Asterisk Project Security Advisory - The Asterisk Skinny channel driver, chan_skinny, has a remotely exploitable crash vulnerability. A segfault can occur when Asterisk receives a packet where the claimed length of the data is between 0 and 3, followed by length + 4 or more bytes, due to an overly large memcpy. The side effects of this extremely large memcpy have not been investigated.
950ae078a58d7241a19dc7a251b19e77edd52fcfa03de8eed1f658bf4850424b
Asterisk Project Security Advisory - ASA-2007-016
+------------------------------------------------------------------------+
| Product | Asterisk |
|--------------------+---------------------------------------------------|
| Summary | Remote crash vulnerability in Skinny channel |
| | driver |
|--------------------+---------------------------------------------------|
| Nature of Advisory | Denial of Service |
|--------------------+---------------------------------------------------|
| Susceptibility | Remote Unauthenticated Sessions |
|--------------------+---------------------------------------------------|
| Severity | Critical |
|--------------------+---------------------------------------------------|
| Exploits Known | No |
|--------------------+---------------------------------------------------|
| Reported On | July 13, 2007 |
|--------------------+---------------------------------------------------|
| Reported By | Will Drewry, Google Security Team |
|--------------------+---------------------------------------------------|
| Posted On | July 17, 2007 |
|--------------------+---------------------------------------------------|
| Last Updated On | July 17, 2007 |
|--------------------+---------------------------------------------------|
| Advisory Contact | Jason Parker <jparker@digium.com> |
|--------------------+---------------------------------------------------|
| CVE Name | CVE-2007-3764 |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Description | The Asterisk Skinny channel driver, chan_skinny, has a |
| | remotely exploitable crash vulnerability. A segfault can |
| | occur when Asterisk receives a packet where the claimed |
| | length of the data is between 0 and 3, followed by |
| | length + 4 or more bytes, due to an overly large memcpy. |
| | The side effects of this extremely large memcpy have not |
| | been investigated. |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Resolution | All users that have chan_skinny enabled should upgrade to |
| | the appropriate version listed in the corrected in |
| | section of this advisory. As a workaround, users who do |
| | not require chan_skinny may add the line "noload => |
| | chan_skinny.so" (without quotes) to |
| | /etc/asterisk/modules.conf, and restart Asterisk. |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Affected Versions |
|------------------------------------------------------------------------|
| Product | Release | |
| | Series | |
|----------------------------------+-------------+-----------------------|
| Asterisk Open Source | 1.0.x | All versions |
|----------------------------------+-------------+-----------------------|
| Asterisk Open Source | 1.2.x | All versions prior to |
| | | 1.2.22 |
|----------------------------------+-------------+-----------------------|
| Asterisk Open Source | 1.4.x | All versions prior to |
| | | 1.4.8 |
|----------------------------------+-------------+-----------------------|
| Asterisk Business Edition | A.x.x | All versions |
|----------------------------------+-------------+-----------------------|
| Asterisk Business Edition | B.x.x | All versions prior to |
| | | B.2.2.1 |
|----------------------------------+-------------+-----------------------|
| AsteriskNOW | pre-release | All versions prior to |
| | | beta7 |
|----------------------------------+-------------+-----------------------|
| Asterisk Appliance Developer Kit | 0.x.x | All versions prior to |
| | | 0.5.0 |
|----------------------------------+-------------+-----------------------|
| s800i (Asterisk Appliance) | 1.0.x | All versions prior to |
| | | 1.0.2 |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Corrected In |
|------------------------------------------------------------------------|
| Product | Release |
|--------------------+---------------------------------------------------|
| Asterisk Open | 1.2.22 and 1.4.8, available from |
| Source | ftp://ftp.digium.com/pub/telephony/asterisk |
|--------------------+---------------------------------------------------|
| Asterisk Business | B.2.2.1, available from the Asterisk Business |
| Edition | Edition user portal on http://www.digium.com or |
| | |
| | via Digium Technical Support |
|--------------------+---------------------------------------------------|
| AsteriskNOW | Beta7, available from |
| | http://www.asterisknow.org/. Beta5 and Beta6 |
| | users can update using the system update feature |
| | in the appliance control panel. |
|--------------------+---------------------------------------------------|
| Asterisk Appliance | 0.5.0, available from |
| Developer Kit | |
| | ftp://ftp.digium.com/pub/telephony/aadk/ |
|--------------------+---------------------------------------------------|
| s800i (Asterisk | 1.0.2 |
| Appliance) | |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Links | |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security. |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://ftp.digium.com/pub/asa/ASA-2007-016.pdf. |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Revision History |
|------------------------------------------------------------------------|
| Date | Editor | Revisions Made |
|-------------------+-------------------------+--------------------------|
| July 17, 2007 | jparker@digium.com | Initial Release |
+------------------------------------------------------------------------+
Asterisk Project Security Advisory - ASA-2007-016
Copyright (c) 2007 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.