[NEWS] Remote Crash Vulnerability in Asterisk's IAX2 Channel Driver

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

Remote Crash Vulnerability in Asterisk's IAX2 Channel Driver


The Asterisk IAX2 channel driver, chan_iax2, has a remotely exploitable
crash vulnerability. A NULL pointer dereference can occur when Asterisk
receives a LAGRQ or LAGRP frame that is part of a valid session and
includes information elements. The session used to exploit this issue does
not have to be authenticated. It can simply be a NEW packet sent with an
invalid username.


Vulnerable Systems:
* Asterisk Open Source versions prior to 1.2.22
* Asterisk Open Source versions prior to 1.4.8
* Asterisk Business Edition versions prior to B.2.2.1
* AsteriskNOW prerelease versions prior to beta7
* Asterisk Appliance Developer Kit versions prior to 0.5.0
* s800i (Asterisk Appliance) versions prior to 1.0.2

Immune Systems:
* Asterisk Open Source version 1.2.22
* Asterisk Open Source version 1.4.8
* Asterisk Business Edition B.2.2.1
* AsteriskNOW Beta7
* Asterisk Appliance Developer Kit version 0.5.0
* s800i (Asterisk Appliance) version 1.0.2

The code that parses the incoming frame correctly parses the information
elements of IAX frames. It then sets a pointer to NULL to indicate that
there is not a raw data payload associated with this frame. However, it
does not set the variable that indicates the number of bytes in the raw
payload back to zero. Since the raw data length is non-zero, the code
handling LAGRQ and LAGRP frames tries to copy data from a NULL pointer,
causing a crash.
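
The stale-length condition described above, shown as a stand-alone C example added here; it is not Asterisk's code. The names struct frame, walk_ies, parse_body and echo_payload are hypothetical, and information elements are modelled as one-byte type, one-byte length, then value.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical, simplified frame state; not Asterisk's real structures. */
struct frame {
    const unsigned char *data;  /* raw payload, NULL if the body was IEs */
    size_t datalen;             /* bytes available at data */
};

/* Walk type/length/value elements; 0 if they exactly fill buf, else -1. */
static int walk_ies(const unsigned char *buf, size_t len)
{
    size_t off = 0;
    while (off + 2 <= len) {
        if (buf[off + 1] > len - off - 2)
            return -1;          /* element runs past the frame */
        off += 2 + buf[off + 1];
    }
    return off == len ? 0 : -1;
}

/* fix_len == 0 keeps the flaw: pointer cleared, length left stale. */
int parse_body(struct frame *f, const unsigned char *buf, size_t len, int fix_len)
{
    if (walk_ies(buf, len) != 0)
        return -1;
    f->data = NULL;                  /* IEs consumed: no raw payload */
    f->datalen = fix_len ? 0 : len;  /* the reset that was missing */
    return 0;
}

/* Copy only when pointer and length agree; -1 for an inconsistent frame. */
int echo_payload(const struct frame *f, unsigned char *out, size_t cap)
{
    if (f->datalen == 0)
        return 0;
    if (f->data == NULL || f->datalen > cap)
        return -1;              /* an unchecked memcpy would fault here */
    memcpy(out, f->data, f->datalen);
    return (int)f->datalen;
}

int main(void)
{
    const unsigned char ies[] = {0x01, 0x02, 0xAA, 0xBB}; /* constructed */
    struct frame f;
    unsigned char out[16];
    parse_body(&f, ies, sizeof ies, 0);  /* flawed parse */
    printf("handler result: %d\n", echo_payload(&f, out, sizeof out));
    return 0;
}
```

The handler-side check in echo_payload is defence in depth: resetting the length in the parser removes the inconsistent state, and the check keeps any other path that produces it from reaching memcpy.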

All users who have chan_iax2 enabled should upgrade to the appropriate
version listed in the "Immune Systems" section of this advisory.

CVE Information:


The information has been provided by Kevin P. Fleming
(kpfleming@xxxxxxxxxx).
The original article can be found at:

