Asterisk Project Security Advisory - AST-2009-010
±-----------------------------------------------------------------------+
| Product | Asterisk |
|----------------------±------------------------------------------------|
| Summary | RTP Remote Crash Vulnerability |
|----------------------±------------------------------------------------|
| Nature of Advisory | Denial of Service |
|----------------------±------------------------------------------------|
| Susceptibility | Remote unauthenticated sessions |
|----------------------±------------------------------------------------|
| Severity | Critical |
|----------------------±------------------------------------------------|
| Exploits Known | No |
|----------------------±------------------------------------------------|
| Reported On | November 13, 2009 |
|----------------------±------------------------------------------------|
| Reported By | issues.asterisk.org user amorsen |
|----------------------±------------------------------------------------|
| Posted On | November 30, 2009 |
|----------------------±------------------------------------------------|
| Last Updated On | November 30, 2009 |
|----------------------±------------------------------------------------|
| Advisory Contact | David Vossel < dvossel AT digium DOT com > |
|----------------------±------------------------------------------------|
| CVE Name | CVE-2009-4055 |
±-----------------------------------------------------------------------+
±-----------------------------------------------------------------------+
| Description | An attacker sending a valid RTP comfort noise payload |
| | containing a data length of 24 bytes or greater can |
| | remotely crash Asterisk. |
±-----------------------------------------------------------------------+
±-----------------------------------------------------------------------+
| Resolution | Upgrade to one of the versions of Asterisk listed in the |
| | "Corrected In" section, or apply a patch specified in the |
| | "Patches" section. |
±-----------------------------------------------------------------------+
±-----------------------------------------------------------------------+
Affected Versions |
---|
Product |
----------------------------------±---------------±------------------- |
Asterisk Open Source |
----------------------------------±---------------±------------------- |
Asterisk Open Source |
----------------------------------±---------------±------------------- |
Asterisk Open Source |
----------------------------------±---------------±------------------- |
Asterisk Business Edition |
----------------------------------±---------------±------------------- |
Asterisk Business Edition |
----------------------------------±---------------±------------------- |
s800i (Asterisk Appliance) |
±-----------------------------------------------------------------------+ |
±-----------------------------------------------------------------------+
Corrected In |
---|
Product |
---------------------------------------------±------------------------- |
Asterisk Open Source |
---------------------------------------------±------------------------- |
Asterisk Open Source |
---------------------------------------------±------------------------- |
Asterisk Open Source |
---------------------------------------------±------------------------- |
Asterisk Open Source |
---------------------------------------------±------------------------- |
Asterisk Business Edition |
---------------------------------------------±------------------------- |
Asterisk Business Edition |
---------------------------------------------±------------------------- |
Asterisk Business Edition |
---------------------------------------------±------------------------- |
S800i (Asterisk Appliance) |
±-----------------------------------------------------------------------+ |
±----------------------------------------------------------------------------+
Patches |
---|
Link |
----------------------------------------------------------------------±----- |
http://downloads.asterisk.org/pub/security/AST-2009-010-1.2.diff.txt |
----------------------------------------------------------------------±----- |
http://downloads.asterisk.org/pub/security/AST-2009-010-1.4.diff.txt |
----------------------------------------------------------------------±----- |
http://downloads.asterisk.org/pub/security/AST-2009-010-1.6.0.diff.txt |
----------------------------------------------------------------------±----- |
http://downloads.asterisk.org/pub/security/AST-2009-010-1.6.1.diff.txt |
±----------------------------------------------------------------------------+ |
±-----------------------------------------------------------------------+
| Links | https://issues.asterisk.org/view.php?id=16242 |
±-----------------------------------------------------------------------+
±-----------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://downloads.digium.com/pub/security/AST-2009-010.pdf and |
| http://downloads.digium.com/pub/security/AST-2009-010.html |
±-----------------------------------------------------------------------+
±-----------------------------------------------------------------------+
Revision History |
---|
Date |
------------------±--------------------±------------------------------ |
2009-09-03 |
±-----------------------------------------------------------------------+ |
Asterisk Project Security Advisory - AST-2009-010
Copyright (c) 2009 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.