AST-2009-010: RTP Remote Crash Vulnerability Nov 30 2009 09:58PM
Asterisk Security Team (security asterisk org)
Asterisk Project Security Advisory - AST-2009-010

+-----------------------------------------------------------------------
-+
| Product | Asterisk |
|----------------------+------------------------------------------------
-|
| Summary | RTP Remote Crash Vulnerability |
|----------------------+------------------------------------------------
-|
| Nature of Advisory | Denial of Service |
|----------------------+------------------------------------------------
-|
| Susceptibility | Remote unauthenticated sessions |
|----------------------+------------------------------------------------
-|
| Severity | Critical |
|----------------------+------------------------------------------------
-|
| Exploits Known | No |
|----------------------+------------------------------------------------
-|
| Reported On | November 13, 2009 |
|----------------------+------------------------------------------------
-|
| Reported By | issues.asterisk.org user amorsen |
|----------------------+------------------------------------------------
-|
| Posted On | November 30, 2009 |
|----------------------+------------------------------------------------
-|
| Last Updated On | November 30, 2009 |
|----------------------+------------------------------------------------
-|
| Advisory Contact | David Vossel < dvossel AT digium DOT com > |
|----------------------+------------------------------------------------
-|
| CVE Name | CVE-2009-4055 |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
-+
| Description | An attacker sending a valid RTP comfort noise payload |
| | containing a data length of 24 bytes or greater can |
| | remotely crash Asterisk. |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
-+
| Resolution | Upgrade to one of the versions of Asterisk listed in the |
| | "Corrected In" section, or apply a patch specified in the |
| | "Patches" section. |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
-+
| Affected Versions |
|-----------------------------------------------------------------------
-|
| Product | Release Series | |
|----------------------------------+----------------+-------------------
-|
| Asterisk Open Source | 1.2.x | All versions |
|----------------------------------+----------------+-------------------
-|
| Asterisk Open Source | 1.4.x | All versions |
|----------------------------------+----------------+-------------------
-|
| Asterisk Open Source | 1.6.x | All versions |
|----------------------------------+----------------+-------------------
-|
| Asterisk Business Edition | B.x.x | All versions |
|----------------------------------+----------------+-------------------
-|
| Asterisk Business Edition | C.x.x | All versions |
|----------------------------------+----------------+-------------------
-|
| s800i (Asterisk Appliance) | 1.3.x | All versions |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
-+
| Corrected In |
|-----------------------------------------------------------------------
-|
| Product | Release |
|---------------------------------------------+-------------------------
-|
| Asterisk Open Source | 1.2.37 |
|---------------------------------------------+-------------------------
-|
| Asterisk Open Source | 1.4.27.1 |
|---------------------------------------------+-------------------------
-|
| Asterisk Open Source | 1.6.0.19 |
|---------------------------------------------+-------------------------
-|
| Asterisk Open Source | 1.6.1.11 |
|---------------------------------------------+-------------------------
-|
| Asterisk Business Edition | B.2.5.13 |
|---------------------------------------------+-------------------------
-|
| Asterisk Business Edition | C.2.4.6 |
|---------------------------------------------+-------------------------
-|
| Asterisk Business Edition | C.3.2.3 |
|---------------------------------------------+-------------------------
-|
| S800i (Asterisk Appliance) | 1.3.0.6 |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
------+
| Patches |
|-----------------------------------------------------------------------
------|
| Link |Branch|
|----------------------------------------------------------------------+
------|
|http://downloads.asterisk.org/pub/security/AST-2009-010-1.2.diff.txt |1.2 |
|----------------------------------------------------------------------+
------|
|http://downloads.asterisk.org/pub/security/AST-2009-010-1.4.diff.txt |1.4 |
|----------------------------------------------------------------------+
------|
|http://downloads.asterisk.org/pub/security/AST-2009-010-1.6.0.diff.txt|
1.6.0 |
|----------------------------------------------------------------------+
------|
|http://downloads.asterisk.org/pub/security/AST-2009-010-1.6.1.diff.txt|
1.6.1 |
+-----------------------------------------------------------------------
------+

+-----------------------------------------------------------------------
-+
| Links | https://issues.asterisk.org/view.php?id=16242 |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
-+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://downloads.digium.com/pub/security/AST-2009-010.pdf and |
| http://downloads.digium.com/pub/security/AST-2009-010.html |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
-+
| Revision History |
|-----------------------------------------------------------------------
-|
| Date | Editor | Revisions Made |
|------------------+---------------------+------------------------------
-|
| 2009-09-03 | David Vossel | Initial release |
+-----------------------------------------------------------------------
-+

Asterisk Project Security Advisory - AST-2009-010
Copyright (c) 2009 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus