Asterisk security : AST-2009-004: Remote Crash Vulnerability in RTP stack

Today (2009-09-03), a vulnerability was discovered in the Asterisk RTP stack that may allow a remote user to crash your server by sending malformed RTP packets.

Only 1.6.1 versions are affected. Please upgrade. Here is the full vulnerability advisory.

Asterisk Project Security Advisory - AST-2009-004

+------------------------------------------------------------------------+
|       Product        | Asterisk                                        |
|----------------------+-------------------------------------------------|
|       Summary        | Remote Crash Vulnerability in RTP stack         |
|----------------------+-------------------------------------------------|
|  Nature of Advisory  | Exploitable Crash                               |
|----------------------+-------------------------------------------------|
|    Susceptibility    | Remote unauthenticated sessions                 |
|----------------------+-------------------------------------------------|
|       Severity       | Critical                                        |
|----------------------+-------------------------------------------------|
|    Exploits Known    | No                                              |
|----------------------+-------------------------------------------------|
|     Reported On      | July 27, 2009                                   |
|----------------------+-------------------------------------------------|
|     Reported By      | Marcus Hunger <hunger AT sipgate DOT de>        |
|----------------------+-------------------------------------------------|
|      Posted On       | August 2, 2009                                  |
|----------------------+-------------------------------------------------|
|   Last Updated On    | August 2, 2009                                  |
|----------------------+-------------------------------------------------|
|   Advisory Contact   | Mark Michelson <mmichelson AT digium DOT com>   |
|----------------------+-------------------------------------------------|
|       CVE Name       |                                                 |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Description | An attacker can cause Asterisk to crash remotely by      |
|             | sending malformed RTP text frames. While the attacker    |
|             | can cause Asterisk to crash, he cannot execute arbitrary |
|             | remote code with this exploit.                           |
+------------------------------------------------------------------------+
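The advisory does not say which field of the malformed text frame triggers the crash, and the example below does not try to reproduce it. It is an added illustration, not Asterisk code, of the defensive pattern that prevents this class of bug in an RTP receiver: every length-bearing field of the RFC 3550 fixed header (CSRC count, extension length, padding count) is checked against the size of the datagram actually received before any byte past the fixed 12-byte header is read. The three sample packets are constructed for the example; payload type 98 is an assumed dynamic type, not one taken from the advisory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not Asterisk code: a bounds-checked parser for the RTP
 * fixed header (RFC 3550). The AST-2009-004 defect itself is not described
 * in the advisory and is not reproduced here. */

#define RTP_FIXED_HEADER_LEN 12

struct rtp_view {
    uint8_t version, padding, extension, cc, marker, payload_type;
    uint16_t seq;
    uint32_t timestamp, ssrc;
    const uint8_t *payload;   /* points into the caller's buffer */
    size_t payload_len;
};

/* Returns 0 when the header is well formed, a negative code otherwise.
 * Every offset is compared against len before the byte there is read. */
int rtp_parse(const uint8_t *buf, size_t len, struct rtp_view *out)
{
    if (buf == NULL || out == NULL) return -1;
    if (len < RTP_FIXED_HEADER_LEN) return -2;          /* truncated header */

    out->version = buf[0] >> 6;
    if (out->version != 2) return -3;                   /* not RTP version 2 */
    out->padding      = (buf[0] >> 5) & 1;
    out->extension    = (buf[0] >> 4) & 1;
    out->cc           = buf[0] & 0x0f;
    out->marker       = buf[1] >> 7;
    out->payload_type = buf[1] & 0x7f;
    out->seq          = (uint16_t)((buf[2] << 8) | buf[3]);
    out->timestamp    = ((uint32_t)buf[4] << 24) | ((uint32_t)buf[5] << 16) |
                        ((uint32_t)buf[6] << 8)  | buf[7];
    out->ssrc         = ((uint32_t)buf[8] << 24) | ((uint32_t)buf[9] << 16) |
                        ((uint32_t)buf[10] << 8) | buf[11];

    /* CSRC list: the 4-bit count comes from the sender, so it is checked
     * against the datagram size rather than trusted. */
    size_t off = RTP_FIXED_HEADER_LEN + (size_t)out->cc * 4;
    if (off > len) return -4;                           /* CSRC list overruns datagram */

    if (out->extension) {                               /* optional header extension */
        if (len - off < 4) return -5;                   /* no room for its 4-byte head */
        size_t ext_words = (size_t)((buf[off + 2] << 8) | buf[off + 3]);
        off += 4;
        if (ext_words * 4 > len - off) return -6;       /* extension length overruns */
        off += ext_words * 4;
    }

    size_t end = len;
    if (out->padding) {                                 /* last byte holds the padding count */
        if (end == off) return -7;                      /* P bit set but no bytes left */
        size_t pad = buf[end - 1];
        if (pad == 0 || pad > end - off) return -8;     /* padding count is bogus */
        end -= pad;
    }

    out->payload     = buf + off;
    out->payload_len = end - off;
    return 0;
}

/* Wrappers for callers that only want a verdict. */
int rtp_status(const uint8_t *buf, size_t len)
{
    struct rtp_view v;
    return rtp_parse(buf, len, &v);
}

long rtp_payload_len(const uint8_t *buf, size_t len)
{
    struct rtp_view v;
    return rtp_parse(buf, len, &v) == 0 ? (long)v.payload_len : -1L;
}

/* Constructed samples, not captured traffic. PT 98 is an assumed dynamic type. */
static const uint8_t SAMPLE_TEXT_FRAME[] = {
    0x80, 0x62, 0x00, 0x01,             /* V=2 P=0 X=0 CC=0, M=0 PT=98, seq 1 */
    0x00, 0x00, 0x00, 0x64,             /* timestamp 100 */
    0xde, 0xad, 0xbe, 0xef,             /* SSRC */
    'h', 'i'                            /* two bytes of text payload */
};
static const uint8_t SAMPLE_BAD_CSRC[] = {
    0x8f, 0x62, 0x00, 0x02,             /* CC=15 claims 60 bytes of CSRCs that are absent */
    0x00, 0x00, 0x00, 0x64, 0xde, 0xad, 0xbe, 0xef, 'h', 'i'
};
static const uint8_t SAMPLE_BAD_PAD[] = {
    0xa0, 0x62, 0x00, 0x03,             /* P=1 */
    0x00, 0x00, 0x00, 0x64, 0xde, 0xad, 0xbe, 0xef,
    'h', 'i', 0x00, 0x00, 0x09          /* padding count 9 exceeds the 5 bytes after the header */
};

int main(void)
{
    printf("text frame: status %d, payload %ld bytes\n",
           rtp_status(SAMPLE_TEXT_FRAME, sizeof SAMPLE_TEXT_FRAME),
           rtp_payload_len(SAMPLE_TEXT_FRAME, sizeof SAMPLE_TEXT_FRAME));
    printf("bad CSRC count: status %d\n", rtp_status(SAMPLE_BAD_CSRC, sizeof SAMPLE_BAD_CSRC));
    printf("bad padding:    status %d\n", rtp_status(SAMPLE_BAD_PAD, sizeof SAMPLE_BAD_PAD));
    return 0;
}
```

The point of the wrappers is that the decision to drop a packet is made on the whole datagram before the payload is handed to a codec or text handler; a receiver that reads the CSRC count or the padding byte and then indexes by it without the `off > len` and `pad > end - off` comparisons is exactly the shape of code that a malformed frame turns into a crash.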

+------------------------------------------------------------------------+
| Resolution | Users should upgrade to a version listed in the           |
|            | "Corrected In" section below.                             |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
|                           Affected Versions                            |
|------------------------------------------------------------------------|
|            Product            | Release Series |                       |
|-------------------------------+----------------+-----------------------|
|     Asterisk Open Source      |     1.2.x      | Unaffected            |
|-------------------------------+----------------+-----------------------|
|     Asterisk Open Source      |     1.4.x      | Unaffected            |
|-------------------------------+----------------+-----------------------|
|     Asterisk Open Source      |     1.6.x      | All 1.6.1 versions    |
|-------------------------------+----------------+-----------------------|
|        Asterisk Addons        |     1.2.x      | Unaffected            |
|-------------------------------+----------------+-----------------------|
|        Asterisk Addons        |     1.4.x      | Unaffected            |
|-------------------------------+----------------+-----------------------|
|        Asterisk Addons        |     1.6.x      | Unaffected            |
|-------------------------------+----------------+-----------------------|
|   Asterisk Business Edition   |     A.x.x      | Unaffected            |
|-------------------------------+----------------+-----------------------|
|   Asterisk Business Edition   |     B.x.x      | Unaffected            |
|-------------------------------+----------------+-----------------------|
|   Asterisk Business Edition   |     C.x.x      | Unaffected            |
|-------------------------------+----------------+-----------------------|
|          AsteriskNOW          |      1.5       | Unaffected            |
|-------------------------------+----------------+-----------------------|
|  s800i (Asterisk Appliance)   |     1.2.x      | Unaffected            |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
|                              Corrected In                              |
|------------------------------------------------------------------------|
|                   Product                   |         Release          |
|---------------------------------------------+--------------------------|
|         Open Source Asterisk 1.6.1          |         1.6.1.2          |
+------------------------------------------------------------------------+

+----------------------------------------------------------------------------+
|                                  Patches                                   |
|----------------------------------------------------------------------------|
|                              SVN URL                               |Version|
|--------------------------------------------------------------------+-------|
|http://downloads.digium.com/pub/security/AST-2009-004-1.6.1.diff.txt| 1.6.1 |
+----------------------------------------------------------------------------+

+------------------------------------------------------------------------+
|        Links        |                                                  |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at                     |
| http://www.asterisk.org/security                                       |
|                                                                        |
| This document may be superseded by later versions; if so, the latest   |
| version will be posted at                                              |
| http://downloads.digium.com/pub/security/AST-2009-004.pdf and          |
| http://downloads.digium.com/pub/security/AST-2009-004.html             |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
|                            Revision History                            |
|------------------------------------------------------------------------|
|      Date      |     Editor      |           Revisions Made            |
|----------------+-----------------+-------------------------------------|
| 27 Jul, 2009   | Mark Michelson  | Initial Draft                       |
|----------------+-----------------+-------------------------------------|
| 31 Jul, 2009   | Mark Michelson  | Added sentence about how remote     |
|                |                 | code cannot be executed.            |
|----------------+-----------------+-------------------------------------|
| August 2, 2009 | Tilghman Lesher | Public release                      |
+------------------------------------------------------------------------+

Asterisk Project Security Advisory - AST-2009-004
Copyright (c) 2009 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.