Asterisk Project Security Advisory - AST-2008-010 +------------------------------------------------------------------------+ | Product | Asterisk | |----------------------+-------------------------------------------------| | Summary | Asterisk IAX 'POKE' resource exhaustion | |----------------------+-------------------------------------------------| | Nature of Advisory | Denial of service | |----------------------+-------------------------------------------------| | Susceptibility | Remote Unauthenticated Sessions | |----------------------+-------------------------------------------------| | Severity | Critical | |----------------------+-------------------------------------------------| | Exploits Known | Yes | |----------------------+-------------------------------------------------| | Reported On | July 18, 2008 | |----------------------+-------------------------------------------------| | Reported By | Jeremy McNamara < jj AT nufone DOT net > | |----------------------+-------------------------------------------------| | Posted On | July 22, 2008 | |----------------------+-------------------------------------------------| | Last Updated On | July 22, 2008 | |----------------------+-------------------------------------------------| | Advisory Contact | Tilghman Lesher < tlesher AT digium DOT com > | |----------------------+-------------------------------------------------| | CVE Name | CVE-2008-3263 | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Description | By flooding an Asterisk server with IAX2 'POKE' | | | requests, an attacker may eat up all call numbers | | | associated with the IAX2 protocol on an Asterisk server | | | and prevent other IAX2 calls from getting through. Due | | | to the nature of the protocol, IAX2 POKE calls will | | | expect an ACK packet in response to the PONG packet sent | | | in response to the POKE. While waiting for this ACK | | | packet, this dialog consumes an IAX2 call number, as the | | | ACK packet must contain the same call number as was | | | allocated and sent in the PONG. | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Resolution | The implementation has been changed to no longer allocate | | | an IAX2 call number for POKE requests. Instead, call | | | number 1 has been reserved for all responses to POKE | | | requests, and ACK packets referencing call number 1 will | | | be silently dropped. | +------------------------------------------------------------------------+ +---------------------------------------------------------------------------------------------------------------------------------+ |Commentary|This vulnerability was reported to us without exploit code, less than two days before public release, with exploit | | |code. Additionally, we were not informed of the public release of the exploit code and only learned this fact from a | | |third party. We reiterate that this is irresponsible security disclosure, and we recommend that in the future, | | |adequate time be given to fix any such vulnerability. Recommended reading: | | |http://www.oisafety.org/guidelines/Guidelines%20for%20Security%20Vulnerability%20Reporting%20and%20Response%20V2.0.pdf| +---------------------------------------------------------------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Affected Versions | |------------------------------------------------------------------------| | Product | Release | | | | Series | | |----------------------------------+-------------+-----------------------| | Asterisk Open Source | 1.0.x | All versions | |----------------------------------+-------------+-----------------------| | Asterisk Open Source | 1.2.x | All versions prior to | | | | 1.2.30 | |----------------------------------+-------------+-----------------------| | Asterisk Open Source | 1.4.x | All versions prior to | | | | 1.4.21.2 | |----------------------------------+-------------+-----------------------| | Asterisk Addons | 1.2.x | Not affected | |----------------------------------+-------------+-----------------------| | Asterisk Addons | 1.4.x | Not affected | |----------------------------------+-------------+-----------------------| | Asterisk Business Edition | A.x.x | All versions | |----------------------------------+-------------+-----------------------| | Asterisk Business Edition | B.x.x.x | All versions prior to | | | | B.2.5.4 | |----------------------------------+-------------+-----------------------| | Asterisk Business Edition | C.x.x.x | All versions prior to | | | | C.1.10.3 | |----------------------------------+-------------+-----------------------| | AsteriskNOW | pre-release | All versions | |----------------------------------+-------------+-----------------------| | Asterisk Appliance Developer Kit | 0.x.x | All versions | |----------------------------------+-------------+-----------------------| | s800i (Asterisk Appliance) | 1.0.x | All versions prior to | | | | 1.2.0.1 | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Corrected In | |------------------------------------------------------------------------| | Product | Release | |---------------------------------------------+--------------------------| | Asterisk Open Source | 1.2.30 | |---------------------------------------------+--------------------------| | Asterisk Open Source | 1.4.21.2 | |---------------------------------------------+--------------------------| | Asterisk Business Edition | B.2.5.4 | |---------------------------------------------+--------------------------| | Asterisk Business Edition | C.1.10.3 | |---------------------------------------------+--------------------------| | Asterisk Business Edition | C.2.0.3 | |---------------------------------------------+--------------------------| | s800i (Asterisk Appliance) | 1.2.0.1 | +------------------------------------------------------------------------+ +----------------------------------------------------------------------------------------------------------------------------+ |Links|http://www.oisafety.org/guidelines/Guidelines%20for%20Security%20Vulnerability%20Reporting%20and%20Response%20V2.0.pdf| |-----+----------------------------------------------------------------------------------------------------------------------| | |http://www.securityfocus.com/bid/30321/info | +----------------------------------------------------------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Asterisk Project Security Advisories are posted at | | http://www.asterisk.org/security | | | | This document may be superseded by later versions; if so, the latest | | version will be posted at | | http://downloads.digium.com/pub/security/AST-2008-010.pdf and | | http://downloads.digium.com/pub/security/AST-2008-010.html | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Revision History | |------------------------------------------------------------------------| | Date | Editor | Revisions Made | |-----------------+--------------------+---------------------------------| | July 22, 2008 | Tilghman Lesher | Initial release | |-----------------+--------------------+---------------------------------| | July 22, 2008 | Tilghman Lesher | Revised C.1 version numbers | +------------------------------------------------------------------------+ Asterisk Project Security Advisory - AST-2008-010 Copyright (c) 2008 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.
fixed in voip overlay for version 1.4.20.2
Already stable in tree. Please vote!
Thanks for having bumped it. Voting noglsa because it's not so hard to exhaust Asterisk resources (like every VoIP software) even without any vulnerability.
hmm, it says it's fixed *in the VoIP overlay*, and I don't see any sign of asterisk 1.2.30 in the main tree... So back to [ebuild].
Sorry, I misread the version. Adjusting severity.
+*asterisk-1.2.31.1 (11 Mar 2009) + + 11 Mar 2009; <chainsaw@gentoo.org> + +files/1.2.0/asterisk-1.2.31.1-bri-fixups.diff, + +files/1.2.0/asterisk-1.2.31.1-comma-is-not-pipe.diff, + +files/1.2.0/asterisk-1.2.31.1-svn89254.diff, +asterisk-1.2.31.1.ebuild: + Version bump, for security bugs #250748 and #254304. Took a 1.4 build fix + that is relevant to 1.2, Digium bug #11238. Wrote patch to fix up typo in + open call, a comma is not a pipe sign. Used EAPI 2 for USE-based + dependencies instead of calling die. Patch from Mounir Lamouri adding + -lspeexdsp closes bug #206463 filed by John Read.
Stabling via bug 250748
GLSA 200905-01