Asterisk Project Security Advisory - AST-2009-010

Product             Asterisk
Summary             RTP Remote Crash Vulnerability
Nature of Advisory  Denial of Service
Susceptibility      Remote unauthenticated sessions
Severity            Critical
Exploits Known      No
Reported On         November 13, 2009
Reported By         issues.asterisk.org user amorsen
Posted On           November 30, 2009
Last Updated On     November 30, 2009
Advisory Contact    David Vossel < dvossel AT digium DOT com >
CVE Name            CVE-2009-4055



Description

An attacker sending a valid RTP comfort noise payload containing a data length of 24 bytes or greater can remotely crash Asterisk.
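Added example, not from the advisory or the Asterisk code base: an RTP packet check that identifies Comfort Noise packets (RFC 3551 static payload type 13) whose payload meets the trigger condition stated above, as a defender might use in a capture filter or detection rule. The sample packets and their SSRC value are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define RTP_PT_CN      13   /* static payload type for Comfort Noise (RFC 3551) */
#define CN_TRIGGER_LEN 24   /* AST-2009-010: CN payload of 24 bytes or more */

/* Payload length of an RTP packet (RFC 3550 header with CSRC list, header
 * extension and padding accounted for), or -1 if malformed. *pt gets the PT. */
int rtp_payload_len(const uint8_t *pkt, size_t len, unsigned *pt)
{
    if (len < 12 || (pkt[0] >> 6) != 2)        /* RTP version must be 2 */
        return -1;
    size_t hdr = 12 + 4 * (pkt[0] & 0x0f);     /* CC: number of CSRC ids */
    if (pkt[0] & 0x10) {                       /* X: header extension present */
        if (len < hdr + 4)
            return -1;
        hdr += 4 + 4 * (((size_t)pkt[hdr + 2] << 8) | pkt[hdr + 3]);
    }
    if (len < hdr)
        return -1;
    size_t pad = 0;
    if (pkt[0] & 0x20) {                       /* P: last octet is the pad count */
        pad = pkt[len - 1];
        if (pad == 0 || hdr + pad > len)
            return -1;
    }
    *pt = pkt[1] & 0x7f;
    return (int)(len - hdr - pad);
}

/* 1 if this is a CN packet meeting the advisory's trigger condition, else 0. */
int is_oversized_cn(const uint8_t *pkt, size_t len)
{
    unsigned pt = 0;
    int plen = rtp_payload_len(pkt, len, &pt);
    return plen >= CN_TRIGGER_LEN && pt == RTP_PT_CN;
}

/* Constructed sample packets (not from the advisory): V=2, PT=13, SSRC 0x12345678. */
static const uint8_t cn_normal[13]    = {0x80, 13, 0, 1, 0, 0, 0, 0, 0x12, 0x34, 0x56, 0x78, 0x20};
static const uint8_t cn_padded[16]    = {0xa0, 13, 0, 2, 0, 0, 0, 0, 0x12, 0x34, 0x56, 0x78, 0x20, 0, 0, 3};
static const uint8_t cn_oversized[36] = {0x80, 13, 0, 3, 0, 0, 0, 0, 0x12, 0x34, 0x56, 0x78}; /* 24 zero bytes */

int main(void)
{
    printf("normal:    %d\n", is_oversized_cn(cn_normal, sizeof cn_normal));       /* 0 */
    printf("padded:    %d\n", is_oversized_cn(cn_padded, sizeof cn_padded));       /* 0 */
    printf("oversized: %d\n", is_oversized_cn(cn_oversized, sizeof cn_oversized)); /* 1 */
    return 0;
}
```

The padded sample shows why the padding octet must be subtracted before comparing against the threshold: a packet of 16 bytes carries only a 1-byte CN payload.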


Resolution

Upgrade to one of the versions of Asterisk listed in the “Corrected In” section, or apply a patch specified in the “Patches” section.


Affected Versions

Product                      Release Series
Asterisk Open Source         1.2.x             All versions
Asterisk Open Source         1.4.x             All versions
Asterisk Open Source         1.6.x             All versions
Asterisk Business Edition    B.x.x             All versions
Asterisk Business Edition    C.x.x             All versions
s800i (Asterisk Appliance)   1.3.x             All versions


Corrected In

Product                      Release
Asterisk Open Source         1.2.37
Asterisk Open Source         1.4.27.1
Asterisk Open Source         1.6.0.19
Asterisk Open Source         1.6.1.11
Asterisk Business Edition    B.2.5.13
Asterisk Business Edition    C.2.4.6
Asterisk Business Edition    C.3.2.3
S800i (Asterisk Appliance)   1.3.0.6


Patches

Link                                                                    Branch
http://downloads.asterisk.org/pub/security/AST-2009-010-1.2.diff.txt    1.2
http://downloads.asterisk.org/pub/security/AST-2009-010-1.4.diff.txt    1.4
http://downloads.asterisk.org/pub/security/AST-2009-010-1.6.0.diff.txt  1.6.0
http://downloads.asterisk.org/pub/security/AST-2009-010-1.6.1.diff.txt  1.6.1



Links

https://issues.asterisk.org/view.php?id=16242


Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2009-010.pdf and http://downloads.digium.com/pub/security/AST-2009-010.html


Revision History

Date         Editor          Revisions Made
2009-09-03   David Vossel    Initial release


Copyright © 2009 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.