Bug#415466: asterisk: SIP INVITE DoS, supposedly fixed in 1.4.2 and 1.2.17, which is released today 19/03/2007

Jeroen Massar jeroen at unfix.org
Mon Mar 19 20:32:15 UTC 2007


Package: asterisk
Version: 1:1.2.16~dfsg-1
Severity: grave
Tags: security
Justification: user security hole

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


As found on Full-Disclosure:

MADYNES Security Advisory

http://madynes.loria.fr

Title: Asterisk SIP INVITE remote DOS

Release Date:
      08/03/2007

Severity:
      High - Denial of Service

Advisory ID: KIPH1

Software:
      Asterisk
      http://www.asterisk.org/

Asterisk® is a complete IP PBX in software. It runs on a wide variety of
operating systems including Linux, Mac OS X, OpenBSD, FreeBSD and Sun
Solaris and provides all of the features you would expect from a PBX
including many advanced features that are often associated with high end
(and high cost) proprietary PBXs. Asterisk® supports Voice over IP in
many protocols, and can interoperate with almost all standards-based
telephony equipment using relatively inexpensive hardware.

Affected Versions:
      Asterisk 1.2.14, 1.2.15, 1.2.16
      Asterisk 1.4.1
      probably previous versions also

Unaffected Versions: Trunk version to date (13/03/2007)

Vulnerability Synopsis: After receiving a crafted INVITE message the
software terminates abruptly with a Segmentation Fault, causing a Denial
of Service (DoS) of all the services provided by the entity.

Impact: A remote individual can remotely crash the software and perform a
Denial of Service (DoS) attack on all the services it provides by sending
one crafted SIP INVITE message. This is conceptually similar to the "ping
of death".

Resolution: The problem has been fixed in Asterisk versions 1.4.2 and
1.2.17, which are released today, 19/03/2007.

Vulnerability Description: After receiving a crafted message the software
crashes abruptly. The message in this case is an anonymous INVITE whose
SDP contains 2 connection headers. The first one must be valid and the
second one not, i.e. its IP address should be invalid. The callee need
not be a valid user or dialplan. In case asterisk is set to disallow
anonymous calls, a valid user and password should be known, and while
responding to the corresponding INVITE challenge the information should
be crafted as above. After this crafted SIP INVITE message, the affected
software crashes immediately.

Proof of Concept Code: available

- -- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16-2-amd64-k8
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages asterisk depends on:
ii  adduser                  3.102           Add and remove users and groups
ii  asterisk-classic         1:1.2.16~dfsg-1 Open Source Private Branch Exchang

asterisk recommends no packages.

- -- no debconf information

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Jeroen Massar / http://unfix.org/~jeroen/

iD8DBQFF/uU/KaooUjM+fCMRApYTAJwKry/srbQguiOQCXx6TebC91ElRwCdHI3q
rMztHiJpx7NAIJ0F2gP/TJ0=
=yEsw
-----END PGP SIGNATURE-----
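The advisory describes an SDP body with two connection (c=) lines, the second carrying an address that does not parse, reaching code that assumed every c= line had already yielded a usable address. The following is an added defensive example, not code from the advisory, from Asterisk's chan_sip, or from the Debian package: a small C validator that checks every c= line of an SDP body with inet_pton before any of it is acted on, and rejects the whole body on the first malformed line. The function names, return codes and the sample SDP bodies are constructed for this illustration; the actual upstream fix may differ.

```c
#include <arpa/inet.h>
#include <sys/socket.h>
#include <stdio.h>
#include <string.h>

/* Return codes for the validator (constructed for this example). */
enum { SDP_OK = 0, SDP_ERR_NO_CONN = -1, SDP_ERR_BAD_CONN = -2 };

/* Parse a single "c=<nettype> <addrtype> <address>" line.
 * Returns 1 and copies the address into out (when out is non-NULL) if the
 * line is well formed and the address parses for its stated family;
 * returns 0 otherwise, writing nothing to out on failure. */
int parse_c_line(const char *line, char *out, size_t outlen)
{
    char nettype[8], addrtype[8], addr[64];
    unsigned char bin[16];
    int af;

    if (sscanf(line, "c=%7s %7s %63s", nettype, addrtype, addr) != 3)
        return 0;
    if (strcmp(nettype, "IN") != 0)
        return 0;
    if (strcmp(addrtype, "IP4") == 0)
        af = AF_INET;
    else if (strcmp(addrtype, "IP6") == 0)
        af = AF_INET6;
    else
        return 0;
    /* inet_pton is strict: "1.2.3", "256.1.1.1" or a hostname are rejected. */
    if (inet_pton(af, addr, bin) != 1)
        return 0;
    if (out)
        snprintf(out, outlen, "%s", addr);
    return 1;
}

/* Validate every c= line (session-level or media-level) in an SDP body
 * before any of it is used. One malformed line rejects the whole body
 * (SDP_ERR_BAD_CONN) instead of leaving a later stage with a connection
 * address that was never set. A body without any c= line returns
 * SDP_ERR_NO_CONN. On success the first address is copied to first_addr
 * (when non-NULL) and SDP_OK is returned. Lines longer than the scratch
 * buffer are refused as a sanity check. */
int sdp_validate_connections(const char *sdp, char *first_addr, size_t len)
{
    char linebuf[256];
    int seen = 0;
    const char *p = sdp;

    while (*p) {
        const char *eol = strpbrk(p, "\r\n");
        size_t n = eol ? (size_t)(eol - p) : strlen(p);
        if (n >= sizeof(linebuf))
            return SDP_ERR_BAD_CONN;
        memcpy(linebuf, p, n);
        linebuf[n] = '\0';
        if (strncmp(linebuf, "c=", 2) == 0) {
            if (!parse_c_line(linebuf, seen ? NULL : first_addr, seen ? 0 : len))
                return SDP_ERR_BAD_CONN;
            seen++;
        }
        p += n;
        while (*p == '\r' || *p == '\n')
            p++;
    }
    return seen ? SDP_OK : SDP_ERR_NO_CONN;
}

/* Constructed sample bodies (not captured traffic). */
static const char SDP_GOOD[] =
    "v=0\r\n"
    "o=- 1 1 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "m=audio 4000 RTP/AVP 0\r\n";

/* Two c= lines, the second with an address that does not parse: the
 * shape the advisory describes, here used only to exercise the reject path. */
static const char SDP_TWO_C[] =
    "v=0\r\n"
    "o=- 1 1 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "m=audio 4000 RTP/AVP 0\r\n"
    "c=IN IP4 not.an.address\r\n";

static const char SDP_NO_C[] =
    "v=0\r\no=- 1 1 IN IP4 192.0.2.10\r\ns=-\r\n";

int main(void)
{
    char addr[64] = "";
    printf("good:  %d (addr %s)\n",
           sdp_validate_connections(SDP_GOOD, addr, sizeof addr), addr);
    printf("two c: %d\n", sdp_validate_connections(SDP_TWO_C, NULL, 0));
    printf("no c:  %d\n", sdp_validate_connections(SDP_NO_C, NULL, 0));
    return 0;
}
```

The point of validating up front is that a parser which merely skips a line it cannot understand leaves every later consumer guessing whether the connection address was ever populated; rejecting the body as a whole, and answering the INVITE with a 4xx instead of proceeding, keeps that state machine honest. For a packaged deployment, the advisory's own resolution still applies: upgrade to 1.2.17 or 1.4.2.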
