Bug 232696 (CVE-2008-3264)

Summary: net-misc/asterisk < 1.2.31.1 IAX2 provisioning traffic amplification (CVE-2008-3264)
Product: Gentoo Security
Reporter: Rajiv Aaron Manglani (RETIRED) <rajiv>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: rentorbuy, voip+disabled
Priority: Low
Version: unspecified
Hardware: All
OS: Linux
URL: http://lists.digium.com/pipermail/asterisk-announce/2008-July/000160.html
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 218966
Bug Blocks:
Attachments:
  net-misc/asterisk-1.2.30.ebuild diff (flags: none)
  FILESDIR asterisk-1.2-ilbc.diff (flags: none)

Description Rajiv Aaron Manglani (RETIRED) gentoo-dev 2008-07-22 23:26:32 UTC
Asterisk Project Security Advisory - AST-2008-011

   +------------------------------------------------------------------------+
   |      Product       | Asterisk                                          |
   |--------------------+---------------------------------------------------|
   |      Summary       | Traffic amplification in IAX2 firmware            |
   |                    | provisioning system                               |
   |--------------------+---------------------------------------------------|
   | Nature of Advisory | Traffic amplification attack                      |
   |--------------------+---------------------------------------------------|
   |   Susceptibility   | Remote unauthenticated sessions                   |
   |--------------------+---------------------------------------------------|
   |      Severity      | Critical                                          |
   |--------------------+---------------------------------------------------|
   |   Exploits Known   | No                                                |
   |--------------------+---------------------------------------------------|
   |    Reported On     | July 18, 2008                                     |
   |--------------------+---------------------------------------------------|
   |    Reported By     | Tilghman Lesher < tlesher AT digium DOT com >     |
   |--------------------+---------------------------------------------------|
   |     Posted On      | July 22, 2008                                     |
   |--------------------+---------------------------------------------------|
   |  Last Updated On   | July 22, 2008                                     |
   |--------------------+---------------------------------------------------|
   |  Advisory Contact  | Tilghman Lesher < tlesher AT digium DOT com >     |
   |--------------------+---------------------------------------------------|
   |      CVE Name      | CVE-2008-3264                                     |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Description | An attacker may request an Asterisk server to send part  |
   |             | of a firmware image. However, as this firmware download  |
   |             | protocol does not initiate a handshake, the source       |
   |             | address may be spoofed. Therefore, an IAX2 FWDOWNL       |
   |             | request for a firmware file may consume as little as 40  |
   |             | bytes, yet produces a 1040 byte response. Coupled with   |
   |             | multiple geographically diverse Asterisk servers, an     |
   |             | attacker may flood a victim site with unwanted firmware  |
   |             | packets.                                                 |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Workaround | The only device which used this firmware upgrade          |
   |            | procedure was the IAXy ATA device, and the last firmware  |
   |            | upgrade was more than 18 months ago. It is unlikely that  |
   |            | any IAXy devices in use today still need the last         |
   |            | firmware upgrade. Therefore, deleting the firmware image  |
   |            | from the directory where it is served from and sending a  |
   |            | reload event to the Asterisk server is sufficient to      |
   |            | purge the firmware image from the Asterisk server's       |
   |            | memory. An Asterisk server which is unable to serve out   |
   |            | the requested firmware image will reply to any such       |
   |            | request with a much smaller REJECT packet, which is       |
   |            | smaller than even the FWDOWNL packet.                     |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Resolution | This firmware download procedure has been disabled by     |
   |            | default in Asterisk. If you should still need to upgrade  |
   |            | IAXys in the field, there is an option 'allowfwdownload'  |
   |            | which can be enabled. However, due to the reasons         |
   |            | specified in the Workaround section, it is recommended    |
   |            | that you leave this option disabled and enable it only on |
   |            | secure internal networks when an IAXy is initially        |
   |            | provisioned.                                              |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |             Product              |   Release   |                       |
   |                                  |   Series    |                       |
   |----------------------------------+-------------+-----------------------|
   |       Asterisk Open Source       |    1.0.x    | All versions          |
   |----------------------------------+-------------+-----------------------|
   |       Asterisk Open Source       |    1.2.x    | All versions prior to |
   |                                  |             | 1.2.30                |
   |----------------------------------+-------------+-----------------------|
   |       Asterisk Open Source       |    1.4.x    | All versions prior to |
   |                                  |             | 1.4.21.2              |
   |----------------------------------+-------------+-----------------------|
   |         Asterisk Addons          |    1.2.x    | Not affected          |
   |----------------------------------+-------------+-----------------------|
   |         Asterisk Addons          |    1.4.x    | Not affected          |
   |----------------------------------+-------------+-----------------------|
   |    Asterisk Business Edition     |    A.x.x    | All versions          |
   |----------------------------------+-------------+-----------------------|
   |    Asterisk Business Edition     |    B.x.x    | All versions prior to |
   |                                  |             | B.2.5.4               |
   |----------------------------------+-------------+-----------------------|
   |    Asterisk Business Edition     |    C.x.x    | All versions prior to |
   |                                  |             | C.1.10.3              |
   |----------------------------------+-------------+-----------------------|
   |           AsteriskNOW            | pre-release | All versions          |
   |----------------------------------+-------------+-----------------------|
   | Asterisk Appliance Developer Kit |    0.x.x    | All versions          |
   |----------------------------------+-------------+-----------------------|
   |    s800i (Asterisk Appliance)    |    1.0.x    | All versions prior to |
   |                                  |             | 1.2.0.1               |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                              Corrected In                              |
   |------------------------------------------------------------------------|
   |                   Product                   |         Release          |
   |---------------------------------------------+--------------------------|
   |            Asterisk Open Source             |          1.2.30          |
   |---------------------------------------------+--------------------------|
   |            Asterisk Open Source             |         1.4.21.2         |
   |---------------------------------------------+--------------------------|
   |          Asterisk Business Edition          |         B.2.5.4          |
   |---------------------------------------------+--------------------------|
   |          Asterisk Business Edition          |         C.1.10.3         |
   |---------------------------------------------+--------------------------|
   |          Asterisk Business Edition          |         C.2.0.3          |
   |---------------------------------------------+--------------------------|
   |         s800i (Asterisk Appliance)          |         1.2.0.1          |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |        Links        |                                                  |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Asterisk Project Security Advisories are posted at                     |
   | http://www.asterisk.org/security                                       |
   |                                                                        |
   | This document may be superseded by later versions; if so, the latest   |
   | version will be posted at                                              |
   | http://downloads.digium.com/pub/security/AST-2008-011.pdf and          |
   | http://downloads.digium.com/pub/security/AST-2008-011.html             |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                            Revision History                            |
   |------------------------------------------------------------------------|
   |      Date       |       Editor       |         Revisions Made          |
   |-----------------+--------------------+---------------------------------|
   | July 22, 2008   | Tilghman Lesher    | Initial release                 |
   |-----------------+--------------------+---------------------------------|
   | July 22, 2008   | Tilghman Lesher    | Revised C.1 version numbers     |
   +------------------------------------------------------------------------+

               Asterisk Project Security Advisory - AST-2008-011
              Copyright (c) 2008 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.
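The advisory above gives the two numbers that make this an amplification vector (a 40-byte FWDOWNL request, a 1040-byte reply, no handshake to stop source spoofing) and notes that a server without the image answers with a smaller REJECT instead. The following Python snippet is an added defender-side check, not part of the advisory or of the Gentoo bug: it classifies IAX2 full frames from a capture taken on the Asterisk host and flags peers that receive far more FWDATA bytes than the FWDOWNL bytes attributed to them, which is what a spoofed victim address looks like. The frame-type and subclass values come from RFC 5456 (they are not on the page); the IP addresses and packets are constructed fixtures.

```python
import struct
from collections import defaultdict

AST_FRAME_IAX = 0x06   # IAX2 control frame type (RFC 5456; not stated on the page)
IAX_REJECT = 0x06      # subclass: REJECT (the small reply a server without the image sends)
IAX_FWDOWNL = 0x24     # subclass: firmware download request
IAX_FWDATA = 0x25      # subclass: firmware data block reply

def parse_full_frame(payload):
    """Return (frame_type, subclass) of an IAX2 full frame; None for mini frames or truncated data."""
    if len(payload) < 12 or not (payload[0] & 0x80):   # F bit set marks a full frame
        return None
    *_, ftype, sub = struct.unpack("!HHIBBBB", payload[:12])
    return ftype, sub & 0x7F                            # strip the C bit from the subclass

def amplification_report(packets, server_ip, threshold=10.0):
    """packets: (src_ip, dst_ip, udp_payload) tuples captured on the Asterisk host.
    Sums FWDOWNL bytes each peer sent and FWDATA/REJECT bytes the server returned to it;
    returns ({peer: (in_bytes, out_bytes, ratio)}, [peers whose ratio >= threshold])."""
    in_bytes, out_bytes = defaultdict(int), defaultdict(int)
    for src, dst, payload in packets:
        parsed = parse_full_frame(payload)
        if parsed is None or parsed[0] != AST_FRAME_IAX:
            continue
        sub = parsed[1]
        if dst == server_ip and sub == IAX_FWDOWNL:
            in_bytes[src] += len(payload)          # request the peer (apparently) sent
        elif src == server_ip and sub in (IAX_FWDATA, IAX_REJECT):
            out_bytes[dst] += len(payload)         # reply the server pushed to that address
    report = {}
    for peer in set(in_bytes) | set(out_bytes):
        ratio = out_bytes[peer] / in_bytes[peer] if in_bytes[peer] else float("inf")
        report[peer] = (in_bytes[peer], out_bytes[peer], ratio)
    flagged = sorted(p for p, (_, out, r) in report.items() if out and r >= threshold)
    return report, flagged

def sample_frame(subclass, total_len):
    """Constructed fixture: a minimal IAX2 full control frame zero-padded to total_len bytes."""
    hdr = struct.pack("!HHIBBBB", 0x8001, 0, 0, 0, 0, AST_FRAME_IAX, subclass)
    return hdr + b"\x00" * (total_len - len(hdr))

SERVER = "198.51.100.5"   # constructed addresses from the RFC 5737 test ranges
SAMPLE = (
    # three spoofed 40-byte requests "from" the victim, each answered with a 1040-byte block
    [("192.0.2.10", SERVER, sample_frame(IAX_FWDOWNL, 40))] * 3
    + [(SERVER, "192.0.2.10", sample_frame(IAX_FWDATA, 1040))] * 3
    # the same request to a server with the image removed: answered by a small REJECT
    + [("192.0.2.20", SERVER, sample_frame(IAX_FWDOWNL, 40)),
       (SERVER, "192.0.2.20", sample_frame(IAX_REJECT, 12))]
)
```

On the constructed sample, `amplification_report(SAMPLE, SERVER)` reports the victim address at 26x (3120 bytes out for 120 in) and leaves the peer that only got a REJECT unflagged, which is the effect the workaround relies on.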
Comment 1 Rambaldi 2008-07-23 07:58:34 UTC
fixed in voip overlay for version 1.4.20.2
Comment 2 Vieri 2008-07-23 12:19:43 UTC
Created attachment 161184 [details, diff]
net-misc/asterisk-1.2.30.ebuild diff
Comment 3 Vieri 2008-07-23 12:20:58 UTC
Created attachment 161186 [details, diff]
FILESDIR asterisk-1.2-ilbc.diff

also rename the bristuff file accordingly.
Comment 4 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-07-31 21:14:48 UTC
(In reply to comment #1)
> fixed in voip overlay for version 1.4.20.2
> 

Are there any plans for pushing it into the main tree? Otherwise, what about the 1.2.x series?
Comment 5 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2009-03-12 03:36:07 UTC
+*asterisk-1.2.31.1 (11 Mar 2009)
+
+  11 Mar 2009; <chainsaw@gentoo.org>
+  +files/1.2.0/asterisk-1.2.31.1-bri-fixups.diff,
+  +files/1.2.0/asterisk-1.2.31.1-comma-is-not-pipe.diff,
+  +files/1.2.0/asterisk-1.2.31.1-svn89254.diff, +asterisk-1.2.31.1.ebuild:
+  Version bump, for security bugs #250748 and #254304. Took a 1.4 build fix
+  that is relevant to 1.2, Digium bug #11238. Wrote patch to fix up typo in
+  open call, a comma is not a pipe sign. Used EAPI 2 for USE-based
+  dependencies instead of calling die. Patch from Mounir Lamouri adding
+  -lspeexdsp closes bug #206463 filed by John Read.
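Review bot: the ChangeLog entry references bugs #250748 and #254304 but not this bug (#232696, CVE-2008-3264), although the 1.2.31.1 bump is what closes the "< 1.2.31.1" range in this bug's summary; add it to the list of security bugs in the entry so the fix stays traceable from the ChangeLog. The header line "11 Mar 2009; <chainsaw@gentoo.org>" also lacks the committer's name in front of the address, which the other ChangeLog entries carry.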
Comment 6 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-03-12 15:36:06 UTC
Stabling via bug 250748
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2009-05-02 17:57:24 UTC
GLSA 200905-01