Bug 281107 (CVE-2009-2726)

Summary:	<net-misc/asterisk-{1.2.34, 1.6.1.4}: DoS (CVE-2009-2726)
Product:	Gentoo Security	Reporter:	Rajiv Aaron Manglani (RETIRED) <rajiv>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	kfm, voip+disabled
Priority:	High
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	http://downloads.asterisk.org/pub/security/AST-2009-005.html
Whiteboard:	B3 [glsa]
Package list:		Runtime testing required:	---

Description Rajiv Aaron Manglani (RETIRED) gentoo-dev

2009-08-11 14:14:49 UTC

http://downloads.asterisk.org/pub/security/AST-2009-005.html

http://lists.digium.com/pipermail/asterisk-announce/2009-August/000201.html


               Asterisk Project Security Advisory - AST-2009-005

   +------------------------------------------------------------------------+
   |       Product       | Asterisk                                         |
   |---------------------+--------------------------------------------------|
   |       Summary       | Remote Crash Vulnerability in SIP channel driver |
   |---------------------+--------------------------------------------------|
   | Nature of Advisory  | Denial of Service                                |
   |---------------------+--------------------------------------------------|
   |   Susceptibility    | Remote Unauthenticated Sessions                  |
   |---------------------+--------------------------------------------------|
   |      Severity       | Critical in 1.6.1; minor in lesser versions      |
   |---------------------+--------------------------------------------------|
   |   Exploits Known    | No                                               |
   |---------------------+--------------------------------------------------|
   |     Reported On     | July 28, 2009                                    |
   |---------------------+--------------------------------------------------|
   |     Reported By     | Nick Baggott < nbaggott AT mudynamics DOT com >  |
   |---------------------+--------------------------------------------------|
   |      Posted On      | August 10, 2009                                  |
   |---------------------+--------------------------------------------------|
   |   Last Updated On   | August 10, 2009                                  |
   |---------------------+--------------------------------------------------|
   |  Advisory Contact   | Tilghman Lesher < tlesher AT digium DOT com >    |
   |---------------------+--------------------------------------------------|
   |      CVE Name       | CVE-2009-2726                                    |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Description | On certain implementations of libc, the scanf family of  |
   |             | functions uses an unbounded amount of stack memory to    |
   |             | repeatedly allocate string buffers prior to conversion   |
   |             | to the target type. Coupled with Asterisk's allocation   |
   |             | of thread stack sizes that are smaller than the default, |
   |             | an attacker may exhaust stack memory in the SIP stack    |
   |             | network thread by presenting excessively long numeric    |
   |             | strings in various fields.                               |
   |             |                                                          |
   |             | Note that while this potential vulnerability has existed |
   |             | in Asterisk for a very long time, it is only potentially |
   |             | exploitable in 1.6.1 and above, since those versions are |
   |             | the first that have allowed SIP packets to exceed 1500   |
   |             | bytes total, which does not permit strings that are      |
   |             | large enough to crash Asterisk. (The number strings      |
   |             | presented to us by the security researcher were          |
   |             | approximately 32,000 bytes long.)                        |
   |             |                                                          |
   |             | Additionally note that while this can crash Asterisk,    |
   |             | execution of arbitrary code is not possible with this    |
   |             | vector.                                                  |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |  Resolution  | Upgrade Asterisk to one of the releases listed below.   |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |          Product           |  Release   |                              |
   |                            |   Series   |                              |
   |----------------------------+------------+------------------------------|
   |    Asterisk Open Source    |   1.2.x    | All versions prior to 1.2.34 |
   |----------------------------+------------+------------------------------|
   |    Asterisk Open Source    |   1.4.x    | All versions prior to        |
   |                            |            | 1.4.26.1                     |
   |----------------------------+------------+------------------------------|
   |    Asterisk Open Source    |  1.6.0.x   | All versions prior to        |
   |                            |            | 1.6.0.12                     |
   |----------------------------+------------+------------------------------|
   |    Asterisk Open Source    |  1.6.1.x   | All versions prior to        |
   |                            |            | 1.6.1.4                      |
   |----------------------------+------------+------------------------------|
   |      Asterisk Addons       |   1.2.x    | Not affected                 |
   |----------------------------+------------+------------------------------|
   |      Asterisk Addons       |   1.4.x    | Not affected                 |
   |----------------------------+------------+------------------------------|
   |      Asterisk Addons       |  1.6.0.x   | Not affected                 |
   |----------------------------+------------+------------------------------|
   |      Asterisk Addons       |  1.6.1.x   | Not affected                 |
   |----------------------------+------------+------------------------------|
   | Asterisk Business Edition  |   A.x.x    | All versions                 |
   |----------------------------+------------+------------------------------|
   | Asterisk Business Edition  |   B.x.x    | All versions prior to        |
   |                            |            | B.2.5.9                      |
   |----------------------------+------------+------------------------------|
   | Asterisk Business Edition  |   C.2.x    | All versions prior to        |
   |                            |            | C.2.4.1                      |
   |----------------------------+------------+------------------------------|
   | Asterisk Business Edition  |   C.3.x    | All versions prior to C.3.1  |
   |----------------------------+------------+------------------------------|
   |        AsteriskNOW         |    1.5     | Not affected                 |
   |----------------------------+------------+------------------------------|
   | s800i (Asterisk Appliance) |   1.2.x    | All versions prior to        |
   |                            |            | 1.3.0.3                      |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                              Corrected In                              |
   |------------------------------------------------------------------------|
   |                   Product                   |         Release          |
   |---------------------------------------------+--------------------------|
   |            Asterisk Open Source             |          1.2.34          |
   |---------------------------------------------+--------------------------|
   |            Asterisk Open Source             |         1.4.26.1         |
   |---------------------------------------------+--------------------------|
   |            Asterisk Open Source             |         1.6.0.12         |
   |---------------------------------------------+--------------------------|
   |            Asterisk Open Source             |         1.6.1.4          |
   |---------------------------------------------+--------------------------|
   |          Asterisk Business Edition          |         B.2.5.9          |
   |---------------------------------------------+--------------------------|
   |          Asterisk Business Edition          |         C.2.4.1          |
   |---------------------------------------------+--------------------------|
   |          Asterisk Business Edition          |          C.3.1           |
   |---------------------------------------------+--------------------------|
   |         s800i (Asterisk Appliance)          |         1.3.0.3          |
   +------------------------------------------------------------------------+

   +---------------------------------------------------------------------------+
   |                                  Patches                                  |
   |---------------------------------------------------------------------------|
   |                                Link                                |Branch|
   |--------------------------------------------------------------------+------|
   |http://downloads.digium.com/pub/security/AST-2009-005-1.2.diff.txt  |1.2   |
   |--------------------------------------------------------------------+------|
   |http://downloads.digium.com/pub/security/AST-2009-005-1.4.diff.txt  |1.4   |
   |--------------------------------------------------------------------+------|
   |http://downloads.digium.com/pub/security/AST-2009-005-trunk.diff.txt|trunk |
   |--------------------------------------------------------------------+------|
   |http://downloads.digium.com/pub/security/AST-2009-005-1.6.0.diff.txt|1.6.0 |
   |--------------------------------------------------------------------+------|
   |http://downloads.digium.com/pub/security/AST-2009-005-1.6.1.diff.txt|1.6.1 |
   |--------------------------------------------------------------------+------|
   |http://downloads.digium.com/pub/security/AST-2009-005-1.6.2.diff.txt|1.6.2 |
   +---------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |   Links   | http://labs.mudynamics.com/advisories/MU-200908-01.txt     |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Asterisk Project Security Advisories are posted at                     |
   | http://www.asterisk.org/security                                       |
   |                                                                        |
   | This document may be superseded by later versions; if so, the latest   |
   | version will be posted at                                              |
   | http://downloads.digium.com/pub/security/AST-2009-005.pdf and          |
   | http://downloads.digium.com/pub/security/AST-2009-005.html             |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                            Revision History                            |
   |------------------------------------------------------------------------|
   |        Date         |        Editor        |      Revisions Made       |
   |---------------------+----------------------+---------------------------|
   | August 10, 2009     | Tilghman Lesher      | Initial release           |
   +------------------------------------------------------------------------+

               Asterisk Project Security Advisory - AST-2009-005
              Copyright (c) 2009 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

Comment 1 Alex Legler (RETIRED) archtester

2009-08-12 16:08:50 UTC

CVE-2009-2726 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2726):
  The SIP channel driver in Asterisk Open Source 1.2.x before 1.2.34,
  1.4.x before 1.4.26.1, 1.6.0.x before 1.6.0.12, and 1.6.1.x before
  1.6.1.4; Asterisk Business Edition A.x.x, B.x.x before B.2.5.9, C.2.x
  before C.2.4.1, and C.3.x before C.3.1; and Asterisk Appliance s800i
  1.2.x before 1.3.0.3 does not use a maximum width when invoking
  sscanf style functions, which allows remote attackers to cause a
  denial of service (stack memory consumption) via SIP packets
  containing large sequences of ASCII decimal characters, as
  demonstrated via vectors related to (1) the CSeq value in a SIP
  header, (2) large Content-Length value, and (3) SDP.

Comment 2 Alex Legler (RETIRED) archtester

2010-05-31 14:48:33 UTC

Superseded by several bugs. Pushing to [glsa] state. Rerating for DoS.

Comment 3 Alex Legler (RETIRED) archtester

2010-06-04 05:18:13 UTC

GLSA 201006-20