SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (VoIP)  >   Asterisk Vendors:   Digium (Linux Support Services)
Asterisk Heap Overflow in Skinny Channel Driver Lets Remote Authenticated Users Execute Arbitrary Code
SecurityTracker Alert ID:  1026962
SecurityTracker URL:  http://securitytracker.com/id/1026962
CVE Reference:   CVE-2012-2415   (Links to External Site)
Updated:  Apr 23 2012
Original Entry Date:  Apr 23 2012
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 1.6.2.x, 1.8.x, 10.x
Description:   A vulnerability was reported in Asterisk. A remote authenticated user can execute arbitrary code on the target system.

A remote authenticated user can send specially crafted KEYPAD_BUTTON_MESSAGE event data to trigger a heap overflow in the Skinny Channel Driver and execute arbitrary code on the target system. The code will run with the privileges of the target service.

Russell Bryant reported this vulnerability.

The vendor was notified on March 26, 2012.
Impact:   A remote authenticated user can execute arbitrary code on the target system.
Solution:   The vendor has issued a fix (1.6.2.24, 1.8.11.1, 10.3.1).

The vendor's advisory is available at:

http://downloads.asterisk.org/pub/security/AST-2012-005.html
Vendor URL:  downloads.asterisk.org/pub/security/AST-2012-005.html (Links to External Site)
Cause:   Boundary error
Underlying OS:   Linux (Any), UNIX (Any)

Message History:   None.

 Source Message Contents
Date:  Mon, 23 Apr 2012 13:25:29 -0500
Subject:  AST-2012-005: Heap Buffer Overflow in Skinny Channel Driver

               Asterisk Project Security Advisory - AST-2012-005

          Product         Asterisk                                            
          Summary         Heap Buffer Overflow in Skinny Channel Driver       
     Nature of Advisory   Exploitable Heap Buffer Overflow                    
       Susceptibility     Remote Authenticated Sessions                       
          Severity        Minor                                               
       Exploits Known     No                                                  
        Reported On       March 26, 2012                                      
        Reported By       Russell Bryant                                      
         Posted On        April 23, 2012                                      
      Last Updated On     April 23, 2012                                      
      Advisory Contact    Matt Jordan < mjordan AT digium DOT com >           
          CVE Name        

    Description  In the Skinny channel driver, KEYPAD_BUTTON_MESSAGE events   
                 are queued for processing in a buffer allocated on the       
                 heap, where each DTMF value that is received is placed on    
                 the end of the buffer. Since the length of the buffer is     
                 never checked, an attacker could send sufficient             
                 KEYPAD_BUTTON_MESSAGE events such that the buffer is         
                 overrun.                                                     

    Resolution  The length of the buffer is now checked before appending a    
                value to the end of the buffer.                               

                               Affected Versions
                Product              Release Series  
         Asterisk Open Source           1.6.2.x      All Versions             
         Asterisk Open Source            1.8.x       All Versions             
         Asterisk Open Source             10.x       All Versions             

                                  Corrected In
                Product                              Release                  
          Asterisk Open Source              1.6.2.24, 1.8.11.1, 10.3.1        

                                     Patches                          
                                SVN URL                               Revision 
   http://downloads.asterisk.org/pub/security/AST-2012-005-1.6.2.diff v1.6.2   
   http://downloads.asterisk.org/pub/security/AST-2012-005-1.8.diff   v1.8     
   http://downloads.asterisk.org/pub/security/AST-2012-005-10.diff    v10      

       Links     https://issues.asterisk.org/jira/browse/ASTERISK-19592       

    Asterisk Project Security Advisories are posted at                        
    http://www.asterisk.org/security                                          
                                                                              
    This document may be superseded by later versions; if so, the latest      
    version will be posted at                                                 
    http://downloads.digium.com/pub/security/AST-2012-005.pdf and             
    http://downloads.digium.com/pub/security/AST-2012-005.html                

                                Revision History
          Date                  Editor                 Revisions Made         
    04/16/2012         Matt Jordan               Initial Release              

               Asterisk Project Security Advisory - AST-2012-005
              Copyright (c) 2012 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2013, SecurityGlobal.net LLC