Asterisk
Project Security Advisory -
|
Product |
Asterisk |
|
Summary |
Remote crash vulnerability in IAX2 |
|
Nature of Advisory |
Remote Crash |
|
Susceptibility |
Remote Unauthenticated Sessions |
|
Severity |
Major |
|
Exploits Known |
No |
|
Reported On |
November 22, 2008 |
|
Reported By |
Jon Leren Schøpzinsky |
|
Posted On |
|
|
Last Updated On |
|
|
Advisory Contact |
Mark Michelson <mmichelson AT digium DOT com> |
|
CVE Name |
CVE-2008-5558 |
|
Description |
There is a possibility to remotely crash an Asterisk server if the server is configured to use realtime IAX2 users. The issue occurs if either an unknown user attempts to authenticate or if a user that uses hostname matching attempts to authenticate.
The problem was due to a broken function call to Asterisk's realtime configuration API. |
|
Resolution |
The function calls in question have been fixed. |
|
Affected Versions |
||
|
Product |
Release Series |
|
|
Asterisk Open Source |
1.2.x |
1.2.26-1.2.30.3 |
|
Asterisk Open Source |
1.4.x |
Unaffected |
|
Asterisk Open Source |
1.6.x |
Unaffected |
|
Asterisk Addons |
1.2.x |
Unaffected |
|
Asterisk Addons |
1.4.x |
Unaffected |
|
Asterisk Addons |
1.6.x |
Unaffected |
|
Asterisk Business Edition |
A.x.x |
Unaffected |
|
Asterisk Business Edition |
B.x.x |
B.2.3.5-B.2.5.5 |
|
Asterisk Business Edition |
C.x.x |
Unaffected |
|
AsteriskNOW |
1.5 |
Unaffected |
|
s800i (Asterisk Appliance) |
1.2.x |
Unaffected |
|
Corrected In |
|
|
Product |
Release |
|
Asterisk Open Source |
1.2.30.4 |
|
Asterisk Business Edition |
B.2.5.6 |
|
|
|
|
Patches |
|
|
SVN URL |
Revision |
|
http://svn.digium.com/svn/asterisk/branches/1.2 |
162868 |
|
|
|
|
Links |
|
|
Asterisk Project Security Advisories are posted at http://www.asterisk.org/security This document may be superseded by later
versions; if so, the latest version will be posted at
http://downloads.digium.com/pub/security/ |
|
Revision History |
||
|
Date |
Editor |
Revisions Made |
|
November 23, 2008 |
Mark Michelson |
Initial draft |
|
December 9, 2008 |
Mark Michelson |
Added “Corrected In” versions |
|
December 12, 2008 |
Mark Michelson |
Added Patches section with links to subversion branch and revision |
|
December 15, 2008 |
Mark Michelson |
Added CVE name |
Asterisk
Project Security Advisory -
Copyright
©
Permission is hereby granted
to distribute and publish this advisory in its original, unaltered
form.