Asterisk Project Security Advisory - AST-2007-020 +------------------------------------------------------------------------+ | Product | Asterisk | |--------------------+---------------------------------------------------| | Summary | Resource Exhaustion vulnerability in SIP channel | | | driver | |--------------------+---------------------------------------------------| | Nature of Advisory | Denial of Service | |--------------------+---------------------------------------------------| | Susceptibility | Remote Unauthenticated Sessions | |--------------------+---------------------------------------------------| | Severity | Moderate | |--------------------+---------------------------------------------------| | Exploits Known | No | |--------------------+---------------------------------------------------| | Reported On | August 9, 2007 | |--------------------+---------------------------------------------------| | Reported By | Jon Moldenauer (bugs.digium.com user | | | jmoldenhauer) | |--------------------+---------------------------------------------------| | Posted On | August 21, 2007 | |--------------------+---------------------------------------------------| | Last Updated On | August 21, 2007 | |--------------------+---------------------------------------------------| | Advisory Contact | Russell Bryant <russell at digium.com> | |--------------------+---------------------------------------------------| | CVE Name | CVE-2007-4455 | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Description | The handling of SIP dialog history was broken during the | | | development of Asterisk 1.4. Regardless of whether | | | recording SIP dialog history is turned on or off, the | | | history is still recorded in memory. Furthermore, there | | | is no upper limit on how many history items will be | | | stored for a given SIP dialog. | | | | | | It is possible for an attacker to use up all of the | | | system's memory by creating a SIP dialog that records | | | many entires in the history and never ends. It is also | | | worth noting for the sake of doing the math to calculate | | | what it would take to exploit this that each SIP history | | | entry will take up a maximum of 88 bytes. | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Resolution | The fix that has been added to chan_sip is to restore the | | | functionality where SIP dialog history is not recorded in | | | memory if it is not enabled. Furthermore, a maximum of 50 | | | entires in the history will be stored for each dialog | | | when recording history is turned on. | | | | | | The only way to avoid this problem in affected versions | | | of Asterisk is to disable chan_sip. If chan_sip is being | | | used, the system must be upgraded to a version that has | | | this issue resolved. | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Affected Versions | |------------------------------------------------------------------------| | Product | Release | | | | Series | | |----------------------------------+-------------+-----------------------| | Asterisk Open Source | 1.0.x | Not affected | |----------------------------------+-------------+-----------------------| | Asterisk Open Source | 1.2.x | Not affected | |----------------------------------+-------------+-----------------------| | Asterisk Open Source | 1.4.x | All versions prior to | | | | 1.4.11 | |----------------------------------+-------------+-----------------------| | Asterisk Business Edition | A.x.x | Not affected | |----------------------------------+-------------+-----------------------| | Asterisk Business Edition | B.x.x | Not affected | |----------------------------------+-------------+-----------------------| | AsteriskNOW | pre-release | All versions prior to | | | | beta7 | |----------------------------------+-------------+-----------------------| | Asterisk Appliance Developer Kit | 0.x.x | All versions prior to | | | | 0.8.0 | |----------------------------------+-------------+-----------------------| | s800i (Asterisk Appliance) | 1.0.x | All versions prior to | | | | 1.0.3 | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Corrected In | |------------------------------------------------------------------------| | Product | Release | |---------------+--------------------------------------------------------| | Asterisk Open | 1.4.11, available from | | Source | http://downloads.digium.com/pub/telephony/asterisk | |---------------+--------------------------------------------------------| | AsteriskNOW | Beta7, available from http://www.asterisknow.org/. | | | Beta5 and Beta6 users can update using the system | | | update feature in the appliance control panel. | |---------------+--------------------------------------------------------| | Asterisk | 0.8.0, available from | | Appliance | http://downloads.digium.com/pub/telephony/aadk | | Developer Kit | | |---------------+--------------------------------------------------------| | s800i | 1.0.3 | | (Asterisk | | | Appliance) | | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Links | http://bugs.digium.com/view.php?id=10421 | | | | | | http://bugs.digium.com/view.php?id=10418 | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Asterisk Project Security Advisories are posted at | | http://www.asterisk.org/security. | | | | This document may be superseded by later versions; if so, the latest | | version will be posted at | | http://downloads.digium.com/pub/asa/AST-2007-020.pdf and | | http://downloads.digium.com/pub/asa/AST-2007-020.html. | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Revision History | |------------------------------------------------------------------------| | Date | Editor | Revisions Made | |---------------------+------------------------+-------------------------| | August 21, 2007 | russell at digium.com | Initial Release | +------------------------------------------------------------------------+ Asterisk Project Security Advisory - AST-2007-020 Copyright (c) 2007 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.