Summary: | net-misc/asterisk two new remote SIP DoS (CVE-2007-15(61|94)) | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
Product: | Gentoo Security | Reporter: | Sune Kloppenborg Jeppesen (RETIRED) <jaervosz> | ||||||||
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> | ||||||||
Status: | RESOLVED FIXED | ||||||||||
Severity: | minor | CC: | bernd, chainsaw, gentoo-bugzilla, gentoo, sgtphou, voip+disabled | ||||||||
Priority: | High | ||||||||||
Version: | unspecified | ||||||||||
Hardware: | All | ||||||||||
OS: | Linux | ||||||||||
URL: | http://archives.neohapsis.com/archives/fulldisclosure/2007-03/0253.html | ||||||||||
Whiteboard: | B3 [glsa] jaervosz | ||||||||||
Package list: | Runtime testing required: | --- | |||||||||
Attachments: |
|
Description
Sune Kloppenborg Jeppesen (RETIRED)
2007-03-19 18:27:53 UTC
patch in asterisk trunk: http://svn.digium.com/view/asterisk/trunk/channels/chan_sip.c?r1=58907&r2=59038 asterisk 1.0.12 is also vulnerable but not supported upstream. i will patch in our cvs shortly. net-misc/asterisk-1.0.12-r2 with ported patch in cvs as ~x86 and ~ppc. x86 team: please test and mark stable (or drop me an email and i will do it). older 1.0.12 version is ~ppc also so nothing to be done there. asterisk-1.2.x still to be patched. I just applied the patch from comment#1 to a clean 1.2.16 and 1.4.1, it did not change anything. Asterisk still keeps crashing upon reception of such a hand crafted INVITE. I can't imagine how this patch should affect the behavior, because as I see it (with my small knowledge of C), code is inserted at a position where replies are handled. The bug must be somwhere in the process_sdp function, not in the handle_request function. Created attachment 113848 [details, diff] Patch for chan_sip to avoid crashing Further reading of the svn changelog brought me to this diff: http://svn.digium.com/view/asterisk/trunk/channels/chan_sip.c?r1=58241&r2=58592 That seems to work here. After applying the patch Asterisk returns 488 instead of crashing. I'll attach patches for asterisk 1.2.16 and 1.4.1 here. The 1.2.16 vanilla patch should work for the 1.2.14 gentoo version, too. Created attachment 113849 [details, diff]
Patch for chan_sip of Asterisk 1.4.1 to avoid crashing
Created attachment 113851 [details, diff]
chan_sip Patch for Asterisk 1.4.1
Sorry, wrong patch format first...
Add the patch posted in comment#1, too, because this prevents asterisk from crashing when receiving a return code 0. So different problem, but better to have a fix for it, too. :) asterisk-1.2.14-r2 in, tested on my hardened x86 server and sparc stable. x86 done :) Thx everyone. This one is ready for GLSA. GLSA drafted and ready for review. Note that upstream has still not released a fixed version. Sorry for the spam. New upstream version is available for download. Unfortunately it seems without much information about the DoS and still no official announcement. comment #4 is correct. hang on to the glsa for a bit until i can check 1.0.12 for that patch as well. Back to ebuild status waiting a fixed ebuild for 1.0.x. i looked through the asterisk 1.0.12 source. the call to ast_gethostbyname in process_sdp is properly checked upon return. the patch to 1.2/1.4 <http://svn.digium.com/view/asterisk/trunk/channels/chan_sip.c?r1=58241&r2=58592> adds returns in process_sdp if ast_gethostbyname fails. looks like the additional, unchecked calls to ast_gethostbyname were added to chan_sip.c in 1.2. so asterisk 1.0.12 is not vulnerable to the bug described above since it does not have the code to handle additional media types. however i did patch it for <http://bugs.digium.com/view.php?id=9313> in asterisk-1.0.12-r2, but this is just a precaution. i tried to get it to crash without the fix but could not. for the glsa, there is no need to list the 1.0.x branch. but please do note in the GLSA that there are two remote SIP DoS vulnerabilities in 1.2.x (and 1.4.x), <http://bugs.digium.com/view.php?id=9313> and <http://voipsa.org/pipermail/voipsec_voipsa.org/2007-March/002275.html>. Thx for the info Rajiv. I've updated the GLSA draft to reflect that this appears only to affected 1.2+. Security please review. The SIP return code 0 issue is described here: http://bugs.digium.com/view.php?id=9313 CVEs assigned: The SDP issue: CVE-2007-1561. The return code 0 issue: CVE-2007-1594 I'm resetting to ebuild status as the return code 0 issues seems to be still open. VOIP please advise. (In reply to comment #19) > The SDP issue: CVE-2007-1561. > The return code 0 issue: CVE-2007-1594 gustavoz patched both of these in asterisk-1.2.14-r2. asterisk-1.0.12-r2 is not vulnerable to the first and i patched it for the second. i say ready for GLSA. voip, upstream bug 9313 is still open, do we have the complete fix and is ready for GLSA release? Looks like the patch from comment#1 did not work as expected. I don't have a test environment usable for testing this issue. I guess, this problem shouldn't be mentioned in the GLSA. The double sdp vulnerability is fixed, though. upstream bug is now closed, so i think this is ready for GLSA. Setting to [glsa] status. Thx everyone. GLSA 200704-01 |