Hosting Provided By
ASA-2007-015: Remote Crash Vulnerability in IAX2 channel driver

From: Kevin P. Fleming <kpfleming(at)digium.com>
Date: Tue Jul 17 2007 - 18:57:44 EDT
Asterisk Project Security Advisory - ASA-2007-015
+------------------------------------------------------------------------+
   |      Product       | Asterisk                                          |
   |--------------------+---------------------------------------------------|
   |      Summary       | Remote Crash Vulnerability in IAX2 channel driver |
   |--------------------+---------------------------------------------------|
   | Nature of Advisory | Denial of Service                                 |
   |--------------------+---------------------------------------------------|
   |   Susceptibility   | Remote Unauthenticated Sessions                   |
   |--------------------+---------------------------------------------------|
   |      Severity      | Critical                                          |
   |--------------------+---------------------------------------------------|
   |   Exploits Known   | No                                                |
   |--------------------+---------------------------------------------------|
   |    Reported On     | July 13, 2007                                     |
   |--------------------+---------------------------------------------------|
   |    Reported By     | Chris Clark and Zane Lackey, iSEC Partners        |
   |--------------------+---------------------------------------------------|
   |     Posted On      | July 17, 2007                                     |
   |--------------------+---------------------------------------------------|
   |  Last Updated On   | July 17, 2007                                     |
   |--------------------+---------------------------------------------------|
   |  Advisory Contact  | Russell Bryant                |
   |--------------------+---------------------------------------------------|
   |      CVE Name      | CVE-2007-3763                                     |
Do you need help? 
In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software:Learn more about Pantek's Technical Support offerings
Place an order for 24/7/365 Technical Support here
Learn more about Pantek, who we are, and what we do
Chat with a Live Operator
Related securityfocus.com Links
bugtraq
certification
focus-bsd
focus-ids
focus-ih
focus-linux
focus-ms
focus-sun
focus-unix-other
focus-virus
forensics
incidents
libnet
linux-secnews
ms-secnews
pen-test
secpapers
secprog
sectools
secureshell
security-basics
securityjobs
sf-news
vuln-dev
webappsec
Request more information about Pantek

   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+

   | Description | The Asterisk IAX2 channel driver, chan_iax2, has a       |
   |             | remotely exploitable crash vulnerability. A NULL pointer |
   |             | exception can occur when Asterisk receives a LAGRQ or    |
   |             | LAGRP frame that is part of a valid session and includes |
   |             | information elements. The session used to exploit this   |
   |             | issue does not have to be authenticated. It can simply   |
   |             | be a NEW packet sent with an invalid username.           |
   |             |                                                          |
   |             | The code that parses the incoming frame correctly parses |
   |             | the information elements of IAX frames. It then sets a   |
   |             | pointer to NULL to indicate that there is not a raw data |
   |             | payload associated with this frame. However, it does not |
   |             | set the variable that indicates the number of bytes in   |
   |             | the raw payload back to zero. Since the raw data length  |
   |             | is non-zero, the code handling LAGRQ and LAGRP frames    |
   |             | tries to copy data from a NULL pointer, causing a crash. |

   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+

   | Resolution | All users that have chan_iax2 enabled should upgrade to   |
   |            | the appropriate version listed in the corrected in        |
   |            | section of this advisory.                                 |

   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+

   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |             Product              |   Release   |                       |
Do you need more help? 
In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software:Learn more about Pantek's Technical Support offerings
Place an order for 24/7/365 Technical Support here
Learn more about Pantek, who we are, and what we do
Chat with a Live Operator
Related securityfocus.com Links
bugtraq
certification
focus-bsd
focus-ids
focus-ih
focus-linux
focus-ms
focus-sun
focus-unix-other
focus-virus
forensics
incidents
libnet
linux-secnews
ms-secnews
pen-test
secpapers
secprog
sectools
secureshell
security-basics
securityjobs
sf-news
vuln-dev
webappsec
Request more information about Pantek
   |                                  |   Series    |                       |
   |----------------------------------+-------------+-----------------------|
   |       Asterisk Open Source       |    1.0.x    | All versions          |
   |----------------------------------+-------------+-----------------------|
   |       Asterisk Open Source       |    1.2.x    | All versions prior to |
   |                                  |             | 1.2.22                |
   |----------------------------------+-------------+-----------------------|
   |       Asterisk Open Source       |    1.4.x    | All versions prior to |
   |                                  |             | 1.4.8                 |
   |----------------------------------+-------------+-----------------------|
   |    Asterisk Business Edition     |    A.x.x    | All versions          |
   |----------------------------------+-------------+-----------------------|
   |    Asterisk Business Edition     |    B.x.x    | All versions prior to |
   |                                  |             | B.2.2.1               |
   |----------------------------------+-------------+-----------------------|
   |           AsteriskNOW            | pre-release | All versions prior to |
   |                                  |             | beta7                 |
   |----------------------------------+-------------+-----------------------|
   | Asterisk Appliance Developer Kit |    0.x.x    | All versions prior to |
   |                                  |             | 0.5.0                 |
   |----------------------------------+-------------+-----------------------|
   |    s800i (Asterisk Appliance)    |    1.0.x    | All versions prior to |
   |                                  |             | 1.0.2                 |
Can we help you? 
In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software:Learn more about Pantek's Technical Support offerings
Place an order for 24/7/365 Technical Support here
Learn more about Pantek, who we are, and what we do
Chat with a Live Operator
Related securityfocus.com Links
bugtraq
certification
focus-bsd
focus-ids
focus-ih
focus-linux
focus-ms
focus-sun
focus-unix-other
focus-virus
forensics
incidents
libnet
linux-secnews
ms-secnews
pen-test
secpapers
secprog
sectools
secureshell
security-basics
securityjobs
sf-news
vuln-dev
webappsec
Request more information about Pantek

   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+

   |                              Corrected In                              |
   |------------------------------------------------------------------------|
   |      Product      |                      Release                       |
   |-------------------+----------------------------------------------------|
   |   Asterisk Open   |          1.2.22 and 1.4.8, available from          |
   |      Source       |    
ftp://ftp.digium.com/pub/telephony/asterisk     |
   |-------------------+----------------------------------------------------|
   | Asterisk Business |   B.2.2.1, available from the Asterisk Business    |
   |      Edition      |  Edition user portal on 
http://www.digium.com or   |
   |                   |                                                    |
   |                   |            via Digium Technical Support            |
   |-------------------+----------------------------------------------------|
   |    AsteriskNOW    | Beta7, available from 
http://www.asterisknow.org/. |
   |                   | Beta5 and Beta6 users can update using the system  |
   |                   |   update feature in the appliance control panel.   |
   |-------------------+----------------------------------------------------|
   |     Asterisk      |               0.5.0, available from                |
   |     Appliance     |                                                    |
   |   Developer Kit   |      
ftp://ftp.digium.com/pub/telephony/aadk/      |
   |-------------------+----------------------------------------------------|
   |  s800i (Asterisk  |                       1.0.2                        |
   |    Appliance)     |                                                    |

   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+

   |        Links        |                                                  |

   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+

   | Asterisk Project Security Advisories are posted at                     |
Can't find what you're looking for? 
In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software:Learn more about Pantek's Technical Support offerings
Place an order for 24/7/365 Technical Support here
Learn more about Pantek, who we are, and what we do
Chat with a Live Operator
Related securityfocus.com Links
bugtraq
certification
focus-bsd
focus-ids
focus-ih
focus-linux
focus-ms
focus-sun
focus-unix-other
focus-virus
forensics
incidents
libnet
linux-secnews
ms-secnews
pen-test
secpapers
secprog
sectools
secureshell
security-basics
securityjobs
sf-news
vuln-dev
webappsec
Request more information about Pantek
   | 
http://www.asterisk.org/security.                                      |
   |                                                                        |
   | This document may be superseded by later versions; if so, the latest   |
   | version will be posted at                                              |
   | 
http://ftp.digium.com/pub/asa/ASA-2007-015.pdf.                        |

   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+

   |                            Revision History                            |
   |------------------------------------------------------------------------|
   |       Date        |         Editor          |      Revisions Made      |
   |-------------------+-------------------------+--------------------------|
   | July 17, 2007     | russell@digium.com      | Initial Release          |

   +------------------------------------------------------------------------+


               Asterisk Project Security Advisory - ASA-2007-015
              Copyright (c) 2007 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.
Received on Wed Jul 18 12:38:22 2007
This message: [ Message body ]
Next message: ak(at)red-database-security.com: "Oracle Security: SQL Injection in package DBMS_PRVTAQIS"
Previous message: ak(at)red-database-security.com: "Oracle Security: Insert / Update / Delete Data via Views"
Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]
This archive was generated by hypermail 2.1.8 : Sun Oct 28 2007 - 06:09:40 EDT