[UNIX] Asterisk SIP DoS Vulnerability (Empty REGISTER)



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Asterisk SIP DoS Vulnerability (Empty REGISTER)
------------------------------------------------------------------------


SUMMARY

" <http://www.asterisk.org/> Asterisk is the most popular and extensible
open source telephone system in the world, offering flexibility,
functionality and features not available in advanced, high-end (high-cost)
proprietary business systems. Asterisk is a complete IP PBX (private
branch exchange) for businesses, and can be downloaded for free." Due to
bad handling by Asterisk's SIP parser, a remote attacker can cause the
product to crash by sending it a malformed SIP REGISTER request.

DETAILS

Vulnerable Systems:
* Asterisk versions 1.2.15 and 1.4.0, and earlier.

Asterisk crashes when handed an otherwise valid request message but with
no URI and no SIP-version in the request-line of the message. For
example, "REGISTER\r\n <other valid SIP headers>". The crash is due to a
null pointer dereference, and does not appear to be otherwise exploitable.

Vendor Status:
Fixed in releases 1.2.16 and 1.4.1.
Available from <http://www.asterisk.org> http://www.asterisk.org

Disclosure Timeline:
* March 1, 2007 - First contact with vendor
* March 2, 2007 - Vendor acknowledges vulnerability
* March 7, 2007 - Advisory released
* March 9, 2007 - Advisory updated with correct dates


ADDITIONAL INFORMATION

The information has been provided by musecurity.
The original article can be found at:
<http://labs.musecurity.com/advisories/MU-200703-01.txt>
http://labs.musecurity.com/advisories/MU-200703-01.txt



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.



Relevant Pages

  • [UNIX] IAX2 Channel Driver Resource Exhaustion Vulnerability
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... The IAX2 channel driver in Asterisk is vulnerable to a Denial of Service ...
    (Securiteam)
  • [UNIX] Asterisk Skinny Unauthenticated Heap Overflow
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Asterisk Skinny Unauthenticated Heap Overflow ... Asterisk is "The Opensource PBX", ... Asterisk version 1.2.12.1 and prior ...
    (Securiteam)
  • [NEWS] IAX2 Incomplete 3-Way Handshake (Spoofing)
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... IAX2 Incomplete 3-Way Handshake ... Asterisk Business Edition A.x.x - all versions ... of the ACK response and that the ACK response could be spoofed, ...
    (Securiteam)
  • [UNIX] AsteriDex Code Execution (Asterisk and Trixbox)
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... AsteriDex Code Execution (Asterisk and Trixbox) ... of arbitrary operating system commands as the 'asterisk' user. ... Originate' command which is used to ...
    (Securiteam)
  • [UNIX] Asterisk Manager Interface Buffer Overflow Vulnerability
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... " <http://www.asterisk.org/> Asterisk is a complete PBX in software. ... A Buffer Overflow with manager interface allow attackers to execute ... If the command string is specifically crafted, is it possible to use this ...
    (Securiteam)