Bug 295270 (CVE-2009-4055)

Summary:	<net-misc/asterisk-{1.2.37, 1.6.1.11} SIP RTP DoS (CVE-2009-4055)
Product:	Gentoo Security	Reporter:	Rajiv Aaron Manglani (RETIRED) <rajiv>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	voip+disabled
Priority:	High
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	http://lists.digium.com/pipermail/asterisk-announce/2009-November/000214.html
Whiteboard:	B3 [glsa]
Package list:		Runtime testing required:	---

Description Rajiv Aaron Manglani (RETIRED) gentoo-dev

2009-12-01 04:02:52 UTC

The Asterisk Development Team has announced the release of Asterisk 1.2.37,
1.4.27.1, 1.6.0.19, and 1.6.1.11. These releases are available for immediate
download at http://downloads.asterisk.org/pub/telephony/asterisk/

These releases have been created in response to a SIP remote crash
vulnerability.

Additionally, Asterisk versions 1.4.27.1, 1.6.0.19, and 1.6.1.11 also contain an
SDP regression fix as described in issue #16268.

Asterisk 1.6.0.19, and 1.6.1.11 contain an additional SDP regression fix as
described by issue #16238.

Information about the SDP issues can be found at
https://issues.asterisk.org/view.php?id=16268 and
https://issues.asterisk.org/view.php?id=16238

For more information about the details of this vulnerability, please read the
security advisory AST-2009-010, which was released at the same time as this
announcement.

The security advisory is available at
http://downloads.asterisk.org/pub/security/AST-2009-010.pdf

For a full list of changes in the current releases, please see the ChangeLogs:
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.2.37
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.4.27.1
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.0.19
http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.6.1.11

Thank you for your continued support of Asterisk!



              Asterisk Project Security Advisory - AST-2009-010

  +------------------------------------------------------------------------+
  |       Product        | Asterisk                                        |
  |----------------------+-------------------------------------------------|
  |       Summary        | RTP Remote Crash Vulnerability                  |
  |----------------------+-------------------------------------------------|
  |  Nature of Advisory  | Denial of Service                               |
  |----------------------+-------------------------------------------------|
  |    Susceptibility    | Remote unauthenticated sessions                 |
  |----------------------+-------------------------------------------------|
  |       Severity       | Critical                                        |
  |----------------------+-------------------------------------------------|
  |    Exploits Known    | No                                              |
  |----------------------+-------------------------------------------------|
  |     Reported On      | November 13, 2009                               |
  |----------------------+-------------------------------------------------|
  |     Reported By      | issues.asterisk.org user amorsen                |
  |----------------------+-------------------------------------------------|
  |      Posted On       | November 30, 2009                               |
  |----------------------+-------------------------------------------------|
  |   Last Updated On    | November 30, 2009                               |
  |----------------------+-------------------------------------------------|
  |   Advisory Contact   | David Vossel < dvossel AT digium DOT com >      |
  |----------------------+-------------------------------------------------|
  |       CVE Name       | CVE-2009-4055                                   |
  +------------------------------------------------------------------------+

  +------------------------------------------------------------------------+
  | Description | An attacker sending a valid RTP comfort noise payload    |
  |             | containing a data length of 24 bytes or greater can      |
  |             | remotely crash Asterisk.                                 |
  +------------------------------------------------------------------------+

  +------------------------------------------------------------------------+
  | Resolution | Upgrade to one of the versions of Asterisk listed in the  |
  |            | "Corrected In" section, or apply a patch specified in the |
  |            | "Patches" section.                                        |
  +------------------------------------------------------------------------+

  +------------------------------------------------------------------------+
  |                           Affected Versions                            |
  |------------------------------------------------------------------------|
  |             Product              | Release Series |                    |
  |----------------------------------+----------------+--------------------|
  |       Asterisk Open Source       |     1.2.x      | All versions       |
  |----------------------------------+----------------+--------------------|
  |       Asterisk Open Source       |     1.4.x      | All versions       |
  |----------------------------------+----------------+--------------------|
  |       Asterisk Open Source       |     1.6.x      | All versions       |
  |----------------------------------+----------------+--------------------|
  |    Asterisk Business Edition     |     B.x.x      | All versions       |
  |----------------------------------+----------------+--------------------|
  |    Asterisk Business Edition     |     C.x.x      | All versions       |
  |----------------------------------+----------------+--------------------|
  |    s800i (Asterisk Appliance)    |     1.3.x      | All versions       |
  +------------------------------------------------------------------------+

  +------------------------------------------------------------------------+
  |                              Corrected In                              |
  |------------------------------------------------------------------------|
  |                   Product                   |         Release          |
  |---------------------------------------------+--------------------------|
  |            Asterisk Open Source             |          1.2.37          |
  |---------------------------------------------+--------------------------|
  |            Asterisk Open Source             |         1.4.27.1         |
  |---------------------------------------------+--------------------------|
  |            Asterisk Open Source             |         1.6.0.19         |
  |---------------------------------------------+--------------------------|
  |            Asterisk Open Source             |         1.6.1.11         |
  |---------------------------------------------+--------------------------|
  |          Asterisk Business Edition          |         B.2.5.13         |
  |---------------------------------------------+--------------------------|
  |          Asterisk Business Edition          |         C.2.4.6          |
  |---------------------------------------------+--------------------------|
  |          Asterisk Business Edition          |         C.3.2.3          |
  |---------------------------------------------+--------------------------|
  |         S800i (Asterisk Appliance)          |         1.3.0.6          |
  +------------------------------------------------------------------------+

+-----------------------------------------------------------------------------+
|                                   Patches                                   |
|-----------------------------------------------------------------------------|
|                                 Link                                 |Branch|
|----------------------------------------------------------------------+------|
|http://downloads.asterisk.org/pub/security/AST-2009-010-1.2.diff.txt  |1.2   |
|----------------------------------------------------------------------+------|
|http://downloads.asterisk.org/pub/security/AST-2009-010-1.4.diff.txt  |1.4   |
|----------------------------------------------------------------------+------|
|http://downloads.asterisk.org/pub/security/AST-2009-010-1.6.0.diff.txt|1.6.0 |
|----------------------------------------------------------------------+------|
|http://downloads.asterisk.org/pub/security/AST-2009-010-1.6.1.diff.txt|1.6.1 |
+-----------------------------------------------------------------------------+

  +------------------------------------------------------------------------+
  |     Links      | https://issues.asterisk.org/view.php?id=16242         |
  +------------------------------------------------------------------------+

  +------------------------------------------------------------------------+
  | Asterisk Project Security Advisories are posted at                     |
  | http://www.asterisk.org/security                                       |
  |                                                                        |
  | This document may be superseded by later versions; if so, the latest   |
  | version will be posted at                                              |
  | http://downloads.digium.com/pub/security/AST-2009-010.pdf and          |
  | http://downloads.digium.com/pub/security/AST-2009-010.html             |
  +------------------------------------------------------------------------+

  +------------------------------------------------------------------------+
  |                            Revision History                            |
  |------------------------------------------------------------------------|
  |       Date       |       Editor        |        Revisions Made         |
  |------------------+---------------------+-------------------------------|
  | 2009-09-03       | David Vossel        | Initial release               |
  +------------------------------------------------------------------------+

              Asterisk Project Security Advisory - AST-2009-010
             Copyright (c) 2009 Digium, Inc. All Rights Reserved.
 Permission is hereby granted to distribute and publish this advisory in its
                          original, unaltered form.

Comment 1 Tony Vroon (RETIRED) gentoo-dev

2009-12-01 10:38:55 UTC

+*asterisk-1.6.1.11 (01 Dec 2009)
+
+  01 Dec 2009; <chainsaw@gentoo.org> -asterisk-1.6.1.9.ebuild,
+  -asterisk-1.6.1.10.ebuild, +asterisk-1.6.1.11.ebuild:
+  Version bump as requested by Rajiv Aaron Manglani <rajiv@gentoo.org> in
+  security bug #295270. Fixes a remote crash caused by a comfort noise
+  payload over 24 bytes in length. Also contains an SDP regression fix,
+  upstream bug reports #16368 & #16238. Vulnerable 1.6 branch ebuilds
+  killed.

Comment 2 Tony Vroon (RETIRED) gentoo-dev

2009-12-01 10:47:04 UTC

+*asterisk-1.2.37 (01 Dec 2009)
+
+  01 Dec 2009; <chainsaw@gentoo.org> asterisk-1.2.35.ebuild,
+  +asterisk-1.2.37.ebuild:
+  Version bump as requested by Rajiv Aaron Manglani <rajiv@gentoo.org> in
+  security bug #295270. Fixes a remote crash caused by a comfort noise
+  payload over 24 bytes in length. Reduce 1.2.35 keywords to PPC, unable to
+  delete at this time.

Comment 3 Tony Vroon (RETIRED) gentoo-dev

2009-12-01 10:50:52 UTC

Arches, please test & mark stable net-misc/asterisk-1.2.37
Target keywords: alpha amd64 ~hppa ppc sparc x86

PowerPC, please delete 1.2.35 once you have keyworded 1.2.37, skipping 1.2.36. You can then un-CC yourself from security bug #284892.

Arch teams, for testing please use the default configuration supplied and confirm that the init script will start & stop the daemon.

Comment 4 Christian Faulhammer (RETIRED) gentoo-dev

2009-12-01 15:26:57 UTC

x86 stable

Comment 5 Markus Meier gentoo-dev

2009-12-02 10:56:42 UTC

amd64 stable

Comment 6 Alex Legler (RETIRED) archtester

2009-12-03 09:17:08 UTC

CVE-2009-4055 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4055):
  rtp.c in Asterisk Open Source 1.2.x before 1.2.37, 1.4.x before
  1.4.27.1, 1.6.0.x before 1.6.0.19, and 1.6.1.x before 1.6.1.11;
  Business Edition B.x.x before B.2.5.13, C.2.x.x before C.2.4.6, and
  C.3.x.x before C.3.2.3; and s800i 1.3.x before 1.3.0.6 allows remote
  attackers to cause a denial of service (daemon crash) via an RTP
  comfort noise payload with a long data length.

Comment 7 Raúl Porcel (RETIRED) gentoo-dev

2009-12-09 18:53:22 UTC

alpha/sparc stable

Comment 8 Joe Jezak (RETIRED) gentoo-dev

2010-01-05 04:00:13 UTC

Marked ppc stable, removed 1.2.35 as directed.

Comment 9 Alex Legler (RETIRED) archtester

2010-05-31 14:53:49 UTC

voip: Please remove vulnerable ebuilds (1.2.36 at least).
Rerating for DoS.

Comment 10 Tony Vroon (RETIRED) gentoo-dev

2010-05-31 21:29:55 UTC

+  31 May 2010; <chainsaw@gentoo.org> -asterisk-1.2.36.ebuild:
+  Remove vulnerable version as per Alex "a3li" Legler in security bug
+  #295270.

Comment 11 Alex Legler (RETIRED) archtester

2010-06-04 05:18:23 UTC

GLSA 201006-20