Thursday, July 19, 2007

[NEWS] Remote Crash Vulnerability in Asterisk's Skinny Channel Driver

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html


- - - - - - - - -

Remote Crash Vulnerability in Asterisk's Skinny Channel Driver
------------------------------------------------------------------------


SUMMARY

A security vulnerability in Asterisk's Skinny protocol allows remote
attackers to cause the Asterisk server to crash by sending it a malformed
Skinny packet.

DETAILS

Vulnerable Systems:
* Asterisk Open Source versions prior to 1.4.8
* AsteriskNOW prerelease versions prior to beta7
* Asterisk Appliance Developer Kit versions prior to 0.5.0
* s800i (Asterisk Appliance) versions prior to 1.0.2

Immune Systems:
* Asterisk Open Source version 1.4.8
* AsteriskNOW Beta7
* Asterisk Appliance Developer Kit version 0.5.0
* s800i (Asterisk Appliance) version 1.0.2

The Asterisk Skinny channel driver, chan_skinny, has a remotely
exploitable crash vulnerability. A segfault can occur when Asterisk
receives a packet where the claimed length of the data is between 0 and 3,
followed by length + 4 or more bytes, due to an overly large memcpy. The
side effects of this extremely large memcpy have not been investigated.

Resolution:
All users that have chan_skinny enabled should upgrade to the appropriate
version listed in the corrected in section of this advisory. As a
workaround, users who do not require chan_skinny may add the line "noload
=> chan_skinny.so" (without quotes) to /etc/asterisk/modules.conf, and
restart Asterisk.


ADDITIONAL INFORMATION

The information has been provided by <mailto:jparker@digium.com> Jason
Parker.
The original article can be found at:
<http://ftp.digium.com/pub/asa/ASA-2007-016.pdf>

http://ftp.digium.com/pub/asa/ASA-2007-016.pdf

========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

at

No comments:

Post a Comment