+-----------------------------------------------------------------------
-+
| Product | Asterisk |
|--------------------+--------------------------------------------------
-|
| Summary | Remote Crash Vulnerability in STUN implementation |
|--------------------+--------------------------------------------------
-|
| Nature of Advisory | Denial of Service |
|--------------------+--------------------------------------------------
-|
| Susceptibility | Remote Unauthenticated Sessions |
|--------------------+--------------------------------------------------
-|
| Severity | Critical |
|--------------------+--------------------------------------------------
-|
| Exploits Known | No |
|--------------------+--------------------------------------------------
-|
| Reported On | July 13, 2007 |
|--------------------+--------------------------------------------------
-|
| Reported By | Will Drewry, Google Security Team |
|--------------------+--------------------------------------------------
-|
| Posted On | July 17, 2007 |
|--------------------+--------------------------------------------------
-|
| Last Updated On | July 17, 2007 |
|--------------------+--------------------------------------------------
-|
| Advisory Contact | Joshua Colp <jcolp (at) digium (dot) com [email concealed]> |
|--------------------+--------------------------------------------------
-|
| CVE Name | CVE-2007-3765 |
+-----------------------------------------------------------------------
-+
+-----------------------------------------------------------------------
-+
| Description | The Asterisk STUN implementation in the RTP stack has a |
| | remotely exploitable crash vulnerability. A pointer may |
| | run past accessible memory if Asterisk receives a |
| | specially crafted STUN packet on an active RTP port. |
| | |
| | The code that parses the incoming STUN packets |
| | incorrectly checks that the length indicated in the STUN |
| | attribute and the size of the STUN attribute header does |
| | not exceed the available data. This will cause the data |
| | pointer to run past accessible memory and when accessed |
| | will cause a crash. |
+-----------------------------------------------------------------------
-+
+-----------------------------------------------------------------------
-+
| Resolution | All users that have chan_sip, chan_gtalk, chan_jingle, |
| | chan_h323, chan_mgcp, or chan_skinny enabled on an |
| | affected version should upgrade to the appropriate |
| | version listed in the correct in section of this |
| | advisory. |
+-----------------------------------------------------------------------
-+
+-----------------------------------------------------------------------
-+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security. |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://ftp.digium.com/pub/asa/ASA-2007-017.pdf. |
+-----------------------------------------------------------------------
-+
+-----------------------------------------------------------------------
-+
| Revision History |
|-----------------------------------------------------------------------
-|
| Date | Editor | Revisions Made |
|--------------------+-----------------------+--------------------------
-|
| July 17, 2006 | jcolp (at) digium (dot) com [email concealed] | Initial Release |
+-----------------------------------------------------------------------
-+
Asterisk Project Security Advisory - ASA-2007-017
Copyright (c) 2007 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
+-----------------------------------------------------------------------
-+
| Product | Asterisk |
|--------------------+--------------------------------------------------
-|
| Summary | Remote Crash Vulnerability in STUN implementation |
|--------------------+--------------------------------------------------
-|
| Nature of Advisory | Denial of Service |
|--------------------+--------------------------------------------------
-|
| Susceptibility | Remote Unauthenticated Sessions |
|--------------------+--------------------------------------------------
-|
| Severity | Critical |
|--------------------+--------------------------------------------------
-|
| Exploits Known | No |
|--------------------+--------------------------------------------------
-|
| Reported On | July 13, 2007 |
|--------------------+--------------------------------------------------
-|
| Reported By | Will Drewry, Google Security Team |
|--------------------+--------------------------------------------------
-|
| Posted On | July 17, 2007 |
|--------------------+--------------------------------------------------
-|
| Last Updated On | July 17, 2007 |
|--------------------+--------------------------------------------------
-|
| Advisory Contact | Joshua Colp <jcolp (at) digium (dot) com [email concealed]> |
|--------------------+--------------------------------------------------
-|
| CVE Name | CVE-2007-3765 |
+-----------------------------------------------------------------------
-+
+-----------------------------------------------------------------------
-+
| Description | The Asterisk STUN implementation in the RTP stack has a |
| | remotely exploitable crash vulnerability. A pointer may |
| | run past accessible memory if Asterisk receives a |
| | specially crafted STUN packet on an active RTP port. |
| | |
| | The code that parses the incoming STUN packets |
| | incorrectly checks that the length indicated in the STUN |
| | attribute and the size of the STUN attribute header does |
| | not exceed the available data. This will cause the data |
| | pointer to run past accessible memory and when accessed |
| | will cause a crash. |
+-----------------------------------------------------------------------
-+
+-----------------------------------------------------------------------
-+
| Resolution | All users that have chan_sip, chan_gtalk, chan_jingle, |
| | chan_h323, chan_mgcp, or chan_skinny enabled on an |
| | affected version should upgrade to the appropriate |
| | version listed in the correct in section of this |
| | advisory. |
+-----------------------------------------------------------------------
-+
+-----------------------------------------------------------------------
-+
| Affected Versions |
|-----------------------------------------------------------------------
-|
| Product | Release | |
| | Series | |
|----------------------------------+-------------+----------------------
-|
| Asterisk Open Source | 1.0.x | None affected |
|----------------------------------+-------------+----------------------
-|
| Asterisk Open Source | 1.2.x | None affected |
|----------------------------------+-------------+----------------------
-|
| Asterisk Open Source | 1.4.x | All versions prior to |
| | | 1.4.8 |
|----------------------------------+-------------+----------------------
-|
| Asterisk Business Edition | A.x.x | None affected |
|----------------------------------+-------------+----------------------
-|
| Asterisk Business Edition | B.x.x | None affected |
|----------------------------------+-------------+----------------------
-|
| AsteriskNOW | pre-release | All versions prior to |
| | | beta7 |
|----------------------------------+-------------+----------------------
-|
| Asterisk Appliance Developer Kit | 0.x.x | All versions prior to |
| | | 0.5.0 |
|----------------------------------+-------------+----------------------
-|
| s800i (Asterisk Appliance) | 1.0.x | All versions prior to |
| | | 1.0.2 |
+-----------------------------------------------------------------------
-+
+-----------------------------------------------------------------------
-+
| Corrected In |
|-----------------------------------------------------------------------
-|
| Product | Release |
|-----------------+-----------------------------------------------------
-|
| Asterisk Open | 1.4.8 available from |
| Source | ftp://ftp.digium.com/pub/telephony/asterisk |
|-----------------+-----------------------------------------------------
-|
| AsteriskNOW | Beta7, available from http://www.asterisknow.org/. |
| | Beta5 and Beta6 users can update using the system |
| | update feature in the appliance control panel. |
|-----------------+-----------------------------------------------------
-|
| Asterisk | 0.5.0, available from |
| Appliance | ftp://ftp.digium.com/pub/telephony/aadk/ |
| Developer Kit | |
|-----------------+-----------------------------------------------------
-|
| s800i (Asterisk | 1.0.2 |
| Appliance) | |
+-----------------------------------------------------------------------
-+
+-----------------------------------------------------------------------
-+
| Links | |
+-----------------------------------------------------------------------
-+
+-----------------------------------------------------------------------
-+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security. |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://ftp.digium.com/pub/asa/ASA-2007-017.pdf. |
+-----------------------------------------------------------------------
-+
+-----------------------------------------------------------------------
-+
| Revision History |
|-----------------------------------------------------------------------
-|
| Date | Editor | Revisions Made |
|--------------------+-----------------------+--------------------------
-|
| July 17, 2006 | jcolp (at) digium (dot) com [email concealed] | Initial Release |
+-----------------------------------------------------------------------
-+
Asterisk Project Security Advisory - ASA-2007-017
Copyright (c) 2007 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
[ reply ]