Asterisk Project Security Advisory - AST-2012-005 Product Asterisk Summary Heap Buffer Overflow in Skinny Channel Driver Nature of Advisory Exploitable Heap Buffer Overflow Susceptibility Remote Authenticated Sessions Severity Minor Exploits Known No Reported On March 26, 2012 Reported By Russell Bryant Posted On April 23, 2012 Last Updated On April 23, 2012 Advisory Contact Matt Jordan < mjordan AT digium DOT com > CVE Name Description In the Skinny channel driver, KEYPAD_BUTTON_MESSAGE events are queued for processing in a buffer allocated on the heap, where each DTMF value that is received is placed on the end of the buffer. Since the length of the buffer is never checked, an attacker could send sufficient KEYPAD_BUTTON_MESSAGE events such that the buffer is overrun. Resolution The length of the buffer is now checked before appending a value to the end of the buffer. Affected Versions Product Release Series Asterisk Open Source 1.6.2.x All Versions Asterisk Open Source 1.8.x All Versions Asterisk Open Source 10.x All Versions Corrected In Product Release Asterisk Open Source 1.6.2.24, 1.8.11.1, 10.3.1 Patches SVN URL Revision http://downloads.asterisk.org/pub/security/AST-2012-005-1.6.2.diff v1.6.2 http://downloads.asterisk.org/pub/security/AST-2012-005-1.8.diff v1.8 http://downloads.asterisk.org/pub/security/AST-2012-005-10.diff v10 Links https://issues.asterisk.org/jira/browse/ASTERISK-19592 Asterisk Project Security Advisories are posted at http://www.asterisk.org/security This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2012-005.pdf and http://downloads.digium.com/pub/security/AST-2012-005.html Revision History Date Editor Revisions Made 04/16/2012 Matt Jordan Initial Release Asterisk Project Security Advisory - AST-2012-005 Copyright (c) 2012 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.