticated Sessions | |---------------------+------------------------------------------------- -| | Severity | Critical in 1.6.1; minor in lesser versions | |---------------------+------------------------------------------------- -| | Exploits Known | No | |---------------------+------------------------------------------------- -| | Reported On | July 28, 2009 | |---------------------+------------------------------------------------- -| | Reported By | Nick Baggott < nbaggott AT mudynamics DOT com > | |---------------------+------------------------------------------------- -| | Posted On | August 10, 2009 | |---------------------+------------------------------------------------- -| | Last Updated On | August 10, 2009 | |---------------------+------------------------------------------------- -| | Advisory Contact | Tilghman Lesher < tlesher AT digium DOT com > | |---------------------+------------------------------------------------- -| | CVE Name | CVE-2009-2726 | +----------------------------------------------------------------------- -+ +----------------------------------------------------------------------- -+ | Description | On certain implementations of libc, the scanf family of | | | functions uses an unbounded amount of stack memory to | | | repeatedly allocate string buffers prior to conversion | | | to the target type. Coupled with Asterisk's allocation | | | of thread stack sizes that are smaller than the default, | | | an attacker may exhaust stack memory in the SIP stack | | | network thread by presenting excessively long numeric | | | strings in various fields. | | | | | | Note that while this potential vulnerability has existed | | | in Asterisk for a very long time, it is only potentially | | | exploitable in 1.6.1 and above, since those versions are | | | the first that have allowed SIP packets to exceed 1500 | | | bytes total, which does not permit strings that are | | | large enough to crash Asterisk. (The number strings | | | presented to us by the security researcher were | | | approximately 32,000 bytes long.) | | | | | | Additionally note that while this can crash Asterisk, | | | execution of arbitrary code is not possible with this | | | vector. | +----------------------------------------------------------------------- -+ +----------------------------------------------------------------------- -+ | Resolution | Upgrade Asterisk to one of the releases listed below. | +----------------------------------------------------------------------- -+ +----------------------------------------------------------------------- -+ | Affected Versions | |----------------------------------------------------------------------- -| | Product | Release | | | | Series | | |----------------------------+------------+----------------------------- -| | Asterisk Open Source | 1.2.x | All versions prior to 1.2.34 | |----------------------------+------------+----------------------------- -| | Asterisk Open Source | 1.4.x | All versions prior to | | | | 1.4.26.1 | |----------------------------+------------+----------------------------- -| | Asterisk Open Source | 1.6.0.x | All versions prior to | | | | 1.6.0.12 | |----------------------------+------------+----------------------------- -| | Asterisk Open Source | 1.6.1.x | All versions prior to | | | | 1.6.1.4 | |----------------------------+------------+----------------------------- -| | Asterisk Addons | 1.2.x | Not affected | |----------------------------+------------+----------------------------- -| | Asterisk Addons | 1.4.x | Not affected | |----------------------------+------------+----------------------------- -| | Asterisk Addons | 1.6.0.x | Not affected | |----------------------------+------------+----------------------------- -| | Asterisk Addons | 1.6.1.x | Not affected | |----------------------------+------------+----------------------------- -| | Asterisk Business Edition | A.x.x | All versions | |----------------------------+------------+----------------------------- -| | Asterisk Business Edition | B.x.x | All versions prior to | | | | B.2.5.9 | |----------------------------+------------+----------------------------- -| | Asterisk Business Edition | C.2.x | All versions prior to | | | | C.2.4.1 | |----------------------------+------------+----------------------------- -| | Asterisk Business Edition | C.3.x | All versions prior to C.3.1 | |----------------------------+------------+----------------------------- -| | AsteriskNOW | 1.5 | Not affected | |----------------------------+------------+----------------------------- -| | s800i (Asterisk Appliance) | 1.2.x | All versions prior to | | | | 1.3.0.3 | +----------------------------------------------------------------------- -+ +----------------------------------------------------------------------- -+ | Corrected In | |----------------------------------------------------------------------- -| | Product | Release | |---------------------------------------------+------------------------- -| | Asterisk Open Source | 1.2.34 | |---------------------------------------------+------------------------- -| | Asterisk Open Source | 1.4.26.1 | |---------------------------------------------+------------------------- -| | Asterisk Open Source | 1.6.0.12 | |---------------------------------------------+------------------------- -| | Asterisk Open Source | 1.6.1.4 | |---------------------------------------------+------------------------- -| | Asterisk Business Edition | B.2.5.9 | |---------------------------------------------+------------------------- -| | Asterisk Business Edition | C.2.4.1 | |---------------------------------------------+------------------------- -| | Asterisk Business Edition | C.3.1 | |---------------------------------------------+------------------------- -| | s800i (Asterisk Appliance) | 1.3.0.3 | +----------------------------------------------------------------------- -+ +----------------------------------------------------------------------- ----+ | Patches | |----------------------------------------------------------------------- ----| | Link |Branch| |--------------------------------------------------------------------+-- ----| |http://downloads.digium.com/pub/security/AST-2009-005-1.2.diff.txt |1.2 | |--------------------------------------------------------------------+-- ----| |http://downloads.digium.com/pub/security/AST-2009-005-1.4.diff.txt |1.4 | |--------------------------------------------------------------------+-- ----| |http://downloads.digium.com/pub/security/AST-2009-005-trunk.diff.txt|tr unk | |--------------------------------------------------------------------+-- ----| |http://downloads.digium.com/pub/security/AST-2009-005-1.6.0.diff.txt|1. 6.0 | |--------------------------------------------------------------------+-- ----| |http://downloads.digium.com/pub/security/AST-2009-005-1.6.1.diff.txt|1. 6.1 | |--------------------------------------------------------------------+-- ----| |http://downloads.digium.com/pub/security/AST-2009-005-1.6.2.diff.txt|1. 6.2 | +----------------------------------------------------------------------- ----+ +----------------------------------------------------------------------- -+ | Links | http://labs.mudynamics.com/advisories/MU-200908-01.txt | +----------------------------------------------------------------------- -+ +----------------------------------------------------------------------- -+ | Asterisk Project Security Advisories are posted at | | http://www.asterisk.org/security | | | | This document may be superseded by later versions; if so, the latest | | version will be posted at | | http://downloads.digium.com/pub/security/AST-2009-005.pdf and | | http://downloads.digium.com/pub/security/AST-2009-005.html | +----------------------------------------------------------------------- -+ +----------------------------------------------------------------------- -+ | Revision History | |----------------------------------------------------------------------- -| | Date | Editor | Revisions Made | |---------------------+----------------------+-------------------------- -| | August 10, 2009 | Tilghman Lesher | Initial release | +----------------------------------------------------------------------- -+ Asterisk Project Security Advisory - AST-2009-005 Copyright (c) 2009 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.

References:

http://www.vupen.com/english/advisories/2009/2229
http://www.securitytracker.com/id?1022705
http://www.securityfocus.com/bid/36015
http://www.securityfocus.com/archive/1/archive/1/505669/100/0/threaded
http://secunia.com/advisories/36227
http://labs.mudynamics.com/advisories/MU-200908-01.txt
http://do2000wnloads.digium.com/pub/security/AST-2009-005.html


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top