[NEWS] Remote Crash Vulnerability in Asterisk's Skinny Channel Driver



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Remote Crash Vulnerability in Asterisk's Skinny Channel Driver
------------------------------------------------------------------------


SUMMARY

A security vulnerability in Asterisk's Skinny protocol allows remote
attackers to cause the Asterisk server to crash by sending it a malformed
Skinny packet.

DETAILS

Vulnerable Systems:
* Asterisk Open Source versions prior to 1.4.8
* AsteriskNOW prerelease versions prior to beta7
* Asterisk Appliance Developer Kit versions prior to 0.5.0
* s800i (Asterisk Appliance) versions prior to 1.0.2

Immune Systems:
* Asterisk Open Source version 1.4.8
* AsteriskNOW Beta7
* Asterisk Appliance Developer Kit version 0.5.0
* s800i (Asterisk Appliance) version 1.0.2

The Asterisk Skinny channel driver, chan_skinny, has a remotely
exploitable crash vulnerability. A segfault can occur when Asterisk
receives a packet where the claimed length of the data is between 0 and 3,
followed by length + 4 or more bytes, due to an overly large memcpy. The
side effects of this extremely large memcpy have not been investigated.

Resolution:
All users that have chan_skinny enabled should upgrade to the appropriate
version listed in the corrected in section of this advisory. As a
workaround, users who do not require chan_skinny may add the line "noload
=> chan_skinny.so" (without quotes) to /etc/asterisk/modules.conf, and
restart Asterisk.


ADDITIONAL INFORMATION

The information has been provided by <mailto:jparker@xxxxxxxxxx> Jason
Parker.
The original article can be found at:
<http://ftp.digium.com/pub/asa/ASA-2007-016.pdf>
http://ftp.digium.com/pub/asa/ASA-2007-016.pdf



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.



Relevant Pages

  • [UNIX] IAX2 Channel Driver Resource Exhaustion Vulnerability
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... The IAX2 channel driver in Asterisk is vulnerable to a Denial of Service ...
    (Securiteam)
  • [UNIX] Asterisk Skinny Unauthenticated Heap Overflow
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Asterisk Skinny Unauthenticated Heap Overflow ... Asterisk is "The Opensource PBX", ... Asterisk version 1.2.12.1 and prior ...
    (Securiteam)
  • [NEWS] IAX2 Incomplete 3-Way Handshake (Spoofing)
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... IAX2 Incomplete 3-Way Handshake ... Asterisk Business Edition A.x.x - all versions ... of the ACK response and that the ACK response could be spoofed, ...
    (Securiteam)
  • [UNIX] AsteriDex Code Execution (Asterisk and Trixbox)
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... AsteriDex Code Execution (Asterisk and Trixbox) ... of arbitrary operating system commands as the 'asterisk' user. ... Originate' command which is used to ...
    (Securiteam)
  • [UNIX] Asterisk Manager Interface Buffer Overflow Vulnerability
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... " <http://www.asterisk.org/> Asterisk is a complete PBX in software. ... A Buffer Overflow with manager interface allow attackers to execute ... If the command string is specifically crafted, is it possible to use this ...
    (Securiteam)