Asterisk Project Security Advisory - AST-2008-002
Β±-----------------------------------------------------------------------+
| Product | Asterisk |
|--------------------Β±--------------------------------------------------|
| Summary | Two buffer overflows in RTP Codec Payload |
| | Handling |
|--------------------Β±--------------------------------------------------|
| Nature of Advisory | Exploitable Buffer Overflow |
|--------------------Β±--------------------------------------------------|
| Susceptibility | Remote Unauthenticated Sessions |
|--------------------Β±--------------------------------------------------|
| Severity | Critical |
|--------------------Β±--------------------------------------------------|
| Exploits Known | No |
|--------------------Β±--------------------------------------------------|
| Reported On | March 11, 2008 |
|--------------------Β±--------------------------------------------------|
| Reported By | Mu Security Research Team |
|--------------------Β±--------------------------------------------------|
| Posted On | March 18, 2008 |
|--------------------Β±--------------------------------------------------|
| Last Updated On | March 18, 2008 |
|--------------------Β±--------------------------------------------------|
| Advisory Contact | Joshua Colp <[email protected]> |
|--------------------Β±--------------------------------------------------|
| CVE Name | CVE-2008-1289 |
Β±-----------------------------------------------------------------------+
Β±-----------------------------------------------------------------------+
| Description | Two buffer overflows exist in the RTP payload handling |
| | code of Asterisk. Both overflows can be caused by an |
| | INVITE or any other SIP packet with SDP. The request may |
| | need to be authenticated depending on configuration of |
| | the Asterisk installation. |
| | |
| | The first overflow is caused by sending a payload number |
| | that surpasses the programmed maximum payload number of |
| | 256. This causes an invalid memory write outside of the |
| | buffer. While this does not allow the attacker to write |
| | arbitrary data it does allow the attacker to write a 0 |
| | to other memory locations. |
| | |
| | The second overflow is caused by sending more than 32 |
| | RTP payloads. This causes a buffer on the stack to |
| | overflow allowing the attacker to write values between 0 |
| | and 256 (the maximum payload number) to memory locations |
| | after the buffer. |
Β±-----------------------------------------------------------------------+
Β±-----------------------------------------------------------------------+
| Resolution | Two fixes have been added to check the provided data to |
| | ensure it does not exceed static buffer sizes. |
| | |
| | When removing internal information regarding an RTP |
| | payload the given payload number will now be checked to |
| | make sure it does not exceed the maximum acceptable |
| | payload number. |
| | |
| | When reading RTP payloads from SDP a maximum limit of 32 |
| | in total will be enforced. Any further RTP payloads will |
| | be discarded. |
Β±-----------------------------------------------------------------------+
Β±-----------------------------------------------------------------------+
Affected Versions |
---|
Product |
----------------------------Β±--------Β±-------------------------------- |
Asterisk Open Source |
----------------------------Β±--------Β±-------------------------------- |
Asterisk Open Source |
----------------------------Β±--------Β±-------------------------------- |
Asterisk Open Source |
----------------------------Β±--------Β±-------------------------------- |
Asterisk Open Source |
----------------------------Β±--------Β±-------------------------------- |
Asterisk Business Edition |
----------------------------Β±--------Β±-------------------------------- |
Asterisk Business Edition |
----------------------------Β±--------Β±-------------------------------- |
Asterisk Business Edition |
----------------------------Β±--------Β±-------------------------------- |
AsteriskNOW |
----------------------------Β±--------Β±-------------------------------- |
Asterisk Appliance |
Developer Kit |
----------------------------Β±--------Β±-------------------------------- |
s800i (Asterisk Appliance) |
Β±-----------------------------------------------------------------------+ |
Β±-----------------------------------------------------------------------+
Corrected In |
---|
Product |
---------------Β±------------------------------------------------------- |
Asterisk Open |
Source |
---------------Β±------------------------------------------------------- |
Asterisk |
Business |
Edition |
---------------Β±------------------------------------------------------- |
AsteriskNOW |
---------------Β±------------------------------------------------------- |
Asterisk |
Appliance |
Developer Kit |
---------------Β±------------------------------------------------------- |
s800i |
(Asterisk |
Appliance) |
Β±-----------------------------------------------------------------------+ |
Β±-----------------------------------------------------------------------+
| Links | |
Β±-----------------------------------------------------------------------+
Β±-----------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://downloads.digium.com/pub/security/AST-2008-002.pdf and |
| http://downloads.digium.com/pub/security/AST-2008-002.html |
Β±-----------------------------------------------------------------------+
Β±-----------------------------------------------------------------------+
Revision History |
---|
Date |
------------------Β±-------------------Β±------------------------------- |
2008-03-18 |
Β±-----------------------------------------------------------------------+ |
Asterisk Project Security Advisory - AST-2008-002
Copyright (c) 2008 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.