[asterisk-users] ASA-2007-013: IAX2 users can cause
unauthorizeddata disclosure
Dovid B
asteriskusers at dovid.net
Sat May 5 20:58:07 MST 2007
Has 1.2.19 been released ?
----- Original Message -----
From: "Kevin P. Fleming" <kpfleming at digium.com>
To: <undisclosed-recipients:>
Sent: Friday, May 04, 2007 12:20 PM
Subject: [asterisk-users] ASA-2007-013: IAX2 users can cause
unauthorizeddata disclosure
>> Asterisk Project Security Advisory - ASA-2007-013
>>
>>
>> +----------------------------------------------------------------------------------+
>> | Product | Asterisk
>> |
>>
>> |----------------------+-----------------------------------------------------------|
>> | Summary | IAX2 users can cause unauthorized data
>> disclosure |
>>
>> |----------------------+-----------------------------------------------------------|
>> | Nature of Advisory | Unauthorized information disclosure
>> |
>>
>> |----------------------+-----------------------------------------------------------|
>> | Susceptibility | Remote authenticated sessions
>> |
>>
>> |----------------------+-----------------------------------------------------------|
>> | Severity | Low
>> |
>>
>> |----------------------+-----------------------------------------------------------|
>> | Exploits Known | No
>> |
>>
>> |----------------------+-----------------------------------------------------------|
>> | Reported On | April 27, 2007
>> |
>>
>> |----------------------+-----------------------------------------------------------|
>> | Reported By | Tim Panton, Mexuar, <tim at mexuar.com>
>> |
>> | |
>> |
>> | | Birgit Arkesteijn, Westhawk,
>> <birgit at westhawk.co.uk> |
>>
>> |----------------------+-----------------------------------------------------------|
>> | Posted On | May 4, 2007
>> |
>>
>> |----------------------+-----------------------------------------------------------|
>> | Last Updated On | May 4, 2007
>> |
>>
>> |----------------------+-----------------------------------------------------------|
>> | Advisory Contact | kpfleming at digium.com
>> |
>>
>> |----------------------+-----------------------------------------------------------|
>> | CVE Name | CVE-2007-2488
>> |
>>
>> +----------------------------------------------------------------------------------+
>>
>>
>> +----------------------------------------------------------------------------------+
>> | Description | > From: Tim Panton <tim at mexuar.com>
>> |
>> | |
>> |
>> | | > Date: 27 April 2007 08:02:36 BDT
>> |
>> | |
>> |
>> | | > To: "Kevin P. Fleming" <kpfleming at digium.com>
>> |
>> | |
>> |
>> | | > Subject: Possible IAX2 vulnerability (Minor)
>> |
>> | |
>> |
>> | | >
>> |
>> | |
>> |
>> | | > We've stumbled on a bug in the way Asterisk's IAX2
>> handles text |
>> | |
>> |
>> | | > frames.
>> |
>> | |
>> |
>> | | > I'm emailing you because it is a borderline security
>> |
>> | | vulnerability,
>> |
>> | |
>> |
>> | | > and my
>> |
>> | |
>> |
>> | | > friends in the security world tell me that I should
>> notify the |
>> | |
>> |
>> | | > vendor privately
>> |
>> | |
>> |
>> | | > first. If you feel it isn't a security issue, let me
>> know and |
>> | | I'll
>> |
>> | |
>> |
>> | | > put it in mantis.
>> |
>> | |
>> |
>> | | >
>> |
>> | |
>> |
>> | | > chan_iax2 assumes that the content of a text frame
>> is a null |
>> | |
>> |
>> | | > terminated
>> |
>> | |
>> |
>> | | > string (C style), and when time comes to forward the
>> string it |
>> | | uses
>> |
>> | |
>> |
>> | | > strlen
>> |
>> | |
>> |
>> | | > to determine the message length.
>> |
>> | |
>> |
>> | | >
>> |
>> | |
>> |
>> | | > If you send a frame without a 0 byte in it, Asterisk
>> forwards a |
>> | |
>> |
>> | | > frame that
>> |
>> | |
>> |
>> | | > includes the sent data and some extra (presumably
>> heap) data. |
>> | |
>> |
>> | | >
>> |
>> | |
>> |
>> | | > If an attacker were lucky, the extra data could
>> contain |
>> | | something
>> |
>> | |
>> |
>> | | > interesting.
>> |
>> | |
>> |
>> | | > Or conceivably it could cause a segmentation
>> violation. |
>>
>> +----------------------------------------------------------------------------------+
>>
>>
>> +----------------------------------------------------------------------------------+
>> | Resolution | Asterisk code has been modified to enforce
>> null-termination of |
>> | | incoming text frames received by the IAX2 channel
>> driver |
>> | | (chan_iax2). When text frames are received without
>> |
>> | | null-termination, this may result in the last byte of
>> data in the |
>> | | frame being lost, if the IAX2 reception process does
>> not have space |
>> | | in its receive buffer to add a null character.
>> |
>> | |
>> |
>> | | As this vulnerability is of 'low' severity, it does not
>> justify new |
>> | | releases of Asterisk solely for mitigating its impact.
>> The fix for |
>> | | this vulnerability has been committed to the Asterisk
>> Subversion |
>> | | source code repositories and is available to all users
>> who wish to |
>> | | upgrade to a prerelease checkout of the respective
>> development |
>> | | branch for their release series of Asterisk. All other
>> users can |
>> | | upgrade when the next regularly scheduled release of
>> their product |
>> | | is produced.
>> |
>>
>> +----------------------------------------------------------------------------------+
>>
>>
>> +----------------------------------------------------------------------------------+
>> | Affected Versions
>> |
>>
>> |----------------------------------------------------------------------------------|
>> | Product | Release |
>> |
>> | | Series |
>> |
>>
>> |----------------------------------+-------------+---------------------------------|
>> | Asterisk Open Source | 1.0.x | has not been
>> evaluated as this |
>> | | | release series is
>> no longer |
>> | | | maintained
>> |
>>
>> |----------------------------------+-------------+---------------------------------|
>> | Asterisk Open Source | 1.2.x | all releases prior
>> to 1.2.19 |
>>
>> |----------------------------------+-------------+---------------------------------|
>> | Asterisk Open Source | 1.4.x | all releases prior
>> to 1.4.4 |
>>
>> |----------------------------------+-------------+---------------------------------|
>> | Asterisk Business Edition | A.x.x | all releases
>> |
>>
>> |----------------------------------+-------------+---------------------------------|
>> | Asterisk Business Edition | B.x.x | all releases prior
>> to B.2.1 |
>>
>> |----------------------------------+-------------+---------------------------------|
>> | AsteriskNOW | pre-release | all releases prior
>> to and |
>> | | | including Beta 5
>> |
>>
>> |----------------------------------+-------------+---------------------------------|
>> | Asterisk Appliance Developer Kit | 0.x.x | all releases prior
>> to 0.4.1 |
>>
>> +----------------------------------------------------------------------------------+
>>
>>
>> +----------------------------------------------------------------------------------+
>> | Corrected In
>> |
>>
>> |----------------------------------------------------------------------------------|
>> | Product | Release
>> |
>>
>> |----------------------+-----------------------------------------------------------|
>> | Asterisk Open Source | 1.2.19 and 1.4.4 will be available
>> from |
>> | | ftp://ftp.digium.com/pub/telephony/asterisk
>> when released |
>>
>> |----------------------+-----------------------------------------------------------|
>> | Asterisk Business | B.2.1, will be available from the Asterisk
>> Business |
>> | Edition | Edition user portal on
>> http://www.digium.com or via |
>> | | Digium Technical Support when
>> released |
>>
>> |----------------------+-----------------------------------------------------------|
>> | AsteriskNOW | Beta 6, when available from
>> http://www.asterisknow.org, |
>> | | Beta 5 users can use 'System Update' in the
>> appliance |
>> | | control panel to update their version of
>> AsteriskNOW when |
>> | | Asterisk 1.4.4 has been released
>> |
>>
>> |----------------------+-----------------------------------------------------------|
>> | Asterisk Appliance | 0.4.1, will be available from
>> |
>> | Developer Kit | ftp://ftp.digium.com/pub/telephony/aadk
>> when released |
>>
>> +----------------------------------------------------------------------------------+
>>
>>
>> +----------------------------------------------------------------------------------+
>> | Links | http://bugs.digium.com/view.php?id=9638
>> |
>>
>> +----------------------------------------------------------------------------------+
>>
>>
>> +----------------------------------------------------------------------------------+
>> | Asterisk Project Security Advisories are posted at
>> |
>> | http://www.asterisk.org/security.
>> |
>> |
>> |
>> | This document may be superseded by later versions; if so, the latest
>> version |
>> | will be posted at http://ftp.digium.com/pub/asa/ASA-2007-013.pdf.
>> |
>>
>> +----------------------------------------------------------------------------------+
>>
>>
>> +----------------------------------------------------------------------------------+
>> | Revision History
>> |
>>
>> |----------------------------------------------------------------------------------|
>> | Date | Editor | Revisions
>> Made |
>>
>> |-------------------+-----------------------------+--------------------------------|
>> | May 4, 2007 | kpfleming at digium.com | initial release
>> |
>>
>> +----------------------------------------------------------------------------------+
>>
>> Asterisk Project Security Advisory - ASA-2007-013
>> Copyright (c) 2007 Digium, Inc. All Rights Reserved.
>> Permission is hereby granted to distribute and publish this advisory in
>> its original,
>> unaltered form.
> _______________________________________________
> --Bandwidth and Colocation provided by Easynews.com --
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
> http://lists.digium.com/mailman/listinfo/asterisk-users
>
More information about the asterisk-users
mailing list