Bug#618790: AST-2011-003: Resource exhaustion in Asterisk Manager Interface
Tzafrir Cohen
tzafrir.cohen at xorcom.com
Fri Apr 22 06:22:57 UTC 2011
retitle 618790 asterisk: AST-2011-005: File Descriptor Resource Exhaustion through TCP
thanks
As you may have noticed, this issue was not yet fixed. Here's a quick
update:
On Fri, Mar 18, 2011 at 02:14:20PM +0000, Tzafrir Cohen wrote:
> Package: asterisk
> Version: 1:1.6.2.9-2+squeeze2
> Justification: AST-2011-003: Resource exhaustion in Asterisk Manager Interface
> Severity: serious
> Tags: security patch upstream
>
> Rapidly opening manager connections, sending invalid data, and closing the
> connection can cause Asterisk to exhaust available CPU and memory resources.
Looking further into the issue, I realised that the fix they put there
(break the connection in case of a failed write) does not help a bit.
The real issue is that you can just open a connection, wait as long as
you want, and consume a file descriptor from Asterisk in the process.
I approached Digium with this. They took my initial fix, improved it and
started testing it. Only to realise that this also applies to other
TCP services. Which meant more patching and more testing.
While they were at it, they realised that the test in the Asterisk code
for the "system" privs in the manager interface is missing altogether in
1.4 and misses an important case in later versions. If you'll look at
the patch in it for Squeeze you'll see that Debian was missing one other
case that was already fixed upstream of some reversed logic.
--
Tzafrir Cohen
icq#16849755 jabber:tzafrir.cohen at xorcom.com
+972-50-7952406 mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com iax:guest at local.xorcom.com/tzafrir
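The failure mode described in the mail (a client that opens a TCP connection and never completes a login holds one of the daemon's file descriptors for as long as it likes) and the corresponding mitigation, a login deadline on each accepted socket, shown as an added example in Python that is neither Asterisk's code nor part of this mail. The line protocol, the names `handle` and `server_releases_idle_connection`, and the 0.2 s deadline and 1 s probe window are constructed for the demonstration; passing `login_timeout=None` reproduces the unpatched behaviour.

```python
import asyncio

async def handle(reader, writer, login_timeout):
    """Serve one connection. With a deadline, an idle client is dropped and its
    descriptor released; with login_timeout=None the server waits forever,
    which is the resource-exhaustion behaviour described above."""
    try:
        line = await asyncio.wait_for(reader.readline(), timeout=login_timeout)
    except asyncio.TimeoutError:
        line = b""  # deadline passed with no login: treat as a failed login
    if line.lower().startswith(b"action: login"):
        writer.write(b"Response: Success\r\n\r\n")
        await writer.drain()
    writer.close()
    await writer.wait_closed()

async def _probe(login_timeout, send_login):
    """Start the listener on a loopback port, connect once, and report whether
    the server closed the connection (client sees EOF) within 1 second."""
    server = await asyncio.start_server(
        lambda r, w: handle(r, w, login_timeout), "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    if send_login:
        writer.write(b"Action: Login\r\nUsername: demo\r\n\r\n")  # constructed
        await writer.drain()
    try:
        await asyncio.wait_for(reader.read(), timeout=1.0)  # read() runs to EOF
        released = True   # server gave the descriptor back
    except asyncio.TimeoutError:
        released = False  # still open after 1 s: descriptor is being held
    writer.close()
    await writer.wait_closed()
    server.close()
    await server.wait_closed()
    return released

def server_releases_idle_connection(login_timeout, send_login=False):
    """True if the server closes the probe connection within the window."""
    return asyncio.run(_probe(login_timeout, send_login))
```

Run the three cases yourself to see the difference: a deadline drops the idle client, no deadline leaves it connected, and a real login still succeeds under the deadline.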