Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 418191 (CVE-2012-2948)

Summary: <net-misc/asterisk-{,10.4.1} Skinny Remote Crash Vulnerability (CVE-2012-2948)
Product: Gentoo Security Reporter: Rajiv Aaron Manglani (RETIRED) <rajiv>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: normal CC: voip+disabled
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 418189    
Bug Blocks:    

Description Rajiv Aaron Manglani (RETIRED) gentoo-dev 2012-05-29 22:18:54 UTC
Asterisk Project Security Advisory - AST-2012-008

         Product         Asterisk                                            
         Summary         Skinny Channel Driver Remote Crash Vulnerability    
    Nature of Advisory   Denial of Service                                   
      Susceptibility     Remote authenticated sessions                       
         Severity        Minor                                               
      Exploits Known     No                                                  
       Reported On       May 22, 2012                                        
       Reported By       Christoph Hebeisen                                  
        Posted On        May 29, 2012                                        
     Last Updated On     May 29, 2012                                        
     Advisory Contact    Matt Jordan < mjordan AT digium DOT com >           
         CVE Name        CVE-2012-2948                                       

   Description  As reported by Telus Labs:                                   

                "A Null-pointer dereference has been identified in the SCCP  
                (Skinny) channel driver of Asterisk. When an SCCP client     
                closes its connection to the server, a pointer in a          
                structure is set to Null. If the client was not in the       
                on-hook state at the time the connection was closed, this    
                pointer is later dereferenced.                               

                A remote attacker with a valid SCCP ID can can use this      
                vulnerability by closing a connection to the Asterisk        
                server in certain call states (e.g. "Off hook") to crash     
                the server. Successful exploitation of this vulnerability    
                would result in termination of the server, causing denial    
                of service to legitimate users."                             

   Resolution  The pointer to the device in the structure is now checked     
               before it is dereferenced in the channel event callbacks and  
               message handling functions.                                   

                              Affected Versions
               Product              Release Series  
        Asterisk Open Source            1.8.x       All Versions             
        Asterisk Open Source             10.x       All Versions             
         Certified Asterisk          1.8.11-cert    1.8.11-cert1             

                                 Corrected In
                  Product                              Release               
           Asterisk Open Source         , 10.4.1           
            Certified Asterisk                      1.8.11-cert2             

                               SVN URL                                    Revision         v1.8          v10  v1.8.11-cert 


   Asterisk Project Security Advisories are posted at                                                            

   This document may be superseded by later versions; if so, the latest      
   version will be posted at                                            and                       

                               Revision History
         Date                  Editor                 Revisions Made         
   05/25/2012         Matt Jordan               Initial Release              

              Asterisk Project Security Advisory - AST-2012-008
             Copyright (c) 2012 Digium, Inc. All Rights Reserved.
 Permission is hereby granted to distribute and publish this advisory in its
                          original, unaltered form.
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2012-05-29 22:44:56 UTC
Stabilization happening in bug 418189.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2012-06-15 19:33:08 UTC
CVE-2012-2948 (
  chan_skinny.c in the Skinny (aka SCCP) channel driver in Certified Asterisk
  1.8.11-cert before 1.8.11-cert2 and Asterisk Open Source 1.8.x before and 10.x before 10.4.1 allows remote authenticated users to cause a
  denial of service (NULL pointer dereference and daemon crash) by closing a
  connection in off-hook mode.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2012-06-21 00:50:09 UTC
This issue was resolved and addressed in
 GLSA 201206-05 at
by GLSA coordinator Sean Amoss (ackle).