[asterisk-dev] AST-2011-003:
Tzafrir Cohen
tzafrir.cohen at xorcom.com
Fri Mar 18 15:04:01 CDT 2011
On Wed, Mar 16, 2011 at 05:50:30PM -0500, Asterisk Security Team wrote:
> Product Asterisk
> Summary Resource exhaustion in Asterisk Manager Interface
> Nature of Advisory Denial of Service
> Susceptibility Remote Unauthenticated Sessions if manager interface is
> accessible
> Severity Moderate
> Exploits Known No
> Reported On March 1, 2011
> Reported By Blake Cornell <blake at remoteorigin.com>
> Posted On March 16, 2011
> Last Updated On March 14, 2011
> Advisory Contact Terry Wilson <twilson at digium.com>
>
>
>
> Description Rapidly opening manager connections, sending invalid data, and
> closing the connection can cause Asterisk to exhaust available
> CPU and memory resources. The manager interface is disabled by
> default.
>
>
>
> Resolution Failed writes to manager clients are flagged and the connection
> closed.
>
>
>
> Affected Versions
> Product Release Series
> Asterisk Open Source 1.6.1.x All versions
> Asterisk Open Source 1.6.2.x All versions
> Asterisk Open Source 1.8.x All versions
What about 1.4?
I'm looking at the code there, and it seems that the same loop is
basically there.
--
Tzafrir Cohen
icq#16849755 jabber:tzafrir.cohen at xorcom.com
+972-50-7952406 mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com iax:guest at local.xorcom.com/tzafrir
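The resolution quoted in the advisory above (a failed write to a manager client is flagged and the connection closed), shown as an added C example that is not part of the original post and not Asterisk's code. The names `session`, `session_send`, `serve` and `demo`, and the reply string, are hypothetical; the client is simulated with a socketpair.

```c
/* Added illustration; not Asterisk source. All names are hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>
struct session { int fd; int write_error; /* set once a client write fails */ };

/* Send the whole buffer; on a hard failure flag the session and give up. */
static int session_send(struct session *s, const char *buf, size_t len)
{
    if (s->write_error) return -1;          /* never retry a dead client */
    while (len > 0) {
        ssize_t n = send(s->fd, buf, len, MSG_NOSIGNAL); /* no SIGPIPE */
        if (n < 0 && errno == EINTR) continue;
        if (n < 0) { s->write_error = 1; return -1; }
        buf += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Queue up to max_replies replies; returns how many sends were attempted. */
static int serve(struct session *s, int max_replies)
{
    static const char msg[] = "Response: Error\r\n\r\n"; /* constructed reply */
    int attempts = 0;
    while (attempts < max_replies) {
        attempts++;
        if (session_send(s, msg, sizeof msg - 1) < 0) break; /* flagged: stop */
    }
    if (s->write_error) { close(s->fd); s->fd = -1; }   /* tear session down */
    return attempts;
}

/* Constructed scenario on a socketpair; client_gone=1 closes the peer first. */
static int demo(int client_gone, int max_replies, int *flagged)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    if (client_gone) close(sv[1]);
    struct session s = { sv[0], 0 };
    int attempts = serve(&s, max_replies);
    *flagged = s.write_error;
    if (!client_gone) close(sv[1]);
    if (s.fd >= 0) close(s.fd);
    return attempts;
}
int main(void) { int f; int a = demo(1, 1000, &f); printf("attempts=%d flagged=%d\n", a, f); return 0; }
```

With the client already gone, the loop stops after the first failed send instead of working through all 1000 replies.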