AOH :: HP Unsorted S :: TB11667.HTM

STUN implementation remote crash



ASA-2007-017: Remote Crash Vulnerability in STUN implementation
ASA-2007-017: Remote Crash Vulnerability in STUN implementation



               Asterisk Project Security Advisory - ASA-2007-017

   +------------------------------------------------------------------------+
   |      Product       | Asterisk                                          |
   |--------------------+---------------------------------------------------|
   |      Summary       | Remote Crash Vulnerability in STUN implementation |
   |--------------------+---------------------------------------------------|
   | Nature of Advisory | Denial of Service                                 |
   |--------------------+---------------------------------------------------|
   |   Susceptibility   | Remote Unauthenticated Sessions                   |
   |--------------------+---------------------------------------------------|
   |      Severity      | Critical                                          |
   |--------------------+---------------------------------------------------|
   |   Exploits Known   | No                                                |
   |--------------------+---------------------------------------------------|
   |    Reported On     | July 13, 2007                                     |
   |--------------------+---------------------------------------------------|
   |    Reported By     | Will Drewry, Google Security Team                 |
   |--------------------+---------------------------------------------------|
   |     Posted On      | July 17, 2007                                     |
   |--------------------+---------------------------------------------------|
   |  Last Updated On   | July 17, 2007                                     |
   |--------------------+---------------------------------------------------|
| Advisory Contact | Joshua Colp  | 
   |--------------------+---------------------------------------------------|
   |      CVE Name      | CVE-2007-3765                                     |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Description | The Asterisk STUN implementation in the RTP stack has a  |
   |             | remotely exploitable crash vulnerability. A pointer may  |
   |             | run past accessible memory if Asterisk receives a        |
   |             | specially crafted STUN packet on an active RTP port.     |
   |             |                                                          |
   |             | The code that parses the incoming STUN packets           |
   |             | incorrectly checks that the length indicated in the STUN |
   |             | attribute and the size of the STUN attribute header does |
   |             | not exceed the available data. This will cause the data  |
   |             | pointer to run past accessible memory and when accessed  |
   |             | will cause a crash.                                      |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Resolution | All users that have chan_sip, chan_gtalk, chan_jingle,    |
   |            | chan_h323, chan_mgcp, or chan_skinny enabled on an        |
   |            | affected version should upgrade to the appropriate        |
   |            | version listed in the correct in section of this          |
   |            | advisory.                                                 |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |             Product              |   Release   |                       |
   |                                  |   Series    |                       |
   |----------------------------------+-------------+-----------------------|
   |       Asterisk Open Source       |    1.0.x    | None affected         |
   |----------------------------------+-------------+-----------------------|
   |       Asterisk Open Source       |    1.2.x    | None affected         |
   |----------------------------------+-------------+-----------------------|
   |       Asterisk Open Source       |    1.4.x    | All versions prior to |
   |                                  |             | 1.4.8                 |
   |----------------------------------+-------------+-----------------------|
   |    Asterisk Business Edition     |    A.x.x    | None affected         |
   |----------------------------------+-------------+-----------------------|
   |    Asterisk Business Edition     |    B.x.x    | None affected         |
   |----------------------------------+-------------+-----------------------|
   |           AsteriskNOW            | pre-release | All versions prior to |
   |                                  |             | beta7                 |
   |----------------------------------+-------------+-----------------------|
   | Asterisk Appliance Developer Kit |    0.x.x    | All versions prior to |
   |                                  |             | 0.5.0                 |
   |----------------------------------+-------------+-----------------------|
   |    s800i (Asterisk Appliance)    |    1.0.x    | All versions prior to |
   |                                  |             | 1.0.2                 |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                              Corrected In                              |
   |------------------------------------------------------------------------|
   |     Product     |                       Release                        |
   |-----------------+------------------------------------------------------|
   |  Asterisk Open  |                 1.4.8 available from                 |
| Source | ftp://ftp.digium.com/pub/telephony/asterisk | 
   |-----------------+------------------------------------------------------|
| AsteriskNOW | Beta7, available from http://www.asterisknow.org/. | 
   |                 |  Beta5 and Beta6 users can update using the system   |
   |                 |    update feature in the appliance control panel.    |
   |-----------------+------------------------------------------------------|
   |    Asterisk     |                0.5.0, available from                 |
| Appliance | ftp://ftp.digium.com/pub/telephony/aadk/ | 
   |  Developer Kit  |                                                      |
   |-----------------+------------------------------------------------------|
   | s800i (Asterisk |                        1.0.2                         |
   |   Appliance)    |                                                      |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |        Links        |                                                  |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Asterisk Project Security Advisories are posted at                     |
| http://www.asterisk.org/security. | 
   |                                                                        |
   | This document may be superseded by later versions; if so, the latest   |
   | version will be posted at                                              |
| http://ftp.digium.com/pub/asa/ASA-2007-017.pdf. | 
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                            Revision History                            |
   |------------------------------------------------------------------------|
   |        Date        |        Editor         |      Revisions Made       |
   |--------------------+-----------------------+---------------------------|
| July 17, 2006 | jcolp@digium.com | Initial Release | 
   +------------------------------------------------------------------------+

               Asterisk Project Security Advisory - ASA-2007-017
              Copyright (c) 2007 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.