Asterisk
Project Security Advisory -
|
Product |
Asterisk |
|
Summary |
Multiple problems in SIP channel parser handling response codes |
|
Nature of Advisory |
Denial of Service |
|
Susceptibility |
Remote Unauthenticated Sessions |
|
Severity |
Critical |
|
Exploits Known |
No |
|
Reported On |
March 20, 2007 |
|
Reported By |
Mantis user ID 'qwerty1979' |
|
Posted On |
April 24, 2007 |
|
Last Updated On |
|
|
Advisory Contact |
kpfleming@digium.com |
|
CVE Name |
CVE-2007-1594 |
|
Description |
Multiple problems have been identified in the Asterisk SIP channel driver (chan_sip) when handling response packets from other SIP endpoints.
If the response packets did not contain a valid response code in the first line of the UDP packet, the Asterisk SIP channel driver would fail to parse the packet properly and would cause the Asterisk process to die with a segmentation fault. This results in all active calls and other sessions being lost.
More details about these issues can be found at http://bugs.digium.com/view.php?id=9313. |
|
Resolution |
All users are urged to upgrade to the appropriate version of their Asterisk product listed in the 'Corrected In' section below. |
|
Affected Versions |
||
|
Product |
Release Series |
|
|
Asterisk Open Source |
1.0.x |
has not been evaluated as this release series is no longer maintained |
|
Asterisk Open Source |
1.2.x |
all releases prior to 1.2.18 |
|
Asterisk Open Source |
1.4.x |
all releases prior to 1.4.3 |
|
Asterisk Business Edition |
A.x.x |
all releases |
|
Asterisk Business Edition |
B.x.x |
all releases prior to and including B.1.3.2 |
|
AsteriskNOW |
pre-release |
all releases prior to and including Beta 5 |
|
Asterisk Appliance Developer Kit |
0.x.x |
all releases prior to 0.4.0 |
|
Corrected In |
|
|
Product |
Release |
|
Asterisk Open Source |
1.2.18 and 1.4.3, available from http://downloads.digium.com/pub/telephony/asterisk |
|
Asterisk Business Edition |
B.1.3.3, available from the Asterisk Business Edition user portal on http://www.digium.com or via Digium Technical Support |
|
AsteriskNOW |
Beta 6, when available from http://www.asterisknow.org, Beta 5 users can use use 'System Update' in the appliance control panel to update their version of AsteriskNOW |
|
Asterisk Appliance Developer Kit |
0.4.0, available from http://downloads.digium.com/pub/telephony/aadk |
|
Links |
http://bugs.digium.com/view.php?id=9313 |
|
Asterisk Project Security Advisories are posted at http://www.asterisk.org/security. This document may be superseded by later
versions; if so, the latest version will be posted at
http://downloads.digium.com/pub/asa/ |
|
Revision History |
||
|
Date |
Editor |
Revisions Made |
|
April 24, 2007 |
Initial Release |
|
|
April 25, 2007 |
added CVE Name and updated URL |
|
|
August 21, 2007 |
russell@digium.com |
Changed name prefix from ASA to AST, changed ftp.digium.com to downloads.digium.com |
Asterisk
Project Security Advisory -
Copyright
©
Permission is hereby granted
to distribute and publish this advisory in its original, unaltered
form.