exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

AST-2008-006.txt

AST-2008-006.txt
Posted Apr 23, 2008
Authored by Javantea | Site asterisk.org

Asterisk Project Security Advisory - Javantea found multiple security issues in IAX2 including an incomplete 3-way handshake.

tags | advisory
advisories | CVE-2008-1897
SHA-256 | add784c1721895efd2acb383b937c9caa5e879556f5ec5e543e6590f319908a8

AST-2008-006.txt

Change Mirror Download
               Asterisk Project Security Advisory - AST-2008-006

+------------------------------------------------------------------------+
| Product | Asterisk |
|--------------------+---------------------------------------------------|
| Summary | 3-way handshake in IAX2 incomplete |
|--------------------+---------------------------------------------------|
| Nature of Advisory | Remote amplification attack |
|--------------------+---------------------------------------------------|
| Susceptibility | Remote unauthenticated sessions |
|--------------------+---------------------------------------------------|
| Severity | Critical |
|--------------------+---------------------------------------------------|
| Exploits Known | Yes |
|--------------------+---------------------------------------------------|
| Reported On | April 18, 2008 |
|--------------------+---------------------------------------------------|
| Reported By | Joel R. Voss aka. Javantea < jvoss AT altsci DOT |
| | com > |
|--------------------+---------------------------------------------------|
| Posted On | April 22, 2008 |
|--------------------+---------------------------------------------------|
| Last Updated On | April 22, 2008 |
|--------------------+---------------------------------------------------|
| Advisory Contact | Tilghman Lesher < tlesher AT digium DOT com > |
|--------------------+---------------------------------------------------|
| CVE Name | CVE-2008-1897 |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Description | Javantea originally reported an issue in IAX2, whereby |
| | an attacker could send a spoofed IAX2 NEW message, and |
| | Asterisk would start sending early audio to the target |
| | address, without ever receiving an initial response. |
| | That original vulnerability was addressed in June 2007, |
| | by requiring a response to the initial NEW message |
| | before starting to send any audio. |
| | |
| | Javantea subsequently found that we were doing |
| | insufficent verification of the ACK response and that |
| | the ACK response could be spoofed, just like the initial |
| | NEW message. We have addressed this failure with two |
| | changes. First, we have started to require that the ACK |
| | response contains the unique source call number that we |
| | send in our reply to the NEW message. Any ACK response |
| | that does not contain the source call number that we |
| | have created will be silently thrown away. Second, we |
| | have made the generation of our source call number a |
| | little more difficult to predict, by randomly selecting |
| | a source call number, instead of allocating them |
| | sequentially. |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Workaround | Disable remote unauthenticated IAX2 sessions, by |
| | disallowing guest access. |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Resolution | Upgrade your Asterisk installation to revision 114561 or |
| | later, or install one of the releases shown below. |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Commentary | We would like to thank Javantea for notifying us of this |
| | problem; however, we note that he posted exploit code |
| | prior to that notification, which is considered |
| | irresponsible behavior in the whitehat security industry. |
| | In the future, advance notice of any such release would |
| | be appreciated. |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Affected Versions |
|------------------------------------------------------------------------|
| Product | Release | |
| | Series | |
|-------------------------------+------------+---------------------------|
| Asterisk Open Source | 1.0.x | All versions |
|-------------------------------+------------+---------------------------|
| Asterisk Open Source | 1.2.x | All versions prior to |
| | | 1.2.28 |
|-------------------------------+------------+---------------------------|
| Asterisk Open Source | 1.4.x | All versions prior to |
| | | 1.4.20 |
|-------------------------------+------------+---------------------------|
| Asterisk Business Edition | A.x.x | All versions |
|-------------------------------+------------+---------------------------|
| Asterisk Business Edition | B.x.x | All versions prior to |
| | | B.2.5.2 |
|-------------------------------+------------+---------------------------|
| Asterisk Business Edition | C.x.x | All versions prior to |
| | | C.1.8.1 |
|-------------------------------+------------+---------------------------|
| AsteriskNOW | 1.0.x | All versions prior to |
| | | 1.0.3 |
|-------------------------------+------------+---------------------------|
| Asterisk Appliance Developer | 0.x.x | All versions |
| Kit | | |
|-------------------------------+------------+---------------------------|
| s800i (Asterisk Appliance) | 1.0.x | All versions prior to |
| | | 1.1.0.3 |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Corrected In |
|------------------------------------------------------------------------|
| Product | Release |
|---------------------------------------------+--------------------------|
| Asterisk Open Source | 1.2.28 |
|---------------------------------------------+--------------------------|
| Asterisk Open Source | 1.4.20 |
|---------------------------------------------+--------------------------|
| Asterisk Business Edition | B.2.5.2 |
|---------------------------------------------+--------------------------|
| Asterisk Business Edition | C.1.8.1 |
|---------------------------------------------+--------------------------|
| AsteriskNOW | 1.0.3 |
|---------------------------------------------+--------------------------|
| s800i (Asterisk Appliance) | 1.1.0.3 |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Links | https://www.altsci.com/concepts/page.php?s=asteri&p=2 |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://downloads.digium.com/pub/security/AST-2008-006.pdf and |
| http://downloads.digium.com/pub/security/AST-2008-006.html |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Revision History |
|------------------------------------------------------------------------|
| Date | Editor | Revisions Made |
|---------------------+----------------------+---------------------------|
| April 22, 2008 | Tilghman Lesher | Initial release |
+------------------------------------------------------------------------+

Asterisk Project Security Advisory - AST-2008-006
Copyright (c) 2008 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.

Login or Register to add favorites

File Archive:

June 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    0 Files
  • 2
    Jun 2nd
    0 Files
  • 3
    Jun 3rd
    18 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    57 Files
  • 7
    Jun 7th
    6 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    12 Files
  • 11
    Jun 11th
    27 Files
  • 12
    Jun 12th
    38 Files
  • 13
    Jun 13th
    16 Files
  • 14
    Jun 14th
    14 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    16 Files
  • 18
    Jun 18th
    26 Files
  • 19
    Jun 19th
    15 Files
  • 20
    Jun 20th
    18 Files
  • 21
    Jun 21st
    8 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close