Asterisk Project Security Advisory - AST-2012-001 +------------------------------------------------------------------------+ | Product | Asterisk | |----------------------+-------------------------------------------------| | Summary | SRTP Video Remote Crash Vulnerability | |----------------------+-------------------------------------------------| | Nature of Advisory | Denial of Service | |----------------------+-------------------------------------------------| | Susceptibility | Remote unauthenticated sessions | |----------------------+-------------------------------------------------| | Severity | Moderate | |----------------------+-------------------------------------------------| | Exploits Known | No | |----------------------+-------------------------------------------------| | Reported On | 2012-01-15 | |----------------------+-------------------------------------------------| | Reported By | Catalin Sanda | |----------------------+-------------------------------------------------| | Posted On | 2012-01-19 | |----------------------+-------------------------------------------------| | Last Updated On | January 19, 2012 | |----------------------+-------------------------------------------------| | Advisory Contact | Joshua Colp < jcolp AT digium DOT com > | |----------------------+-------------------------------------------------| | CVE Name | | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Description | An attacker attempting to negotiate a secure video | | | stream can crash Asterisk if video support has not been | | | enabled and the res_srtp Asterisk module is loaded. | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Resolution | Upgrade to one of the versions of Asterisk listed in the | | | "Corrected In" section, or apply a patch specified in the | | | "Patches" section. | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Affected Versions | |------------------------------------------------------------------------| | Product | Release Series | | |-------------------------------+----------------+-----------------------| | Asterisk Open Source | 1.8.x | All versions | |-------------------------------+----------------+-----------------------| | Asterisk Open Source | 10.x | All versions | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Corrected In | |------------------------------------------------------------------------| | Product | Release | |------------------------------------------+-----------------------------| | Asterisk Open Source | 1.8.8.2 | |------------------------------------------+-----------------------------| | Asterisk Open Source | 10.0.1 | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Patches | |------------------------------------------------------------------------| | SVN URL |Branch| |-----------------------------------------------------------------+------| |http://downloads.asterisk.org/pub/security/AST-2012-001-1.8.diff |v1.8 | |-----------------------------------------------------------------+------| |http://downloads.asterisk.org/pub/security/AST-2012-001-10.diff |v10 | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Links | https://issues.asterisk.org/jira/browse/ASTERISK-19202 | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Asterisk Project Security Advisories are posted at | | http://www.asterisk.org/security | | | | This document may be superseded by later versions; if so, the latest | | version will be posted at | | http://downloads.digium.com/pub/security/AST-2012-001.pdf and | | http://downloads.digium.com/pub/security/AST-2012-001.html | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Revision History | |------------------------------------------------------------------------| | Date | Editor | Revisions Made | |-----------------+--------------------+---------------------------------| | 12-01-19 | Joshua Colp | Initial release | +------------------------------------------------------------------------+ Asterisk Project Security Advisory - AST-2012-001 Copyright (c) 2012 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.