[asterisk-dev] AST-2012-008: Skinny Channel Driver Remote Crash Vulnerability

Asterisk Security Team security at asterisk.org
Tue May 29 16:55:46 CDT 2012

               Asterisk Project Security Advisory - AST-2012-008

          Product         Asterisk                                            
          Summary         Skinny Channel Driver Remote Crash Vulnerability    
     Nature of Advisory   Denial of Service                                   
       Susceptibility     Remote authenticated sessions                       
          Severity        Minor                                               
       Exploits Known     No                                                  
        Reported On       May 22, 2012                                        
        Reported By       Christoph Hebeisen                                  
         Posted On        May 29, 2012                                        
      Last Updated On     May 29, 2012                                        
      Advisory Contact    Matt Jordan < mjordan AT digium DOT com >           
          CVE Name        CVE-2012-2948                                       

    Description  As reported by Telus Labs:                                   
                 "A Null-pointer dereference has been identified in the SCCP  
                 (Skinny) channel driver of Asterisk. When an SCCP client     
                 closes its connection to the server, a pointer in a          
                 structure is set to Null. If the client was not in the       
                 on-hook state at the time the connection was closed, this    
                 pointer is later dereferenced.                               
                 A remote attacker with a valid SCCP ID can can use this      
                 vulnerability by closing a connection to the Asterisk        
                 server in certain call states (e.g. "Off hook") to crash     
                 the server. Successful exploitation of this vulnerability    
                 would result in termination of the server, causing denial    
                 of service to legitimate users."                             

    Resolution  The pointer to the device in the structure is now checked     
                before it is dereferenced in the channel event callbacks and  
                message handling functions.                                   

                               Affected Versions
                Product              Release Series  
         Asterisk Open Source            1.8.x       All Versions             
         Asterisk Open Source             10.x       All Versions             
          Certified Asterisk          1.8.11-cert    1.8.11-cert1             

                                  Corrected In
                   Product                              Release               
            Asterisk Open Source         , 10.4.1           
             Certified Asterisk                      1.8.11-cert2             

                                SVN URL                                    Revision   
http://downloads.asterisk.org/pub/security/AST-2012-008-1.8.diff         v1.8         
http://downloads.asterisk.org/pub/security/AST-2012-008-10.diff          v10          
http://downloads.asterisk.org/pub/security/AST-2012-008-1.8.11-cert.diff v1.8.11-cert 

       Links     https://issues.asterisk.org/jira/browse/ASTERISK-19905       

    Asterisk Project Security Advisories are posted at                        
    This document may be superseded by later versions; if so, the latest      
    version will be posted at                                                 
    http://downloads.digium.com/pub/security/AST-2012-008.pdf and             

                                Revision History
          Date                  Editor                 Revisions Made         
    05/25/2012         Matt Jordan               Initial Release              

               Asterisk Project Security Advisory - AST-2012-008
              Copyright (c) 2012 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

More information about the asterisk-dev mailing list