MADYNES Security Advisory
http://madynes.loria.fr

Title: Asterisk SIP INVITE remote DoS
Release Date: 08/03/2007
Severity: High - Denial of Service
Advisory ID: KIPH1
Software: Asterisk
          http://www.asterisk.org/

Asterisk(R) is a complete IP PBX in software. It runs on a wide variety of operating systems including Linux, Mac OS X, OpenBSD, FreeBSD and Sun Solaris and provides all of the features you would expect from a PBX, including many advanced features that are often associated with high-end (and high-cost) proprietary PBXs. Asterisk(R) supports Voice over IP in many protocols, and can interoperate with almost all standards-based telephony equipment using relatively inexpensive hardware.

Affected Versions:
      Asterisk 1.2.14, 1.2.15, 1.2.16
      Asterisk 1.4.1
      probably previous versions also

Unaffected Versions: Trunk version to date (13/03/2007)

Vulnerability Synopsis: After receiving a crafted INVITE message the software terminates abruptly with a Segmentation Fault, causing a Denial of Service (DoS) of all the services provided by the entity.

Impact: A remote individual can crash the software and perform a Denial of Service (DoS) attack against all the services it provides by sending one crafted SIP INVITE message. This is conceptually similar to the "ping of death".

Resolution: The problem has been fixed in Asterisk versions 1.4.2 and 1.2.17, released today, 19/03/2007.

Vulnerability Description: After receiving a crafted message the software crashes abruptly. The message in this case is an anonymous INVITE whose SDP body contains two connection headers. The first one must be valid and the second must not be: its IP address should be invalid. The callee does not need to be a valid user or dialplan entry. Where Asterisk is configured to disallow anonymous calls, a valid user and password must be known, and the information must be crafted as above when responding to the corresponding INVITE challenge. After this crafted SIP INVITE message is received, the affected software crashes immediately.

Proof of Concept Code: available

Credits:
      Humberto J. Abdelnur (Ph.D Student)
      Radu State (Ph.D)
      Olivier Festor (Ph.D)
      This vulnerability was identified by the Madynes research team at INRIA Lorraine, using the Madynes VoIP fuzzer.
      http://madynes.loria.fr/

Disclosure Distribution:
      The advisory will be posted on the following websites:
      1) Asterisk's website
      2) http://madynes.loria.fr website

      The advisory will be posted to the following mailing lists:
      1) full-disclosure@lists.grok.org.uk
      2) voipsec@vopisa.org
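The defensive check the description above calls for, added here as an example and not the advisory's proof-of-concept or Asterisk's own parser: a validator that walks every SDP connection line of an INVITE body, not only the first, and rejects the body when any line carries an address that is not a well-formed IP literal of the stated family. It assumes the advisory's "connection headers" are SDP c= lines and uses constructed sample bodies.

```python
import ipaddress

# Constructed SDP bodies modelled on the advisory's wording, not its proof of
# concept: GOOD_SDP has one valid c= line; BAD_SDP has a valid session-level
# c= line followed by a media-level c= line that does not carry an IP address.
GOOD_SDP = "v=0\r\no=- 1 1 IN IP4 192.0.2.10\r\ns=call\r\nc=IN IP4 192.0.2.10\r\nt=0 0\r\nm=audio 8000 RTP/AVP 0\r\n"
BAD_SDP = GOOD_SDP + "c=IN IP4 not.an.address\r\n"


def connection_lines(sdp):
    """Return (section, value) for each c= line; section is 'session' or the m= line it follows."""
    section, found = "session", []
    for line in (l.strip() for l in sdp.splitlines()):
        if line.startswith("m="):
            section = line
        elif line.startswith("c="):
            found.append((section, line[2:]))
    return found


def check_connection(value):
    """Return None if value is a well-formed '<nettype> <addrtype> <address>', else a reason."""
    parts = value.split()
    if len(parts) != 3:
        return "expected 3 fields, got %d" % len(parts)
    nettype, addrtype, address = parts
    if nettype != "IN" or addrtype not in ("IP4", "IP6"):
        return "unsupported nettype/addrtype %s %s" % (nettype, addrtype)
    host = address.split("/", 1)[0]  # drop optional multicast TTL/count suffix
    try:  # RFC 4566 also allows FQDNs; this check deliberately requires a literal
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "address %r is not an IP literal" % host
    if (addrtype == "IP4") != (ip.version == 4):
        return "address %s does not match addrtype %s" % (host, addrtype)
    return None


def validate_sdp(sdp):
    """Check every c= line, not just the first; return the list of problems (empty = accept)."""
    problems = []
    for n, (section, value) in enumerate(connection_lines(sdp), 1):
        reason = check_connection(value)
        if reason:
            problems.append("c= line %d in %s: %s" % (n, section, reason))
    return problems
```

A SIP stack or an inline filter would drop the INVITE (or answer with a 4xx) whenever validate_sdp returns a non-empty list, instead of acting on the first c= line and trusting the rest.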