Asterisk Project Security Advisory - ASA-2007-017 +------------------------------------------------------------------------+ | Product | Asterisk | |--------------------+---------------------------------------------------| | Summary | Remote Crash Vulnerability in STUN implementation | |--------------------+---------------------------------------------------| | Nature of Advisory | Denial of Service | |--------------------+---------------------------------------------------| | Susceptibility | Remote Unauthenticated Sessions | |--------------------+---------------------------------------------------| | Severity | Critical | |--------------------+---------------------------------------------------| | Exploits Known | No | |--------------------+---------------------------------------------------| | Reported On | July 13, 2007 | |--------------------+---------------------------------------------------| | Reported By | Will Drewry, Google Security Team | |--------------------+---------------------------------------------------| | Posted On | July 17, 2007 | |--------------------+---------------------------------------------------| | Last Updated On | July 17, 2007 | |--------------------+---------------------------------------------------| | Advisory Contact | Joshua Colp <jcolp at digium.com> | |--------------------+---------------------------------------------------| | CVE Name | CVE-2007-3765 | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Description | The Asterisk STUN implementation in the RTP stack has a | | | remotely exploitable crash vulnerability. A pointer may | | | run past accessible memory if Asterisk receives a | | | specially crafted STUN packet on an active RTP port. | | | | | | The code that parses the incoming STUN packets | | | incorrectly checks that the length indicated in the STUN | | | attribute and the size of the STUN attribute header does | | | not exceed the available data. This will cause the data | | | pointer to run past accessible memory and when accessed | | | will cause a crash. | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Resolution | All users that have chan_sip, chan_gtalk, chan_jingle, | | | chan_h323, chan_mgcp, or chan_skinny enabled on an | | | affected version should upgrade to the appropriate | | | version listed in the correct in section of this | | | advisory. | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Affected Versions | |------------------------------------------------------------------------| | Product | Release | | | | Series | | |----------------------------------+-------------+-----------------------| | Asterisk Open Source | 1.0.x | None affected | |----------------------------------+-------------+-----------------------| | Asterisk Open Source | 1.2.x | None affected | |----------------------------------+-------------+-----------------------| | Asterisk Open Source | 1.4.x | All versions prior to | | | | 1.4.8 | |----------------------------------+-------------+-----------------------| | Asterisk Business Edition | A.x.x | None affected | |----------------------------------+-------------+-----------------------| | Asterisk Business Edition | B.x.x | None affected | |----------------------------------+-------------+-----------------------| | AsteriskNOW | pre-release | All versions prior to | | | | beta7 | |----------------------------------+-------------+-----------------------| | Asterisk Appliance Developer Kit | 0.x.x | All versions prior to | | | | 0.5.0 | |----------------------------------+-------------+-----------------------| | s800i (Asterisk Appliance) | 1.0.x | All versions prior to | | | | 1.0.2 | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Corrected In | |------------------------------------------------------------------------| | Product | Release | |-----------------+------------------------------------------------------| | Asterisk Open | 1.4.8 available from | | Source | ftp://ftp.digium.com/pub/telephony/asterisk | |-----------------+------------------------------------------------------| | AsteriskNOW | Beta7, available from http://www.asterisknow.org/. | | | Beta5 and Beta6 users can update using the system | | | update feature in the appliance control panel. | |-----------------+------------------------------------------------------| | Asterisk | 0.5.0, available from | | Appliance | ftp://ftp.digium.com/pub/telephony/aadk/ | | Developer Kit | | |-----------------+------------------------------------------------------| | s800i (Asterisk | 1.0.2 | | Appliance) | | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Links | | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Asterisk Project Security Advisories are posted at | | http://www.asterisk.org/security. | | | | This document may be superseded by later versions; if so, the latest | | version will be posted at | | http://ftp.digium.com/pub/asa/ASA-2007-017.pdf. | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Revision History | |------------------------------------------------------------------------| | Date | Editor | Revisions Made | |--------------------+-----------------------+---------------------------| | July 17, 2006 | jcolp at digium.com | Initial Release | +------------------------------------------------------------------------+ Asterisk Project Security Advisory - ASA-2007-017 Copyright (c) 2007 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.