Bug#415466: asterisk: SIP INVITE DoS, supposedly fixed in 1.4.2 and 1.2.17, which is released today 19/03/2007
Tzafrir Cohen
tzafrir.cohen at xorcom.com
Mon Mar 19 22:23:27 UTC 2007
TODO: prepare an Etch upload with this fix and the previous one (the
small patch required for 1.2.16).
On Mon, Mar 19, 2007 at 08:32:15PM +0100, Jeroen Massar wrote:
> Package: asterisk
> Version: 1:1.2.16~dfsg-1
> Severity: grave
> Tags: security
> Justification: user security hole
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> As found on Full-Disclosure:
>
> MADYNES Security Advisory
>
> http://madynes.loria.fr
>
> Title: Asterisk SIP INVITE remote DOS
>
> Release Date:
> 08/03/2007
>
> Severity:
> High - Denial of Service
>
> Advisory ID:KIPH1
>
> Software:
> Asterisk
> http://www.asterisk.org/
>
> Asterisk® is a complete IP PBX in software. It runs on a wide variety of
> operating systems including Linux, Mac OS X, OpenBSD, FreeBSD and Sun
> Solaris and provides all of the features you would expect from a PBX
> including many advanced features that are often associated with high end
> (and high cost) proprietary PBXs. Asterisk® supports Voice over IP in
> many protocols, and can interoperate with almost all standards-based
> telephony equipment using relatively inexpensive hardware.
>
> Affected Versions:
> Asterisk 1.2.14, 1.2.15, 1.2.16
> Asterisk 1.4.1
> probably previous versions also
>
> Unaffected Versions: Trunk version to date (13/03/2007)
>
> Vulnerability Synopsis: After sending a crafted INVITE message, the
> software finishes its execution abruptly with a Segmentation Fault,
> provoking a Denial of Service (DoS) in all the services provided by the
> entity.
>
> Impact: A remote individual can remotely crash the software and perform
> a Denial of Service (DoS) attack on all the services it provides by
> sending one crafted SIP INVITE message. This is conceptually similar to
> the "ping of death".
>
> Resolution: The problem has been fixed in Asterisk versions 1.4.2 and
> 1.2.17, which are released today, 19/03/2007.
>
> Vulnerability Description: After a crafted message is sent, the software
> crashes abruptly. The message in this case is an anonymous INVITE where
> the SDP contains 2 connection headers. The first one must be valid and
> the second one not, i.e. its IP address should be invalid. The callee
> need not be a valid user or dialplan. In the case where Asterisk is set
> to disallow anonymous calls, a valid user and password must be known,
> and when responding to the corresponding INVITE challenge the
> information should be crafted as above. After this crafted SIP INVITE
> message, the affected software crashes immediately.
>
> Proof of Concept Code: available
>
> - -- System Information:
> Debian Release: 4.0
> APT prefers unstable
> APT policy: (500, 'unstable'), (500, 'testing')
> Architecture: amd64 (x86_64)
> Shell: /bin/sh linked to /bin/bash
> Kernel: Linux 2.6.16-2-amd64-k8
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
>
> Versions of packages asterisk depends on:
> ii adduser 3.102 Add and remove users and groups
> ii asterisk-classic 1:1.2.16~dfsg-1 Open Source Private Branch Exchang
>
> asterisk recommends no packages.
>
> - -- no debconf information
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
> Comment: Jeroen Massar / http://unfix.org/~jeroen/
>
> iD8DBQFF/uU/KaooUjM+fCMRApYTAJwKry/srbQguiOQCXx6TebC91ElRwCdHI3q
> rMztHiJpx7NAIJ0F2gP/TJ0=
> =yEsw
> -----END PGP SIGNATURE-----
>
>
> _______________________________________________
> Pkg-voip-maintainers mailing list
> Pkg-voip-maintainers at lists.alioth.debian.org
> http://lists.alioth.debian.org/mailman/listinfo/pkg-voip-maintainers
>
--
Tzafrir Cohen
icq#16849755 jabber:tzafrir at jabber.org
+972-50-7952406 mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com iax:guest at local.xorcom.com/tzafrir
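As an added example (not part of the original message or of the MADYNES advisory, and not Asterisk's own chan_sip code): a small Python checker that splits a SIP INVITE into headers and SDP body, validates every c= (connection) line against RFC 4566's `c=<nettype> <addrtype> <address>` form, and flags the shape the advisory describes, a valid connection line followed by a second one carrying an invalid address. Every name, the sample messages and the RFC 5737 placeholder addresses are constructed for this example; treating FQDNs as invalid (RFC 4566 allows them) is a simplifying assumption.

```python
"""Added example: validate SDP c= lines in a SIP INVITE. Illustrative code,
not Asterisk's chan_sip implementation; all inputs are constructed."""
import ipaddress
from typing import Dict, List, Tuple

CRLF = "\r\n"


def build_invite(sdp_lines: List[str]) -> str:
    """Build a minimal anonymous INVITE carrying the given SDP body.
    Addresses come from the RFC 5737 documentation range; this is
    constructed sample input, not a capture."""
    body = CRLF.join(sdp_lines) + CRLF
    headers = [
        "INVITE sip:100@pbx.example SIP/2.0",
        "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-example",
        "From: <sip:anonymous@192.0.2.10>;tag=1",
        "To: <sip:100@pbx.example>",
        "Call-ID: example-call-1@192.0.2.10",
        "CSeq: 1 INVITE",
        "Content-Type: application/sdp",
        f"Content-Length: {len(body.encode())}",
    ]
    return CRLF.join(headers) + CRLF + CRLF + body


def split_message(raw: str) -> Tuple[Dict[str, str], str]:
    """Split a SIP message into a lowercase-keyed header dict and its body."""
    head, sep, body = raw.partition(CRLF + CRLF)
    headers: Dict[str, str] = {}
    for line in head.split(CRLF)[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, (body if sep else "")


def check_connection_line(line: str) -> Dict[str, object]:
    """Validate one SDP c= line: c=<nettype> <addrtype> <connection-address>.
    Only literal IP addresses are accepted (assumption: FQDNs, which
    RFC 4566 permits, are rejected here for simplicity)."""
    result: Dict[str, object] = {"line": line, "valid": False, "reason": ""}
    fields = line[2:].split()
    if len(fields) != 3:
        result["reason"] = "expected exactly 3 fields"
        return result
    nettype, addrtype, addr = fields
    addr = addr.split("/")[0]  # drop multicast TTL / address-count suffix
    if nettype != "IN":
        result["reason"] = f"unsupported nettype {nettype}"
        return result
    try:
        if addrtype == "IP4":
            ipaddress.IPv4Address(addr)
        elif addrtype == "IP6":
            ipaddress.IPv6Address(addr)
        else:
            result["reason"] = f"unsupported addrtype {addrtype}"
            return result
    except ValueError:
        result["reason"] = f"{addr!r} is not a valid {addrtype} literal"
        return result
    result["valid"] = True
    return result


def classify_invite(raw: str) -> Dict[str, object]:
    """Inspect an INVITE's SDP and report whether every c= line is valid.
    verdict is 'no_sdp', 'ok' or 'invalid_connection'; invalid_indices
    lists the offending c= lines in order of appearance."""
    headers, body = split_message(raw)
    if headers.get("content-type", "").lower() != "application/sdp" or not body:
        return {"verdict": "no_sdp", "connection_count": 0,
                "invalid_indices": [], "reasons": []}
    checks = [check_connection_line(l) for l in body.split(CRLF)
              if l.startswith("c=")]
    bad = [i for i, c in enumerate(checks) if not c["valid"]]
    return {
        "verdict": "invalid_connection" if bad else "ok",
        "connection_count": len(checks),
        "invalid_indices": bad,
        "reasons": [checks[i]["reason"] for i in bad],
    }


# Constructed samples: a benign INVITE, and one shaped like the advisory's
# description (a valid c= line followed by one with an invalid address).
BENIGN_INVITE = build_invite([
    "v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-",
    "c=IN IP4 192.0.2.10", "t=0 0", "m=audio 4000 RTP/AVP 0",
])
CRAFTED_INVITE = build_invite([
    "v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-",
    "c=IN IP4 192.0.2.10", "c=IN IP4 999.999.999.999",
    "t=0 0", "m=audio 4000 RTP/AVP 0",
])

if __name__ == "__main__":
    for name, msg in (("benign", BENIGN_INVITE), ("crafted", CRAFTED_INVITE)):
        print(name, classify_invite(msg))
```

The point of the check is that a parser handling the second c= line must fail closed: an address that does not parse should cause the INVITE to be rejected with an error response rather than be dereferenced as if it were a valid address. The same function can be pointed at a pcap-derived message body to triage traffic against an unpatched 1.2.x or 1.4.1 system.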