[asterisk-announce] AST-2007-024 - Fallacious security advisory spread on the Internet involving buffer overflow in Zaptel's sethdlc application

The Asterisk Development Team security at asterisk.org
Thu Nov 8 16:02:07 CST 2007


                Asterisk Project Security Advisory - AST-2007-024

    +------------------------------------------------------------------------+
    |      Product       | Zaptel                                            |
    |--------------------+---------------------------------------------------|
    |      Summary       | Potential buffer overflow from command line       |
    |                    | application "sethdlc"                             |
    |--------------------+---------------------------------------------------|
    | Nature of Advisory | Buffer overflow                                   |
    |--------------------+---------------------------------------------------|
    |   Susceptibility   | Local sessions                                    |
    |--------------------+---------------------------------------------------|
    |      Severity      | None                                              |
    |--------------------+---------------------------------------------------|
    |   Exploits Known   | None                                              |
    |--------------------+---------------------------------------------------|
    |    Reported On     | October 31, 2007                                  |
    |--------------------+---------------------------------------------------|
    |    Reported By     | Michael Bucko <michael DOT bucko AT eleytt DOT    |
    |                    | com>                                              |
    |--------------------+---------------------------------------------------|
    |     Posted On      | October 31, 2007                                  |
    |--------------------+---------------------------------------------------|
    |  Last Updated On   | November 1, 2007                                  |
    |--------------------+---------------------------------------------------|
    |  Advisory Contact  | Mark Michelson <mmichelson AT digium DOT com>     |
    |--------------------+---------------------------------------------------|
    |      CVE Name      | CVE-2007-5690                                     |
    +------------------------------------------------------------------------+

    +------------------------------------------------------------------------+
    | Description | This advisory is a response to a false security          |
    |             | vulnerability published in several places on the         |
    |             | Internet. Had Asterisk's developers been notified prior  |
    |             | to its publication, there would be no need for this.     |
    |             |                                                          |
    |             | There is a potential for a buffer overflow in the        |
    |             | sethdlc application; however, running this application   |
    |             | requires root access to the server, which means that     |
    |             | exploiting this vulnerability gains the attacker no more |
    |             | advantage than what he already has. As such, this is a   |
    |             | bug, not a security vulnerability.                       |
    +------------------------------------------------------------------------+

    +------------------------------------------------------------------------+
    | Resolution | The copy of the user-provided argument to the buffer has  |
    |            | been limited to the length of the buffer. This fix has    |
    |            | been committed to the Zaptel 1.2 and 1.4 repositories,    |
    |            | but due to the lack of severity, new releases will not be |
    |            | immediately made.                                         |
    |            |                                                           |
    |            | While we appreciate this programming error being brought  |
    |            | to our attention, we would encourage security researchers |
    |            | to contact us prior to releasing any reports of their     |
    |            | own, both so that we can fix any vulnerability found      |
    |            | prior to the release of an announcement, as well as       |
    |            | avoiding these types of mistakes (and the potential       |
    |            | embarrassment of reporting a vulnerability that wasn't)   |
    |            | in the future.                                            |
    +------------------------------------------------------------------------+

    +------------------------------------------------------------------------+
    |                           Affected Versions                            |
    |------------------------------------------------------------------------|
    |     Product     | Release Series |                                     |
    |-----------------+----------------+-------------------------------------|
    |     Zaptel      |     1.2.x      | All versions prior to 1.2.22        |
    |-----------------+----------------+-------------------------------------|
    |     Zaptel      |     1.4.x      | All versions prior to 1.4.7         |
    +------------------------------------------------------------------------+

    +------------------------------------------------------------------------+
    |                              Corrected In                              |
    |------------------------------------------------------------------------|
    |          Product           |                  Release                  |
    |----------------------------+-------------------------------------------|
    |           Zaptel           |          1.2.22, when available           |
    |----------------------------+-------------------------------------------|
    |           Zaptel           |           1.4.7, when available           |
    |----------------------------+-------------------------------------------|
    +------------------------------------------------------------------------+

    +------------------------------------------------------------------------+
    |Links |http://archives.neohapsis.com/archives/bugtraq/2007-10/0316.html |
    +------------------------------------------------------------------------+

    +------------------------------------------------------------------------+
    | Asterisk Project Security Advisories are posted at                     |
    | http://www.asterisk.org/security.                                      |
    |                                                                        |
    | This document may be superseded by later versions; if so, the latest   |
    | version will be posted at                                              |
    | http://downloads.digium.com/pub/security/AST-2007-024.pdf and          |
    | http://downloads.digium.com/pub/security/AST-2007-024.html.            |
    +------------------------------------------------------------------------+

    +------------------------------------------------------------------------+
    |                            Revision History                            |
    |------------------------------------------------------------------------|
    |    Date    |     Editor     |              Revisions Made              |
    |------------+----------------+------------------------------------------|
    | 10/31/2007 | Mark Michelson | Initial release                          |
    |------------+----------------+------------------------------------------|
    | 10/31/2007 | Mark Michelson | Changed severity, description, and       |
    |            |                | resolution                               |
    +------------------------------------------------------------------------+

                Asterisk Project Security Advisory - AST-2007-024
               Copyright (c) 2007 Digium, Inc. All Rights Reserved.
   Permission is hereby granted to distribute and publish this advisory in its
                            original, unaltered form.



More information about the asterisk-announce mailing list