Bug 418191 (CVE-2012-2948) - <net-misc/asterisk-{1.8.12.1,10.4.1} Skinny Remote Crash Vulnerability (CVE-2012-2948)
Status: RESOLVED FIXED
Alias: CVE-2012-2948
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://downloads.digium.com/pub/secur...
Whiteboard: B2 [glsa]
Keywords:
Depends on: CVE-2012-2947
Blocks:
Reported: 2012-05-29 22:18 UTC by Rajiv Aaron Manglani (RETIRED)
Modified: 2012-06-21 00:50 UTC

See Also:
Package list:
Runtime testing required: ---


Description Rajiv Aaron Manglani (RETIRED) gentoo-dev 2012-05-29 22:18:54 UTC
Asterisk Project Security Advisory - AST-2012-008

         Product         Asterisk                                            
         Summary         Skinny Channel Driver Remote Crash Vulnerability    
    Nature of Advisory   Denial of Service                                   
      Susceptibility     Remote authenticated sessions                       
         Severity        Minor                                               
      Exploits Known     No                                                  
       Reported On       May 22, 2012                                        
       Reported By       Christoph Hebeisen                                  
        Posted On        May 29, 2012                                        
     Last Updated On     May 29, 2012                                        
     Advisory Contact    Matt Jordan < mjordan AT digium DOT com >           
         CVE Name        CVE-2012-2948                                       

   Description  As reported by Telus Labs:                                   

                "A Null-pointer dereference has been identified in the SCCP  
                (Skinny) channel driver of Asterisk. When an SCCP client     
                closes its connection to the server, a pointer in a          
                structure is set to Null. If the client was not in the       
                on-hook state at the time the connection was closed, this    
                pointer is later dereferenced.                               

                A remote attacker with a valid SCCP ID can use this          
                vulnerability by closing a connection to the Asterisk        
                server in certain call states (e.g. "Off hook") to crash     
                the server. Successful exploitation of this vulnerability    
                would result in termination of the server, causing denial    
                of service to legitimate users."                             

   Resolution  The pointer to the device in the structure is now checked     
               before it is dereferenced in the channel event callbacks and  
               message handling functions.                                   

                              Affected Versions
               Product              Release Series  
        Asterisk Open Source            1.8.x       All Versions             
        Asterisk Open Source             10.x       All Versions             
         Certified Asterisk          1.8.11-cert    1.8.11-cert1             

                                 Corrected In
                  Product                              Release               
           Asterisk Open Source                   1.8.12.1, 10.4.1           
            Certified Asterisk                      1.8.11-cert2             

                                      Patches                           
                               SVN URL                                    Revision   
http://downloads.asterisk.org/pub/security/AST-2012-008-1.8.diff         v1.8         
http://downloads.asterisk.org/pub/security/AST-2012-008-10.diff          v10          
http://downloads.asterisk.org/pub/security/AST-2012-008-1.8.11-cert.diff v1.8.11-cert 

      Links     https://issues.asterisk.org/jira/browse/ASTERISK-19905       

   Asterisk Project Security Advisories are posted at                        
   http://www.asterisk.org/security                                          

   This document may be superseded by later versions; if so, the latest      
   version will be posted at                                                 
   http://downloads.digium.com/pub/security/AST-2012-008.pdf and             
   http://downloads.digium.com/pub/security/AST-2012-008.html                

                               Revision History
         Date                  Editor                 Revisions Made         
   05/25/2012         Matt Jordan               Initial Release              

              Asterisk Project Security Advisory - AST-2012-008
             Copyright (c) 2012 Digium, Inc. All Rights Reserved.
 Permission is hereby granted to distribute and publish this advisory in its
                          original, unaltered form.
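
The failure mode and the fix pattern that the advisory's Description and Resolution describe, as an added example that is not part of the bug report and is not code from chan_skinny.c. All type and function names here are hypothetical and simplified; the device name is a constructed sample value.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical, simplified types: not the structures from chan_skinny.c. */
enum hook_state { ON_HOOK, OFF_HOOK };
struct device { const char *name; enum hook_state hook; };
struct subchannel {
    struct device *dev;   /* set to NULL when the client's session closes */
    int call_active;      /* call state can outlive the session */
};

/* Session teardown: a call that is not on-hook still has callbacks pending. */
void session_close(struct subchannel *sub)
{
    sub->call_active = (sub->dev != NULL && sub->dev->hook != ON_HOOK);
    sub->dev = NULL;
}

/* Channel event callback with the check the Resolution describes.
 * Returns 0 on success, -1 if the device is already gone.
 * Without the guard, d->name below would dereference NULL. */
int on_hangup(struct subchannel *sub, char *out, size_t outlen)
{
    struct device *d = sub->dev;
    if (d == NULL) {
        sub->call_active = 0;   /* clean up call state only */
        return -1;
    }
    snprintf(out, outlen, "hangup on %s", d->name);
    d->hook = ON_HOOK;
    sub->call_active = 0;
    return 0;
}

/* Constructed scenario: optionally close while off-hook, then fire the callback. */
int demo(int close_first)
{
    struct device phone = { "SEP-constructed", OFF_HOOK };
    struct subchannel sub = { &phone, 1 };
    char buf[64];
    if (close_first) session_close(&sub);
    return on_hangup(&sub, buf, sizeof buf);
}

int main(void)
{
    printf("closed first: %d, still connected: %d\n", demo(1), demo(0));
    return 0;
}
```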
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2012-05-29 22:44:56 UTC
Stabilization happening in bug 418189.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2012-06-15 19:33:08 UTC
CVE-2012-2948 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2948):
  chan_skinny.c in the Skinny (aka SCCP) channel driver in Certified Asterisk
  1.8.11-cert before 1.8.11-cert2 and Asterisk Open Source 1.8.x before
  1.8.12.1 and 10.x before 10.4.1 allows remote authenticated users to cause a
  denial of service (NULL pointer dereference and daemon crash) by closing a
  connection in off-hook mode.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2012-06-21 00:50:09 UTC
This issue was resolved and addressed in
 GLSA 201206-05 at http://security.gentoo.org/glsa/glsa-201206-05.xml
by GLSA coordinator Sean Amoss (ackle).