
Bug 232698 (CVE-2008-3263)

Summary: <net-misc/asterisk-1.2.31.1 IAX 'POKE' resource exhaustion (CVE-2008-3263)
Product: Gentoo Security
Reporter: Rajiv Aaron Manglani (RETIRED) <rajiv>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: voip+disabled
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://lists.digium.com/pipermail/asterisk-announce/2008-July/000159.html
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 249573
Bug Blocks:

Description Rajiv Aaron Manglani (RETIRED) gentoo-dev 2008-07-22 23:29:37 UTC
Asterisk Project Security Advisory - AST-2008-010

   +------------------------------------------------------------------------+
   |       Product        | Asterisk                                        |
   |----------------------+-------------------------------------------------|
   |       Summary        | Asterisk IAX 'POKE' resource exhaustion         |
   |----------------------+-------------------------------------------------|
   |  Nature of Advisory  | Denial of service                               |
   |----------------------+-------------------------------------------------|
   |    Susceptibility    | Remote Unauthenticated Sessions                 |
   |----------------------+-------------------------------------------------|
   |       Severity       | Critical                                        |
   |----------------------+-------------------------------------------------|
   |    Exploits Known    | Yes                                             |
   |----------------------+-------------------------------------------------|
   |     Reported On      | July 18, 2008                                   |
   |----------------------+-------------------------------------------------|
   |     Reported By      | Jeremy McNamara < jj AT nufone DOT net >        |
   |----------------------+-------------------------------------------------|
   |      Posted On       | July 22, 2008                                   |
   |----------------------+-------------------------------------------------|
   |   Last Updated On    | July 22, 2008                                   |
   |----------------------+-------------------------------------------------|
   |   Advisory Contact   | Tilghman Lesher < tlesher AT digium DOT com >   |
   |----------------------+-------------------------------------------------|
   |       CVE Name       | CVE-2008-3263                                   |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Description | By flooding an Asterisk server with IAX2 'POKE'          |
   |             | requests, an attacker may eat up all call numbers        |
   |             | associated with the IAX2 protocol on an Asterisk server  |
   |             | and prevent other IAX2 calls from getting through. Due   |
   |             | to the nature of the protocol, IAX2 POKE calls will      |
   |             | expect an ACK packet in response to the PONG packet sent |
   |             | in response to the POKE. While waiting for this ACK      |
   |             | packet, this dialog consumes an IAX2 call number, as the |
   |             | ACK packet must contain the same call number as was      |
   |             | allocated and sent in the PONG.                          |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Resolution | The implementation has been changed to no longer allocate |
   |            | an IAX2 call number for POKE requests. Instead, call      |
   |            | number 1 has been reserved for all responses to POKE      |
   |            | requests, and ACK packets referencing call number 1 will  |
   |            | be silently dropped.                                      |
   +------------------------------------------------------------------------+

+---------------------------------------------------------------------------------------------------------------------------------+
|Commentary|This vulnerability was reported to us without exploit code, less than two days before public release, with exploit    |
|          |code. Additionally, we were not informed of the public release of the exploit code and only learned this fact from a  |
|          |third party. We reiterate that this is irresponsible security disclosure, and we recommend that in the future,        |
|          |adequate time be given to fix any such vulnerability. Recommended reading:                                            |
|          |http://www.oisafety.org/guidelines/Guidelines%20for%20Security%20Vulnerability%20Reporting%20and%20Response%20V2.0.pdf|
+---------------------------------------------------------------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |             Product              |   Release   |                       |
   |                                  |   Series    |                       |
   |----------------------------------+-------------+-----------------------|
   |       Asterisk Open Source       |    1.0.x    | All versions          |
   |----------------------------------+-------------+-----------------------|
   |       Asterisk Open Source       |    1.2.x    | All versions prior to |
   |                                  |             | 1.2.30                |
   |----------------------------------+-------------+-----------------------|
   |       Asterisk Open Source       |    1.4.x    | All versions prior to |
   |                                  |             | 1.4.21.2              |
   |----------------------------------+-------------+-----------------------|
   |         Asterisk Addons          |    1.2.x    | Not affected          |
   |----------------------------------+-------------+-----------------------|
   |         Asterisk Addons          |    1.4.x    | Not affected          |
   |----------------------------------+-------------+-----------------------|
   |    Asterisk Business Edition     |    A.x.x    | All versions          |
   |----------------------------------+-------------+-----------------------|
   |    Asterisk Business Edition     |   B.x.x.x   | All versions prior to |
   |                                  |             | B.2.5.4               |
   |----------------------------------+-------------+-----------------------|
   |    Asterisk Business Edition     |   C.x.x.x   | All versions prior to |
   |                                  |             | C.1.10.3              |
   |----------------------------------+-------------+-----------------------|
   |           AsteriskNOW            | pre-release | All versions          |
   |----------------------------------+-------------+-----------------------|
   | Asterisk Appliance Developer Kit |    0.x.x    | All versions          |
   |----------------------------------+-------------+-----------------------|
   |    s800i (Asterisk Appliance)    |    1.0.x    | All versions prior to |
   |                                  |             | 1.2.0.1               |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                              Corrected In                              |
   |------------------------------------------------------------------------|
   |                   Product                   |         Release          |
   |---------------------------------------------+--------------------------|
   |            Asterisk Open Source             |          1.2.30          |
   |---------------------------------------------+--------------------------|
   |            Asterisk Open Source             |         1.4.21.2         |
   |---------------------------------------------+--------------------------|
   |          Asterisk Business Edition          |         B.2.5.4          |
   |---------------------------------------------+--------------------------|
   |          Asterisk Business Edition          |         C.1.10.3         |
   |---------------------------------------------+--------------------------|
   |          Asterisk Business Edition          |         C.2.0.3          |
   |---------------------------------------------+--------------------------|
   |         s800i (Asterisk Appliance)          |         1.2.0.1          |
   +------------------------------------------------------------------------+

+----------------------------------------------------------------------------------------------------------------------------+
|Links|http://www.oisafety.org/guidelines/Guidelines%20for%20Security%20Vulnerability%20Reporting%20and%20Response%20V2.0.pdf|
|-----+----------------------------------------------------------------------------------------------------------------------|
|     |http://www.securityfocus.com/bid/30321/info                                                                           |
+----------------------------------------------------------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Asterisk Project Security Advisories are posted at                     |
   | http://www.asterisk.org/security                                       |
   |                                                                        |
   | This document may be superseded by later versions; if so, the latest   |
   | version will be posted at                                              |
   | http://downloads.digium.com/pub/security/AST-2008-010.pdf and          |
   | http://downloads.digium.com/pub/security/AST-2008-010.html             |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                            Revision History                            |
   |------------------------------------------------------------------------|
   |      Date       |       Editor       |         Revisions Made          |
   |-----------------+--------------------+---------------------------------|
   | July 22, 2008   | Tilghman Lesher    | Initial release                 |
   |-----------------+--------------------+---------------------------------|
   | July 22, 2008   | Tilghman Lesher    | Revised C.1 version numbers     |
   +------------------------------------------------------------------------+

               Asterisk Project Security Advisory - AST-2008-010
              Copyright (c) 2008 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.
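The advisory's Description and Resolution sections describe a state-holding problem: each POKE made the server allocate an IAX2 call number and keep it until the matching ACK arrived, so a flood of POKEs with no ACKs could pin every call number and block real calls. The model below is an added illustration (not Asterisk code, and not part of the original bug report) that puts the pre-fix allocation next to the fixed behaviour from the Resolution: PONG replies to POKE all carry reserved call number 1, and ACKs referencing call number 1 are dropped instead of being matched to a call. The pool size, peer addresses and packet dictionaries are constructed for the example; real IAX2 call numbers are a much larger space, but the dynamics are the same.

```python
"""Model of the IAX2 call-number exhaustion from AST-2008-010 (CVE-2008-3263).

Added illustration, not Asterisk code. A small call-number pool is
modelled in two variants: the pre-fix server that allocates a call number
per POKE and holds it until the ACK arrives, and the fixed server that
answers every POKE with reserved call number 1 and drops ACKs for it.
"""

from dataclasses import dataclass, field

POKE_RESERVED_CALLNO = 1  # call number reserved by the fix for all PONG replies to POKE


@dataclass
class CallNumberPool:
    size: int                                   # usable call numbers (constructed, small)
    in_use: dict = field(default_factory=dict)  # callno -> peer that holds it

    def __post_init__(self):
        # call number 0 is never valid, and 1 is reserved, so usable numbers start at 2
        self.free = list(range(2, self.size + 2))

    def allocate(self, peer):
        """Hand out the lowest free call number, or None when the pool is exhausted."""
        if not self.free:
            return None
        callno = self.free.pop(0)
        self.in_use[callno] = peer
        return callno

    def release(self, callno):
        """Return a call number to the pool; False if it was not allocated."""
        if self.in_use.pop(callno, None) is None:
            return False
        self.free.append(callno)
        return True


class IaxServer:
    def __init__(self, pool_size, fixed):
        self.pool = CallNumberPool(pool_size)
        self.fixed = fixed          # True: behaviour after the AST-2008-010 change
        self.dropped_acks = 0       # ACKs silently dropped because they referenced callno 1

    def handle_poke(self, peer):
        """Return the PONG sent for a POKE, or None when no call number is left."""
        if self.fixed:
            # no allocation at all: every PONG to a POKE uses the reserved number
            return {"type": "PONG", "callno": POKE_RESERVED_CALLNO, "to": peer}
        callno = self.pool.allocate(peer)           # pre-fix: one call number per POKE
        if callno is None:
            return None
        return {"type": "PONG", "callno": callno, "to": peer}

    def handle_ack(self, peer, callno):
        """ACK for a PONG: frees the call number pre-fix, is dropped for callno 1 post-fix."""
        if self.fixed and callno == POKE_RESERVED_CALLNO:
            self.dropped_acks += 1
            return False
        return self.pool.release(callno)

    def handle_new(self, peer):
        """A NEW (real call setup) needs a call number of its own in both variants."""
        return self.pool.allocate(peer)


def simulate_poke_flood(fixed, pool_size=8, pokes=20):
    """Send `pokes` POKEs from peers that never complete the exchange, then place one real call."""
    server = IaxServer(pool_size, fixed)
    unanswered = 0
    for i in range(pokes):
        # constructed peer addresses; none of them sends the expected ACK
        if server.handle_poke(("198.51.100.7", 4569 + i)) is None:
            unanswered += 1
    legit = server.handle_new(("192.0.2.10", 4569))   # a legitimate peer places a call
    return {
        "unanswered_pokes": unanswered,
        "legit_call_allocated": legit is not None,
        "in_use": len(server.pool.in_use),
    }


if __name__ == "__main__":
    print("pre-fix:", simulate_poke_flood(fixed=False))
    print("fixed:  ", simulate_poke_flood(fixed=True))
```

With the pre-fix server, eight POKEs fill the eight-number pool and the legitimate NEW is refused; with the fixed server no POKE touches the pool, so the real call is allocated call number 2 and the flood only costs the server the PONG replies themselves. On a live system the defender-side signal for this class of problem is the same in both variants: a rising count of held call numbers with no matching completed dialogs.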
Comment 1 Rambaldi 2008-07-23 07:59:14 UTC
fixed in voip overlay for version 1.4.20.2
Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-30 17:44:59 UTC
Already stable in tree. Please vote!
Comment 3 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2009-01-11 17:29:49 UTC
Thanks for having bumped it. Voting noglsa because it's not so hard to exhaust Asterisk resources (like every VoIP software) even without any vulnerability.
Comment 4 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-01-11 18:14:15 UTC
hmm, it says it's fixed *in the VoIP overlay*, and I don't see any sign of asterisk 1.2.30 in the main tree... So back to [ebuild].
Comment 5 Stefan Behte (RETIRED) gentoo-dev Security 2009-01-11 18:27:01 UTC
Sorry, I misread the version. Adjusting severity.
Comment 6 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2009-03-12 03:32:51 UTC
+*asterisk-1.2.31.1 (11 Mar 2009)
+
+  11 Mar 2009; <chainsaw@gentoo.org>
+  +files/1.2.0/asterisk-1.2.31.1-bri-fixups.diff,
+  +files/1.2.0/asterisk-1.2.31.1-comma-is-not-pipe.diff,
+  +files/1.2.0/asterisk-1.2.31.1-svn89254.diff, +asterisk-1.2.31.1.ebuild:
+  Version bump, for security bugs #250748 and #254304. Took a 1.4 build fix
+  that is relevant to 1.2, Digium bug #11238. Wrote patch to fix up typo in
+  open call, a comma is not a pipe sign. Used EAPI 2 for USE-based
+  dependencies instead of calling die. Patch from Mounir Lamouri adding
+  -lspeexdsp closes bug #206463 filed by John Read.
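Review bot: the ChangeLog entry credits the bump to security bugs #250748 and #254304 only, while the summary of this bug states that <net-misc/asterisk-1.2.31.1 is the affected range for CVE-2008-3263; listing bug #232698 (or the CVE) in the entry would let the ChangeLog trace this fix to its GLSA as well.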
Comment 7 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-03-12 15:36:34 UTC
Stabling via bug 250748
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2009-05-02 17:57:22 UTC
GLSA 200905-01