[asterisk-users] AST-2011-005: File Descriptor Resource Exhaustion

Asterisk Security Team security at asterisk.org
Thu Apr 21 16:40:25 CDT 2011


               Asterisk Project Security Advisory - AST-2011-005

        Product       Asterisk                                                
        Summary       File Descriptor Resource Exhaustion                     
   Nature of Advisory Denial of Service                                       
     Susceptibility   Remote Unauthenticated TCP Based Sessions (TCP SIP,     
                      Skinny, Asterisk Manager Interface, and HTTP sessions)  
        Severity      Moderate                                                
     Exploits Known   Yes                                                     
      Reported On     March 18, 2011                                          
      Reported By     Tzafrir Cohen < tzafrir.cohen AT xorcom DOT com >       
       Posted On      April 21, 2011                                          
    Last Updated On   April 21, 2011                                          
    Advisory Contact  Matthew Nicholson <mnicholson at digium.com>               
        CVE Name      CVE-2011-1507                                           

   Description On systems that have the Asterisk Manager Interface, Skinny,   
               SIP over TCP, or the built in HTTP server enabled, it is       
               possible for an attacker to open as many connections to        
               asterisk as he wishes. This will cause Asterisk to run out of  
               available file descriptors and stop processing any new calls.  
               Additionally, disk space can be exhausted as Asterisk logs     
               failures to open new file descriptors.                         

   Resolution Asterisk can now limit the number of unauthenticated            
              connections to each vulnerable interface and can also limit the 
              time unauthenticated clients will remain connected for some     
              interfaces. This will prevent vulnerable interfaces from using  
              up all available file descriptors. Care should be taken when    
              setting the connection limits so that the combined total of     
              allowed unauthenticated sessions from each service is not more  
              than the file descriptor limit for the Asterisk process. The    
              file descriptor limit can be checked (and set) using the        
              "ulimit -n" command for the process' limit and the              
              "/proc/sys/fs/file-max" file (on Linux) for the system's limit. 
                                                                              
              It will still be possible for an attacker to deny service to    
              each of the vulnerable services individually. To mitigate this  
              risk, vulnerable services should be run behind a firewall that  
              can detect and prevent DoS attacks.                             
                                                                              
              In addition to using a firewall to filter traffic, vulnerable   
              systems can be protected by disabling the vulnerable services   
              in their respective configuration files.                        

                               Affected Versions
                Product              Release Series 
         Asterisk Open Source            1.4.x      All versions              
         Asterisk Open Source           1.6.1.x     All versions              
         Asterisk Open Source           1.6.2.x     All versions              
         Asterisk Open Source            1.8.x      All versions              
       Asterisk Business Edition         C.x.x      All versions              

                                  Corrected In
              Product                               Release                   
        Asterisk Open Source        1.4.40.1, 1.6.1.25, 1.6.2.17.3, 1.8.3.3   
     Asterisk Business Edition                      C.3.6.4                   

                                    Patches                            
                                   URL                                 Branch 
   http://downloads.asterisk.org/pub/security/AST-2011-005-1.4.diff    1.4    
   http://downloads.asterisk.org/pub/security/AST-2011-005-1.6.1.diff  1.6.1  
   http://downloads.asterisk.org/pub/security/AST-2011-005-1.6.2.diff  1.6.2  
   http://downloads.asterisk.org/pub/security/AST-2011-005-1.8.diff    1.8    

   Asterisk Project Security Advisories are posted at                         
   http://www.asterisk.org/security                                           
                                                                              
   This document may be superseded by later versions; if so, the latest       
   version will be posted at                                                  
   http://downloads.digium.com/pub/security/AST-2011-005.pdf and              
   http://downloads.digium.com/pub/security/AST-2011-005.html                 

                                Revision History
          Date                 Editor                  Revisions Made         
   04/21/11           Matthew Nicholson        Initial version                

               Asterisk Project Security Advisory - AST-2011-005
              Copyright (c) 2011 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.




More information about the asterisk-users mailing list