            Asterisk Project Security Advisory - AST-2009-010

+------------------------------------------------------------------------+
| Product              | Asterisk                                        |
|----------------------+-------------------------------------------------|
| Summary              | RTP Remote Crash Vulnerability                  |
|----------------------+-------------------------------------------------|
| Nature of Advisory   | Denial of Service                               |
|----------------------+-------------------------------------------------|
| Susceptibility       | Remote unauthenticated sessions                 |
|----------------------+-------------------------------------------------|
| Severity             | Critical                                        |
|----------------------+-------------------------------------------------|
| Exploits Known       | No                                              |
|----------------------+-------------------------------------------------|
| Reported On          | November 13, 2009                               |
|----------------------+-------------------------------------------------|
| Reported By          | issues.asterisk.org user amorsen                |
|----------------------+-------------------------------------------------|
| Posted On            | November 30, 2009                               |
|----------------------+-------------------------------------------------|
| Last Updated On      | November 30, 2009                               |
|----------------------+-------------------------------------------------|
| Advisory Contact     | David Vossel < dvossel AT digium DOT com >      |
|----------------------+-------------------------------------------------|
| CVE Name             | CVE-2009-4055                                   |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Description | An attacker sending a valid RTP comfort noise payload    |
|             | containing a data length of 24 bytes or greater can      |
|             | remotely crash Asterisk.                                 |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Resolution | Upgrade to one of the versions of Asterisk listed in the  |
|            | "Corrected In" section, or apply a patch specified in the |
|            | "Patches" section.                                        |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
|                           Affected Versions                            |
|------------------------------------------------------------------------|
| Product                          | Release Series |                    |
|----------------------------------+----------------+--------------------|
| Asterisk Open Source             | 1.2.x          | All versions       |
|----------------------------------+----------------+--------------------|
| Asterisk Open Source             | 1.4.x          | All versions       |
|----------------------------------+----------------+--------------------|
| Asterisk Open Source             | 1.6.x          | All versions       |
|----------------------------------+----------------+--------------------|
| Asterisk Business Edition        | B.x.x          | All versions       |
|----------------------------------+----------------+--------------------|
| Asterisk Business Edition        | C.x.x          | All versions       |
|----------------------------------+----------------+--------------------|
| s800i (Asterisk Appliance)       | 1.3.x          | All versions       |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
|                              Corrected In                              |
|------------------------------------------------------------------------|
| Product                                     | Release                  |
|---------------------------------------------+--------------------------|
| Asterisk Open Source                        | 1.2.37                   |
|---------------------------------------------+--------------------------|
| Asterisk Open Source                        | 1.4.27.1                 |
|---------------------------------------------+--------------------------|
| Asterisk Open Source                        | 1.6.0.19                 |
|---------------------------------------------+--------------------------|
| Asterisk Open Source                        | 1.6.1.11                 |
|---------------------------------------------+--------------------------|
| Asterisk Business Edition                   | B.2.5.13                 |
|---------------------------------------------+--------------------------|
| Asterisk Business Edition                   | C.2.4.6                  |
|---------------------------------------------+--------------------------|
| Asterisk Business Edition                   | C.3.2.3                  |
|---------------------------------------------+--------------------------|
| S800i (Asterisk Appliance)                  | 1.3.0.6                  |
+------------------------------------------------------------------------+

+-----------------------------------------------------------------------------+
|                                   Patches                                   |
|-----------------------------------------------------------------------------|
| Link                                                                 |Branch|
|----------------------------------------------------------------------+------|
|http://downloads.asterisk.org/pub/security/AST-2009-010-1.2.diff.txt  |1.2   |
|----------------------------------------------------------------------+------|
|http://downloads.asterisk.org/pub/security/AST-2009-010-1.4.diff.txt  |1.4   |
|----------------------------------------------------------------------+------|
|http://downloads.asterisk.org/pub/security/AST-2009-010-1.6.0.diff.txt|1.6.0 |
|----------------------------------------------------------------------+------|
|http://downloads.asterisk.org/pub/security/AST-2009-010-1.6.1.diff.txt|1.6.1 |
+-----------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Links | https://issues.asterisk.org/view.php?id=16242                  |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at                     |
| http://www.asterisk.org/security                                       |
|                                                                        |
| This document may be superseded by later versions; if so, the latest   |
| version will be posted at                                              |
| http://downloads.digium.com/pub/security/AST-2009-010.pdf and          |
| http://downloads.digium.com/pub/security/AST-2009-010.html             |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
|                            Revision History                            |
|------------------------------------------------------------------------|
| Date             | Editor              | Revisions Made                |
|------------------+---------------------+-------------------------------|
| 2009-09-03       | David Vossel        | Initial release               |
+------------------------------------------------------------------------+

              Copyright (c) 2009 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.
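For operators triaging a crash against the Description above, a useful first check is whether captured RTP traffic to the affected host carried comfort noise (CN) payloads at or above the 24-byte length the advisory names. The following Python is an added example written for this page; it is not code from the advisory or from the Asterisk project. It assumes CN is carried on the RFC 3389 static payload type 13 (the CN_PAYLOAD_TYPES set is an assumption to extend if a dynamic type was negotiated), uses the advisory's 24-byte figure as the threshold, and runs over constructed sample packets rather than captured traffic. The parser honours CSRC lists, header extensions and the padding bit, so a padded packet is measured by its real payload length rather than its wire length.

```python
import struct

# RFC 3389 assigns comfort noise (CN) the static RTP payload type 13.
# Assumption: deployments that negotiate CN on a dynamic payload type add it here.
CN_PAYLOAD_TYPES = {13}

# The advisory states that a CN payload of 24 bytes or more triggers the crash.
CN_LENGTH_THRESHOLD = 24


def parse_rtp(packet: bytes):
    """Parse an RTP packet (RFC 3550 fixed header, CSRC list, header
    extension and padding).  Returns a dict of header fields plus the
    payload bytes, or None if the packet is not well-formed RTP v2."""
    if len(packet) < 12:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    if b0 >> 6 != 2:  # only RTP version 2 is valid
        return None
    has_padding = bool(b0 & 0x20)
    has_extension = bool(b0 & 0x10)
    csrc_count = b0 & 0x0F
    payload_type = b1 & 0x7F
    offset = 12 + 4 * csrc_count
    if has_extension:
        if len(packet) < offset + 4:
            return None
        ext_words = struct.unpack("!H", packet[offset + 2:offset + 4])[0]
        offset += 4 + 4 * ext_words
    if len(packet) < offset:
        return None
    end = len(packet)
    if has_padding:
        pad = packet[-1]  # last octet holds the padding length, itself included
        if pad == 0 or pad > end - offset:
            return None
        end -= pad
    return {
        "payload_type": payload_type,
        "marker": bool(b1 & 0x80),
        "seq": seq,
        "timestamp": ts,
        "ssrc": ssrc,
        "payload": packet[offset:end],
    }


def classify_cn(packet: bytes, threshold: int = CN_LENGTH_THRESHOLD) -> str:
    """Return 'not-rtp', 'not-cn', 'cn-ok' or 'cn-oversized' for one packet."""
    hdr = parse_rtp(packet)
    if hdr is None:
        return "not-rtp"
    if hdr["payload_type"] not in CN_PAYLOAD_TYPES:
        return "not-cn"
    return "cn-oversized" if len(hdr["payload"]) >= threshold else "cn-ok"


def scan_packets(packets):
    """Run the check over a sequence of packets and return one alert per
    oversized CN payload, carrying the fields an analyst would pivot on."""
    alerts = []
    for index, pkt in enumerate(packets):
        if classify_cn(pkt) == "cn-oversized":
            hdr = parse_rtp(pkt)
            alerts.append({"index": index, "ssrc": hdr["ssrc"],
                           "seq": hdr["seq"], "length": len(hdr["payload"])})
    return alerts


def make_rtp(payload_type: int, payload: bytes, seq: int = 1, ts: int = 0,
             ssrc: int = 0x11223344, padding: int = 0) -> bytes:
    """Build a minimal RTP v2 packet; used only to construct sample input."""
    b0 = 0x80 | (0x20 if padding else 0)
    if padding:
        payload += bytes(padding - 1) + bytes([padding])
    return struct.pack("!BBHII", b0, payload_type & 0x7F, seq, ts, ssrc) + payload


# Constructed sample packets (not captured traffic).  A CN payload starts
# with one noise-level octet, optionally followed by spectral coefficients.
CN_SMALL = make_rtp(13, bytes([0x1E]), seq=10)                          # 1-byte CN
CN_BIG = make_rtp(13, bytes([0x1E]) + bytes(23), seq=11)                 # 24-byte CN
CN_PADDED = make_rtp(13, bytes([0x1E]) + bytes(21), seq=12, padding=4)  # 22 bytes + padding
PCMU_LARGE = make_rtp(0, bytes(160), seq=13)                             # 160-byte G.711, not CN
NOT_RTP = b"\x00\x01\x02"                                                # too short to be RTP
SAMPLE_PACKETS = [CN_SMALL, CN_BIG, CN_PADDED, PCMU_LARGE, NOT_RTP]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(classify_cn(pkt))
    print(scan_packets(SAMPLE_PACKETS))
```

Feed `scan_packets` the UDP payloads of a capture taken on the RTP port range and look at the SSRC and sequence numbers of any alerts; a single SSRC emitting oversized CN payloads against an unpatched version is a strong indicator. The check is a triage aid only: the remedy remains the upgrade or patch listed under "Corrected In" and "Patches".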