Asterisk Project Security Advisory - AST-2011-003

Product: Asterisk
Summary: Resource exhaustion in Asterisk Manager Interface
Nature of Advisory: Denial of Service
Susceptibility: Remote Unauthenticated Sessions if manager interface is accessible
Severity: Moderate
Exploits Known: No
Reported On: March 1, 2011
Reported By: Blake Cornell <blake@remoteorigin.com>
Posted On: March 16, 2011
Last Updated On: March 17, 2011
Advisory Contact: Terry Wilson <twilson@digium.com>



Description

Rapidly opening manager connections, sending invalid data, and closing the connection can cause Asterisk to exhaust available CPU and memory resources. The manager interface is disabled by default.


Resolution

Failed writes to manager clients are flagged and the connection closed.


Affected Versions

Product                 Release Series
Asterisk Open Source    1.6.1.x           All versions
Asterisk Open Source    1.6.2.x           All versions
Asterisk Open Source    1.8.x             All versions


Corrected In

Product                 Release
Asterisk Open Source    1.6.1.24, 1.6.2.17.2, 1.8.3.2
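As an added example (not part of the advisory and not Digium's code), the release list above and the "disabled by default" note in the Description can be turned into a quick exposure check: a host is exposed only when it runs a pre-fix build of an affected series and the manager interface is enabled on a non-loopback address. The example assumes the layout of Asterisk's manager.conf, with `enabled` and `bindaddr` under `[general]` and `;` comments, which the advisory itself does not describe; the sample configuration is constructed.

```python
"""Exposure check for AST-2011-003: vulnerable Asterisk build with network-reachable AMI."""
import re

# Affected release series and the first fixed release in each (from the advisory).
FIXED_IN = {
    (1, 6, 1): (1, 6, 1, 24),
    (1, 6, 2): (1, 6, 2, 17, 2),
    (1, 8): (1, 8, 3, 2),
}

# Constructed sample of a manager.conf [general] section (assumed layout, not from the page).
SAMPLE_CONF = """\
[general]
enabled = yes          ; AMI listener switched on
bindaddr = 0.0.0.0     ; reachable from every interface
"""

def parse_version(text):
    """'1.6.2.17.2' -> (1, 6, 2, 17, 2); a trailing tag such as '-rc1' is ignored."""
    return tuple(int(p) for p in re.match(r"\d+(?:\.\d+)*", text).group().split("."))

def version_state(version):
    """'vulnerable', 'fixed', or 'not-listed' (a series the advisory does not cover)."""
    v = parse_version(version)
    for series, fixed in FIXED_IN.items():
        if v[:len(series)] == series:          # same release series as the advisory row
            return "fixed" if v >= fixed else "vulnerable"
    return "not-listed"

def manager_exposure(conf_text):
    """Read enabled/bindaddr from [general]; ';' starts a comment; AMI is off when unset."""
    section, settings = None, {}
    for raw in conf_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "general" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            settings[key.lower()] = value
    enabled = settings.get("enabled", "no").lower() in ("yes", "true", "1")
    bindaddr = settings.get("bindaddr", "0.0.0.0")   # assumed wildcard default
    return {"enabled": enabled, "bindaddr": bindaddr,
            "network_reachable": enabled and not bindaddr.startswith("127.")}

def assess(version, conf_text):
    """EXPOSED: vulnerable and reachable; LATENT: vulnerable but AMI off/loopback; else NOT_AFFECTED."""
    if version_state(version) != "vulnerable":
        return "NOT_AFFECTED"
    return "EXPOSED" if manager_exposure(conf_text)["network_reachable"] else "LATENT"
```

A LATENT result still warrants upgrading, since enabling AMI later would turn it into EXPOSED.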


Patches

URL                                                                  Branch
http://downloads.asterisk.org/pub/security/AST-2011-003-1.6.1.diff   1.6.1
http://downloads.asterisk.org/pub/security/AST-2011-003-1.6.2.diff   1.6.2
http://downloads.asterisk.org/pub/security/AST-2011-003-1.8.diff     1.8


Links

Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2011-003.pdf and http://downloads.digium.com/pub/security/AST-2011-003.html


Revision History

Date         Editor              Revisions Made
2011-03-14   Terry Wilson        Initial release
2011-03-17   Matthew Nicholson   Updated patches and release versions with bugfix


Copyright © 2011 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.