BugTraq
AST-2008-010: Asterisk IAX 'POKE' resource exhaustion Jul 22 2008 11:15PM
Asterisk Security Team (security asterisk org)
Asterisk Project Security Advisory - AST-2008-010

+-----------------------------------------------------------------------
-+
| Product | Asterisk |
|----------------------+------------------------------------------------
-|
| Summary | Asterisk IAX 'POKE' resource exhaustion |
|----------------------+------------------------------------------------
-|
| Nature of Advisory | Denial of service |
|----------------------+------------------------------------------------
-|
| Susceptibility | Remote Unauthenticated Sessions |
|----------------------+------------------------------------------------
-|
| Severity | Critical |
|----------------------+------------------------------------------------
-|
| Exploits Known | Yes |
|----------------------+------------------------------------------------
-|
| Reported On | July 18, 2008 |
|----------------------+------------------------------------------------
-|
| Reported By | Jeremy McNamara < jj AT nufone DOT net > |
|----------------------+------------------------------------------------
-|
| Posted On | July 22, 2008 |
|----------------------+------------------------------------------------
-|
| Last Updated On | July 22, 2008 |
|----------------------+------------------------------------------------
-|
| Advisory Contact | Tilghman Lesher < tlesher AT digium DOT com > |
|----------------------+------------------------------------------------
-|
| CVE Name | CVE-2008-3263 |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
-+
| Description | By flooding an Asterisk server with IAX2 'POKE' |
| | requests, an attacker may eat up all call numbers |
| | associated with the IAX2 protocol on an Asterisk server |
| | and prevent other IAX2 calls from getting through. Due |
| | to the nature of the protocol, IAX2 POKE calls will |
| | expect an ACK packet in response to the PONG packet sent |
| | in response to the POKE. While waiting for this ACK |
| | packet, this dialog consumes an IAX2 call number, as the |
| | ACK packet must contain the same call number as was |
| | allocated and sent in the PONG. |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
-+
| Resolution | The implementation has been changed to no longer allocate |
| | an IAX2 call number for POKE requests. Instead, call |
| | number 1 has been reserved for all responses to POKE |
| | requests, and ACK packets referencing call number 1 will |
| | be silently dropped. |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
----------------------------------------------------------+
|Commentary|This vulnerability was reported to us without exploit code, less than two days before public release, with exploit |
| |code. Additionally, we were not informed of the public release of the exploit code and only learned this fact from a |
| |third party. We reiterate that this is irresponsible security disclosure, and we recommend that in the future, |
| |adequate time be given to fix any such vulnerability. Recommended reading: |
| |http://www.oisafety.org/guidelines/Guidelines%20for%20Security%20Vulner
ability%20Reporting%20and%20Response%20V2.0.pdf|
+-----------------------------------------------------------------------
----------------------------------------------------------+

+-----------------------------------------------------------------------
-+
| Affected Versions |
|-----------------------------------------------------------------------
-|
| Product | Release | |
| | Series | |
|----------------------------------+-------------+----------------------
-|
| Asterisk Open Source | 1.0.x | All versions |
|----------------------------------+-------------+----------------------
-|
| Asterisk Open Source | 1.2.x | All versions prior to |
| | | 1.2.30 |
|----------------------------------+-------------+----------------------
-|
| Asterisk Open Source | 1.4.x | All versions prior to |
| | | 1.4.21.2 |
|----------------------------------+-------------+----------------------
-|
| Asterisk Addons | 1.2.x | Not affected |
|----------------------------------+-------------+----------------------
-|
| Asterisk Addons | 1.4.x | Not affected |
|----------------------------------+-------------+----------------------
-|
| Asterisk Business Edition | A.x.x | All versions |
|----------------------------------+-------------+----------------------
-|
| Asterisk Business Edition | B.x.x.x | All versions prior to |
| | | B.2.5.4 |
|----------------------------------+-------------+----------------------
-|
| Asterisk Business Edition | C.x.x.x | All versions prior to |
| | | C.1.10.3 |
|----------------------------------+-------------+----------------------
-|
| AsteriskNOW | pre-release | All versions |
|----------------------------------+-------------+----------------------
-|
| Asterisk Appliance Developer Kit | 0.x.x | All versions |
|----------------------------------+-------------+----------------------
-|
| s800i (Asterisk Appliance) | 1.0.x | All versions prior to |
| | | 1.2.0.1 |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
-+
| Corrected In |
|-----------------------------------------------------------------------
-|
| Product | Release |
|---------------------------------------------+-------------------------
-|
| Asterisk Open Source | 1.2.30 |
|---------------------------------------------+-------------------------
-|
| Asterisk Open Source | 1.4.21.2 |
|---------------------------------------------+-------------------------
-|
| Asterisk Business Edition | B.2.5.4 |
|---------------------------------------------+-------------------------
-|
| Asterisk Business Edition | C.1.10.3 |
|---------------------------------------------+-------------------------
-|
| Asterisk Business Edition | C.2.0.3 |
|---------------------------------------------+-------------------------
-|
| s800i (Asterisk Appliance) | 1.2.0.1 |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
-----------------------------------------------------+
|Links|http://www.oisafety.org/guidelines/Guidelines%20for%20Security%20
Vulnerability%20Reporting%20and%20Response%20V2.0.pdf|
|-----+-----------------------------------------------------------------
-----------------------------------------------------|
| |http://www.securityfocus.com/bid/30321/info |
+-----------------------------------------------------------------------
-----------------------------------------------------+

+-----------------------------------------------------------------------
-+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://downloads.digium.com/pub/security/AST-2008-010.pdf and |
| http://downloads.digium.com/pub/security/AST-2008-010.html |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
-+
| Revision History |
|-----------------------------------------------------------------------
-|
| Date | Editor | Revisions Made |
|-----------------+--------------------+--------------------------------
-|
| July 22, 2008 | Tilghman Lesher | Initial release |
|-----------------+--------------------+--------------------------------
-|
| July 22, 2008 | Tilghman Lesher | Revised C.1 version numbers |
+-----------------------------------------------------------------------
-+

Asterisk Project Security Advisory - AST-2008-010
Copyright (c) 2008 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus