Asterisk Project Security Advisory - ASA-2007-013
+----------------------------------------------------------------------------------+
| Product | Asterisk
|
|----------------------+-----------------------------------------------------------|
| Summary | IAX2 users can cause unauthorized data
disclosure |
|----------------------+-----------------------------------------------------------|
| Nature of Advisory | Unauthorized information disclosure
|
|----------------------+-----------------------------------------------------------|
| Susceptibility | Remote authenticated sessions
|
|----------------------+-----------------------------------------------------------|
| Severity | Low
|
|----------------------+-----------------------------------------------------------|
| Exploits Known | No
|
|----------------------+-----------------------------------------------------------|
| Reported On | April 27, 2007
|
|----------------------+-----------------------------------------------------------|
| Reported By | Tim Panton, Mexuar, <[EMAIL PROTECTED]>
|
| |
|
| | Birgit Arkesteijn, Westhawk,
<[EMAIL PROTECTED]> |
|----------------------+-----------------------------------------------------------|
| Posted On | May 4, 2007
|
|----------------------+-----------------------------------------------------------|
| Last Updated On | May 4, 2007
|
|----------------------+-----------------------------------------------------------|
| Advisory Contact | [EMAIL PROTECTED]
|
|----------------------+-----------------------------------------------------------|
| CVE Name | CVE-2007-2488
|
+----------------------------------------------------------------------------------+
+----------------------------------------------------------------------------------+
| Description | > From: Tim Panton <[EMAIL PROTECTED]>
|
| |
|
| | > Date: 27 April 2007 08:02:36 BDT
|
| |
|
| | > To: "Kevin P. Fleming" <[EMAIL PROTECTED]>
|
| |
|
| | > Subject: Possible IAX2 vulnerability (Minor)
|
| |
|
| | >
|
| |
|
| | > We've stumbled on a bug in the way Asterisk's IAX2
handles text |
| |
|
| | > frames.
|
| |
|
| | > I'm emailing you because it is a borderline security
|
| | vulnerability,
|
| |
|
| | > and my
|
| |
|
| | > friends in the security world tell me that I should
notify the |
| |
|
| | > vendor privately
|
| |
|
| | > first. If you feel it isn't a security issue, let me
know and |
| | I'll
|
| |
|
| | > put it in mantis.
|
| |
|
| | >
|
| |
|
| | > chan_iax2 assumes that the content of a text frame
is a null |
| |
|
| | > terminated
|
| |
|
| | > string (C style), and when time comes to forward the
string it |
| | uses
|
| |
|
| | > strlen
|
| |
|
| | > to determine the message length.
|
| |
|
| | >
|
| |
|
| | > If you send a frame without a 0 byte in it, Asterisk
forwards a |
| |
|
| | > frame that
|
| |
|
| | > includes the sent data and some extra (presumably
heap) data. |
| |
|
| | >
|
| |
|
| | > If an attacker were lucky, the extra data could
contain |
| | something
|
| |
|
| | > interesting.
|
| |
|
| | > Or conceivably it could cause a segmentation
violation. |
+----------------------------------------------------------------------------------+
+----------------------------------------------------------------------------------+
| Resolution | Asterisk code has been modified to enforce
null-termination of |
| | incoming text frames received by the IAX2 channel
driver |
| | (chan_iax2). When text frames are received without
|
| | null-termination, this may result in the last byte of
data in the |
| | frame being lost, if the IAX2 reception process does
not have space |
| | in its receive buffer to add a null character.
|
| |
|
| | As this vulnerability is of 'low' severity, it does not
justify new |
| | releases of Asterisk solely for mitigating its impact.
The fix for |
| | this vulnerability has been committed to the Asterisk
Subversion |
| | source code repositories and is available to all users
who wish to |
| | upgrade to a prerelease checkout of the respective
development |
| | branch for their release series of Asterisk. All other
users can |
| | upgrade when the next regularly scheduled release of
their product |
| | is produced.
|
+----------------------------------------------------------------------------------+
+----------------------------------------------------------------------------------+
| Affected Versions
|
|----------------------------------------------------------------------------------|
| Product | Release |
|
| | Series |
|
|----------------------------------+-------------+---------------------------------|
| Asterisk Open Source | 1.0.x | has not been
evaluated as this |
| | | release series is
no longer |
| | | maintained
|
|----------------------------------+-------------+---------------------------------|
| Asterisk Open Source | 1.2.x | all releases prior
to 1.2.19 |
|----------------------------------+-------------+---------------------------------|
| Asterisk Open Source | 1.4.x | all releases prior
to 1.4.4 |
|----------------------------------+-------------+---------------------------------|
| Asterisk Business Edition | A.x.x | all releases
|
|----------------------------------+-------------+---------------------------------|
| Asterisk Business Edition | B.x.x | all releases prior
to B.2.1 |
|----------------------------------+-------------+---------------------------------|
| AsteriskNOW | pre-release | all releases prior
to and |
| | | including Beta 5
|
|----------------------------------+-------------+---------------------------------|
| Asterisk Appliance Developer Kit | 0.x.x | all releases prior
to 0.4.1 |
+----------------------------------------------------------------------------------+
+----------------------------------------------------------------------------------+
| Corrected In
|
|----------------------------------------------------------------------------------|
| Product | Release
|
|----------------------+-----------------------------------------------------------|
| Asterisk Open Source | 1.2.19 and 1.4.4 will be available
from |
| | ftp://ftp.digium.com/pub/telephony/asterisk
when released |
|----------------------+-----------------------------------------------------------|
| Asterisk Business | B.2.1, will be available from the Asterisk
Business |
| Edition | Edition user portal on
http://www.digium.com or via |
| | Digium Technical Support when
released |
|----------------------+-----------------------------------------------------------|
| AsteriskNOW | Beta 6, when available from
http://www.asterisknow.org, |
| | Beta 5 users can use 'System Update' in the
appliance |
| | control panel to update their version of
AsteriskNOW when |
| | Asterisk 1.4.4 has been released
|
|----------------------+-----------------------------------------------------------|
| Asterisk Appliance | 0.4.1, will be available from
|
| Developer Kit | ftp://ftp.digium.com/pub/telephony/aadk
when released |
+----------------------------------------------------------------------------------+
+----------------------------------------------------------------------------------+
| Links | http://bugs.digium.com/view.php?id=9638
|
+----------------------------------------------------------------------------------+
+----------------------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at
|
| http://www.asterisk.org/security.
|
|
|
| This document may be superseded by later versions; if so, the latest
version |
| will be posted at http://ftp.digium.com/pub/asa/ASA-2007-013.pdf.
|
+----------------------------------------------------------------------------------+
+----------------------------------------------------------------------------------+
| Revision History
|
|----------------------------------------------------------------------------------|
| Date | Editor | Revisions
Made |
|-------------------+-----------------------------+--------------------------------|
| May 4, 2007 | [EMAIL PROTECTED] | initial release
|
+----------------------------------------------------------------------------------+
Asterisk Project Security Advisory - ASA-2007-013
Copyright (c) 2007 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in
its original,
unaltered form.
