Asterisk Project Security Advisory - AST-2008-012

Product              Asterisk
Summary              Remote crash vulnerability in IAX2
Nature of Advisory   Remote Crash
Susceptibility       Remote Unauthenticated Sessions
Severity             Major
Exploits Known       No
Reported On          November 22, 2008
Reported By          Jon Leren Schøpzinsky
Posted On            
Last Updated On      December 15, 2008
Advisory Contact     Mark Michelson <mmichelson AT digium DOT com>
CVE Name             CVE-2008-5558



Description

A remote, unauthenticated peer can crash an Asterisk server that is configured to use realtime IAX2 users. The crash is triggered when an unknown user attempts to authenticate, or when a user whose entry is matched by hostname attempts to authenticate.

The crash was caused by an incorrectly formed call to Asterisk's realtime configuration API in the IAX2 channel driver.
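The advisory gives two conditions that must both hold for a server to be exposed: a build inside the affected 1.2.x window and IAX2 users served from realtime. The script below is an added example, not part of the advisory or of the Asterisk source tree, that checks both on an Open Source 1.2.x host. It assumes (these are my assumptions, not statements from the advisory) that `asterisk -V` prints "Asterisk 1.2.x", that the realtime family for IAX2 users is named `iaxusers` in extconfig.conf, and that extconfig.conf lives under /etc/asterisk; Business Edition version strings (B.x.x) are not handled. The extconfig.conf samples are constructed here for the offline run.

```shell
#!/bin/sh
# Added example, not part of the advisory or of Asterisk itself.
# Checks (1) whether the installed Open Source version falls in the
# 1.2.26 - 1.2.30.3 window from the Affected Versions table and (2) whether
# the IAX2 user family is mapped to a realtime backend in extconfig.conf.
# Assumptions (mine): `asterisk -V` prints "Asterisk 1.2.x", the realtime
# family name is "iaxusers", extconfig.conf is in /etc/asterisk.

# vercmp A B: prints -1, 0 or 1 for dotted numeric versions (1.2.30 < 1.2.30.3).
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        if [ "$a" = "$ai" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$bi" ]; then b=""; else b="${b#*.}"; fi
        ai="${ai:-0}"; bi="${bi:-0}"          # missing trailing component counts as 0
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return 0; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}

# is_affected VERSION: "yes" if VERSION is within 1.2.26 through 1.2.30.3 inclusive.
is_affected() {
    if [ "$(vercmp "$1" 1.2.26)" -ge 0 ] && [ "$(vercmp "$1" 1.2.30.3)" -le 0 ]; then
        printf 'yes\n'
    else
        printf 'no\n'
    fi
}

# uses_realtime_iax FILE: "yes" if FILE maps iaxusers to a realtime backend.
# Lines commented out with a leading ';' do not count.
uses_realtime_iax() {
    if grep -Eq '^[[:space:]]*iaxusers[[:space:]]*=>' "$1"; then
        printf 'yes\n'
    else
        printf 'no\n'
    fi
}

# Constructed sample: IAX2 users and peers served from realtime (exposed).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
[settings]
; constructed sample, not a real deployment
iaxpeers => odbc,asterisk
iaxusers => odbc,asterisk
EOF

# Constructed sample: iaxusers mapping commented out, users stay in iax.conf (not exposed).
SAMPLE_CONF_STATIC=$(mktemp)
cat > "$SAMPLE_CONF_STATIC" <<'EOF'
[settings]
; constructed sample, realtime IAX2 users disabled
;iaxusers => odbc,asterisk
EOF

# Live check against the local install, skipped where asterisk is not present.
if command -v asterisk >/dev/null 2>&1; then
    ver=$(asterisk -V | sed -n 's/^Asterisk \([0-9][0-9.]*\).*/\1/p')
    if [ -z "$ver" ]; then
        echo "could not parse 'asterisk -V' output"
    elif [ "$(is_affected "$ver")" = yes ] && \
         [ "$(uses_realtime_iax /etc/asterisk/extconfig.conf)" = yes ]; then
        echo "Asterisk $ver with realtime IAX2 users: affected by AST-2008-012"
    else
        echo "Asterisk $ver: not in the affected configuration"
    fi
fi
```

A host that reports "affected" should move to the release listed under Corrected In; the fix itself can be pulled from the branch and revision given under Patches with `svn diff -c 162868 http://svn.digium.com/svn/asterisk/branches/1.2`.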


Resolution

The affected function calls have been corrected. Upgrade to a release listed under Corrected In, or apply the revision listed under Patches.


Affected Versions

Product                      Release Series   Affected Versions
Asterisk Open Source         1.2.x            1.2.26-1.2.30.3
Asterisk Open Source         1.4.x            Unaffected
Asterisk Open Source         1.6.x            Unaffected
Asterisk Addons              1.2.x            Unaffected
Asterisk Addons              1.4.x            Unaffected
Asterisk Addons              1.6.x            Unaffected
Asterisk Business Edition    A.x.x            Unaffected
Asterisk Business Edition    B.x.x            B.2.3.5-B.2.5.5
Asterisk Business Edition    C.x.x            Unaffected
AsteriskNOW                  1.5              Unaffected
s800i (Asterisk Appliance)   1.2.x            Unaffected


Corrected In

Product                      Release
Asterisk Open Source         1.2.30.4
Asterisk Business Edition    B.2.5.6




Patches

SVN URL                                            Revision
http://svn.digium.com/svn/asterisk/branches/1.2    162868




Links



Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2008-012.pdf and http://downloads.digium.com/pub/security/AST-2008-012.html


Revision History

Date                 Editor            Revisions Made
November 23, 2008    Mark Michelson    Initial draft
December 9, 2008     Mark Michelson    Added “Corrected In” versions
December 12, 2008    Mark Michelson    Added Patches section with links to subversion branch and revision
December 15, 2008    Mark Michelson    Added CVE name


Copyright © 2008 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.