[asterisk-bugs] [JIRA] (ASTERISK-20967) Security Vulnerability: DoS attack possible due to fix for CVE-2012-5976

Matt Jordan (JIRA) noreply at issues.asterisk.org
Wed Mar 27 16:00:02 CDT 2013 

     [ https://issues.asterisk.org/jira/browse/ASTERISK-20967?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Matt Jordan updated ASTERISK-20967:
-----------------------------------

    Target Release Version/s: 1.8.20.2
                              10.12.2
                              10.12.2-digiumphones
                              11.2.2
    
> Security Vulnerability: DoS attack possible due to fix for CVE-2012-5976
> ------------------------------------------------------------------------
>
>                 Key: ASTERISK-20967
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-20967
>             Project: Asterisk
>          Issue Type: Bug
>          Components: Channels/chan_sip/TCP-TLS
>    Affects Versions: 1.8.19.1, 1.8.20.0, 10.11.1, 10.11.1-digiumphones, 10.12.0, 10.12.0-digiumphones, 11.1.2, 11.2.0
>            Reporter: Matt Jordan
>      Target Release: 1.8.20.2, 10.12.2, 10.12.2-digiumphones, 11.2.2
>
>         Attachments: AST-2013-002-10.diff, AST-2013-002-11.diff, AST-2013-002-1.8.diff, issueA20967_file_leak_and_unused_wkspace.patch
>
>
> {quote}
> When researching CVE-2012-5976 in HTTP, I came across a DoS possible on the patched versions of Asterisk.  It is based on the user-controlled malloc(), which replaced the alloca() in http.c.  An attacker can use the Content-length: header to control the amount of heap allocated and exhaust the memory available to Asterisk.
> I have attached our disclosure and a PoC for your convenience.  The PoC uses a number of concurrent connections but with a bit more effort could probably use a probing scheme and then get away with one or very few connections.  Also, note that filling up the memory is not necessary to effect a temporary DoS i.e. an attack would be possible over a low-bandwidth connection.  The PoC does fill the buffer to demonstrate that the server process will be terminated by the OS in this case.
> Christoph Hebeisen
> {quote}

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.asterisk.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the asterisk-bugs mailing list