Asterisk Project Security Advisory - AST-2009-004 +------------------------------------------------------------------------+ | Product | Asterisk | |----------------------+-------------------------------------------------| | Summary | Remote Crash Vulnerability in RTP stack | |----------------------+-------------------------------------------------| | Nature of Advisory | Exploitable Crash | |----------------------+-------------------------------------------------| | Susceptibility | Remote unauthenticated sessions | |----------------------+-------------------------------------------------| | Severity | Critical | |----------------------+-------------------------------------------------| | Exploits Known | No | |----------------------+-------------------------------------------------| | Reported On | July 27, 2009 | |----------------------+-------------------------------------------------| | Reported By | Marcus Hunger | |----------------------+-------------------------------------------------| | Posted On | August 2, 2009 | |----------------------+-------------------------------------------------| | Last Updated On | August 2, 2009 | |----------------------+-------------------------------------------------| | Advisory Contact | Mark Michelson | |----------------------+-------------------------------------------------| | CVE Name | | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Description | An attacker can cause Asterisk to crash remotely by | | | sending malformed RTP text frames. While the attacker | | | can cause Asterisk to crash, he cannot execute arbitrary | | | remote code with this exploit. | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Resolution | Users should upgrade to a version listed in the | | | "Corrected In" section below. | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Affected Versions | |------------------------------------------------------------------------| | Product | Release Series | | |-------------------------------+----------------+-----------------------| | Asterisk Open Source | 1.2.x | Unaffected | |-------------------------------+----------------+-----------------------| | Asterisk Open Source | 1.4.x | Unaffected | |-------------------------------+----------------+-----------------------| | Asterisk Open Source | 1.6.x | All 1.6.1 versions | |-------------------------------+----------------+-----------------------| | Asterisk Addons | 1.2.x | Unaffected | |-------------------------------+----------------+-----------------------| | Asterisk Addons | 1.4.x | Unaffected | |-------------------------------+----------------+-----------------------| | Asterisk Addons | 1.6.x | Unaffected | |-------------------------------+----------------+-----------------------| | Asterisk Business Edition | A.x.x | Unaffected | |-------------------------------+----------------+-----------------------| | Asterisk Business Edition | B.x.x | Unaffected | |-------------------------------+----------------+-----------------------| | Asterisk Business Edition | C.x.x | Unaffected | |-------------------------------+----------------+-----------------------| | AsteriskNOW | 1.5 | Unaffected | |-------------------------------+----------------+-----------------------| | s800i (Asterisk Appliance) | 1.2.x | Unaffected | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Corrected In | |------------------------------------------------------------------------| | Product | Release | |---------------------------------------------+--------------------------| | Open Source Asterisk 1.6.1 | 1.6.1.2 | |---------------------------------------------+--------------------------| |---------------------------------------------+--------------------------| +------------------------------------------------------------------------+ +----------------------------------------------------------------------------+ | Patches | |----------------------------------------------------------------------------| | SVN URL |Version| |--------------------------------------------------------------------+-------| |http://downloads.digium.com/pub/security/AST-2009-004-1.6.1.diff.txt| 1.6.1 | |--------------------------------------------------------------------+-------| +----------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Links | | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Asterisk Project Security Advisories are posted at | | http://www.asterisk.org/security | | | | This document may be superseded by later versions; if so, the latest | | version will be posted at | | http://downloads.digium.com/pub/security/AST-2009-004.pdf and | | http://downloads.digium.com/pub/security/AST-2009-004.html | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Revision History | |------------------------------------------------------------------------| | Date | Editor | Revisions Made | |----------------+-----------------+-------------------------------------| | 27 Jul, 2009 | Mark Michelson | Initial Draft | |----------------+-----------------+-------------------------------------| | 31 Jul, 2009 | Mark Michelson | Added sentence about how remote | | | | code cannot be executed. | |----------------+-----------------+-------------------------------------| | August 2, 2009 | Tilghman Lesher | Public release | +------------------------------------------------------------------------+ Asterisk Project Security Advisory - AST-2009-004 Copyright (c) 2009 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.