[asterisk-security] AST-2012-001: SRTP Video Remote Crash Vulnerability

Asterisk Security Team security at asterisk.org
Thu Jan 19 17:40:00 CST 2012


               Asterisk Project Security Advisory - AST-2012-001

   +------------------------------------------------------------------------+
   |       Product        | Asterisk                                        |
   |----------------------+-------------------------------------------------|
   |       Summary        | SRTP Video Remote Crash Vulnerability           |
   |----------------------+-------------------------------------------------|
   |  Nature of Advisory  | Denial of Service                               |
   |----------------------+-------------------------------------------------|
   |    Susceptibility    | Remote unauthenticated sessions                 |
   |----------------------+-------------------------------------------------|
   |       Severity       | Moderate                                        |
   |----------------------+-------------------------------------------------|
   |    Exploits Known    | No                                              |
   |----------------------+-------------------------------------------------|
   |     Reported On      | 2012-01-15                                      |
   |----------------------+-------------------------------------------------|
   |     Reported By      | Catalin Sanda                                   |
   |----------------------+-------------------------------------------------|
   |      Posted On       | 2012-01-19                                      |
   |----------------------+-------------------------------------------------|
   |   Last Updated On    | January 19, 2012                                |
   |----------------------+-------------------------------------------------|
   |   Advisory Contact   | Joshua Colp < jcolp AT digium DOT com >         |
   |----------------------+-------------------------------------------------|
   |       CVE Name       |                                                 |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Description | An attacker attempting to negotiate a secure video       |
   |             | stream can crash Asterisk if video support has not been  |
   |             | enabled and the res_srtp Asterisk module is loaded.      |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Resolution | Upgrade to one of the versions of Asterisk listed in the  |
   |            | "Corrected In" section, or apply a patch specified in the |
   |            | "Patches" section.                                        |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |            Product            | Release Series |                       |
   |-------------------------------+----------------+-----------------------|
   |     Asterisk Open Source      |     1.8.x      | All versions          |
   |-------------------------------+----------------+-----------------------|
   |     Asterisk Open Source      |      10.x      | All versions          |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                              Corrected In                              |
   |------------------------------------------------------------------------|
   |                 Product                  |           Release           |
   |------------------------------------------+-----------------------------|
   |           Asterisk Open Source           |           1.8.8.2           |
   |------------------------------------------+-----------------------------|
   |           Asterisk Open Source           |           10.0.1            |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                                Patches                                 |
   |------------------------------------------------------------------------|
   |                             SVN URL                             |Branch|
   |-----------------------------------------------------------------+------|
   |http://downloads.asterisk.org/pub/security/AST-2012-001-1.8.diff |v1.8  |
   |-----------------------------------------------------------------+------|
   |http://downloads.asterisk.org/pub/security/AST-2012-001-10.diff  |v10   |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |   Links   | https://issues.asterisk.org/jira/browse/ASTERISK-19202     |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Asterisk Project Security Advisories are posted at                     |
   | http://www.asterisk.org/security                                       |
   |                                                                        |
   | This document may be superseded by later versions; if so, the latest   |
   | version will be posted at                                              |
   | http://downloads.digium.com/pub/security/AST-2012-001.pdf and          |
   | http://downloads.digium.com/pub/security/AST-2012-001.html             |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                            Revision History                            |
   |------------------------------------------------------------------------|
   |      Date       |       Editor       |         Revisions Made          |
   |-----------------+--------------------+---------------------------------|
   | 12-01-19        | Joshua Colp        | Initial release                 |
   +------------------------------------------------------------------------+

               Asterisk Project Security Advisory - AST-2012-001
              Copyright (c) 2012 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.





More information about the asterisk-security mailing list