
AST-2009-010: RTP Remote Crash Vulnerability



               Asterisk Project Security Advisory - AST-2009-010

   +------------------------------------------------------------------------+
   |       Product        | Asterisk                                        |
   |----------------------+-------------------------------------------------|
   |       Summary        | RTP Remote Crash Vulnerability                  |
   |----------------------+-------------------------------------------------|
   |  Nature of Advisory  | Denial of Service                               |
   |----------------------+-------------------------------------------------|
   |    Susceptibility    | Remote unauthenticated sessions                 |
   |----------------------+-------------------------------------------------|
   |       Severity       | Critical                                        |
   |----------------------+-------------------------------------------------|
   |    Exploits Known    | No                                              |
   |----------------------+-------------------------------------------------|
   |     Reported On      | November 13, 2009                               |
   |----------------------+-------------------------------------------------|
   |     Reported By      | issues.asterisk.org user amorsen                |
   |----------------------+-------------------------------------------------|
   |      Posted On       | November 30, 2009                               |
   |----------------------+-------------------------------------------------|
   |   Last Updated On    | November 30, 2009                               |
   |----------------------+-------------------------------------------------|
   |   Advisory Contact   | David Vossel < dvossel AT digium DOT com >      |
   |----------------------+-------------------------------------------------|
   |       CVE Name       | CVE-2009-4055                                   |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Description | An attacker sending a valid RTP comfort noise payload    |
   |             | containing a data length of 24 bytes or greater can      |
   |             | remotely crash Asterisk.                                 |
   +------------------------------------------------------------------------+
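What the advisory calls "a valid RTP comfort noise payload containing a data length of 24 bytes or greater" is the RTP payload proper: the bytes that follow the RFC 3550 header (fixed 12 bytes, plus any CSRC list and header extension), with RTP padding excluded, not the whole UDP datagram. The program below is an added example written for this page; it is not part of the advisory and not Asterisk code. It parses the RTP header, picks out RFC 3389 comfort-noise packets by the static payload type 13 assigned in RFC 3551, and reports any whose payload is 24 bytes or longer, which is the threshold the advisory names. The 24-byte limit comes from the advisory and the packet layout from the RFCs; the sample packets, SSRC/CSRC values and every function and constant name are constructed for the example and are not Asterisk identifiers.

```c
/* Added example for AST-2009-010, not Asterisk code: parse an RTP header and flag RFC 3389
 * comfort-noise payloads of 24 bytes or more. Packets, SSRC/CSRC values and names are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define RTP_PT_CN    13   /* RFC 3551 static payload type for comfort noise */
#define CN_CRASH_LEN 24   /* payload length at/above which the advisory applies */

/* Verdicts: not RTP / CN below threshold / RTP but not CN / CN at or over threshold */
enum cn_verdict { RTP_NOT_RTP = -1, RTP_OK = 0, RTP_NOT_CN = 1, RTP_CN_SUSPECT = 2 };

/* Parse the RFC 3550 header. On success store payload type and payload length
 * (fixed header, CSRC list, extension and padding excluded) and return 0;
 * return -1 when len is shorter than the header fields claim. */
static int rtp_parse(const uint8_t *pkt, size_t len, uint8_t *pt, size_t *payload_len)
{
    size_t hdr, padlen = 0;
    if (len < 12 || (pkt[0] >> 6) != 2)        /* version must be 2 */
        return -1;
    hdr = 12 + 4 * (size_t)(pkt[0] & 0x0f);     /* CC: one 32-bit CSRC each */
    if (len < hdr)
        return -1;
    if (pkt[0] & 0x10) {                        /* X: profile (2) + length in words (2) */
        if (len < hdr + 4)
            return -1;
        hdr += 4 + 4 * (size_t)((pkt[hdr + 2] << 8) | pkt[hdr + 3]);
        if (len < hdr)
            return -1;
    }
    if (pkt[0] & 0x20) {                        /* P: last byte is the pad count */
        padlen = pkt[len - 1];
        if (padlen == 0 || hdr + padlen > len)
            return -1;
    }
    *pt = pkt[1] & 0x7f;
    *payload_len = len - hdr - padlen;
    return 0;
}

/* Classify one UDP payload expected to carry RTP. */
int classify_cn(const uint8_t *pkt, size_t len)
{
    uint8_t pt;
    size_t payload_len;
    if (rtp_parse(pkt, len, &pt, &payload_len) < 0)
        return RTP_NOT_RTP;
    if (pt != RTP_PT_CN)
        return RTP_NOT_CN;
    /* RFC 3389 payload: one noise-level byte, then optional spectral coefficients */
    return payload_len >= CN_CRASH_LEN ? RTP_CN_SUSPECT : RTP_OK;
}

/* Build a minimal RTP packet (no CSRC, extension or padding) with payload type pt
 * and a CN-style payload of payload_len bytes; returns 0 if buf is too small. */
size_t build_rtp_packet(uint8_t *buf, size_t bufsize, uint8_t pt, size_t payload_len)
{
    size_t i;
    if (bufsize < 12 + payload_len)
        return 0;
    memset(buf, 0, 12 + payload_len);           /* seq 0, timestamp 0 */
    buf[0] = 0x80;                              /* V=2, P=0, X=0, CC=0 */
    buf[1] = pt & 0x7f;                         /* M=0 */
    buf[8] = 0x11; buf[9] = 0x22; buf[10] = 0x33; buf[11] = 0x44;  /* SSRC (constructed) */
    for (i = 0; i < payload_len; i++)           /* level byte, then dummy coefficients */
        buf[12 + i] = (i == 0) ? 0x1e : (uint8_t)i;
    return 12 + payload_len;
}

/* Build and classify in one call. */
int check_cn_len(uint8_t pt, size_t payload_len)
{
    uint8_t buf[512];
    size_t n = build_rtp_packet(buf, sizeof buf, pt, payload_len);
    return n ? classify_cn(buf, n) : RTP_NOT_RTP;
}

/* Constructed CN packet with one CSRC, a one-word header extension and two
 * padding bytes: 24 header bytes + 24 payload bytes + 2 pad bytes = 50. */
const uint8_t sample_cn_ext[] = {
    0xb1, 0x0d, 0x00, 0x07,  /* V=2 P=1 X=1 CC=1, PT=13, seq=7 */
    0x00, 0x00, 0x3e, 0x80,  /* timestamp */
    0x11, 0x22, 0x33, 0x44,  /* SSRC */
    0x55, 0x66, 0x77, 0x88,  /* CSRC */
    0xbe, 0xde, 0x00, 0x01,  /* extension: profile 0xBEDE, length 1 word */
    0x00, 0x00, 0x00, 0x00,  /* extension word */
    0x1e, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,  /* 24-byte CN payload */
    0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
    0x00, 0x02               /* padding; last byte is the pad count */
};

int main(void)
{
    size_t lens[] = { 1, 23, 24, 200 }, i;
    for (i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("CN payload %3zu bytes -> %d\n", lens[i], check_cn_len(RTP_PT_CN, lens[i]));
    printf("CSRC/ext/padding sample -> %d\n", classify_cn(sample_cn_ext, sizeof sample_cn_ext));
    return 0;
}
```

Two caveats for anyone turning this into a capture filter or IDS rule. Comfort noise is frequently negotiated under a dynamic payload type in the SDP offer/answer rather than the static type 13, so a production check has to take the CN payload type from the signalling of that call; the example above matches only the static type. And a flagged packet is not by itself evidence of an attack: the advisory describes the payload as valid, so the verdict says only that a system from the Affected Versions table would be exposed to that stream, not that the sender is hostile.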

   +------------------------------------------------------------------------+
   | Resolution | Upgrade to one of the versions of Asterisk listed in the  |
   |            | "Corrected In" section, or apply a patch specified in the |
   |            | "Patches" section.                                        |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |             Product              | Release Series |                    |
   |----------------------------------+----------------+--------------------|
   |       Asterisk Open Source       |     1.2.x      | All versions       |
   |----------------------------------+----------------+--------------------|
   |       Asterisk Open Source       |     1.4.x      | All versions       |
   |----------------------------------+----------------+--------------------|
   |       Asterisk Open Source       |     1.6.x      | All versions       |
   |----------------------------------+----------------+--------------------|
   |    Asterisk Business Edition     |     B.x.x      | All versions       |
   |----------------------------------+----------------+--------------------|
   |    Asterisk Business Edition     |     C.x.x      | All versions       |
   |----------------------------------+----------------+--------------------|
   |    s800i (Asterisk Appliance)    |     1.3.x      | All versions       |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                              Corrected In                              |
   |------------------------------------------------------------------------|
   |                   Product                   |         Release          |
   |---------------------------------------------+--------------------------|
   |            Asterisk Open Source             |          1.2.37          |
   |---------------------------------------------+--------------------------|
   |            Asterisk Open Source             |         1.4.27.1         |
   |---------------------------------------------+--------------------------|
   |            Asterisk Open Source             |         1.6.0.19         |
   |---------------------------------------------+--------------------------|
   |            Asterisk Open Source             |         1.6.1.11         |
   |---------------------------------------------+--------------------------|
   |          Asterisk Business Edition          |         B.2.5.13         |
   |---------------------------------------------+--------------------------|
   |          Asterisk Business Edition          |         C.2.4.6          |
   |---------------------------------------------+--------------------------|
   |          Asterisk Business Edition          |         C.3.2.3          |
   |---------------------------------------------+--------------------------|
   |         s800i (Asterisk Appliance)          |         1.3.0.6          |
   +------------------------------------------------------------------------+

 +-----------------------------------------------------------------------------+
 |                                   Patches                                   |
 |-----------------------------------------------------------------------------|
 |                                 Link                                 |Branch|
 |----------------------------------------------------------------------+------|
 |http://downloads.asterisk.org/pub/security/AST-2009-010-1.2.diff.txt  |1.2   |
 |----------------------------------------------------------------------+------|
 |http://downloads.asterisk.org/pub/security/AST-2009-010-1.4.diff.txt  |1.4   |
 |----------------------------------------------------------------------+------|
 |http://downloads.asterisk.org/pub/security/AST-2009-010-1.6.0.diff.txt|1.6.0 |
 |----------------------------------------------------------------------+------|
 |http://downloads.asterisk.org/pub/security/AST-2009-010-1.6.1.diff.txt|1.6.1 |
 +-----------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |     Links      | https://issues.asterisk.org/view.php?id=16242         |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Asterisk Project Security Advisories are posted at                     |
   | http://www.asterisk.org/security                                       |
   |                                                                        |
   | This document may be superseded by later versions; if so, the latest   |
   | version will be posted at                                              |
   | http://downloads.digium.com/pub/security/AST-2009-010.pdf and          |
   | http://downloads.digium.com/pub/security/AST-2009-010.html             |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                            Revision History                            |
   |------------------------------------------------------------------------|
   |       Date       |       Editor        |        Revisions Made         |
   |------------------+---------------------+-------------------------------|
   | 2009-11-30       | David Vossel        | Initial release               |
   +------------------------------------------------------------------------+

               Asterisk Project Security Advisory - AST-2009-010
              Copyright (c) 2009 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

