Asterisk Project Security Advisory - When forming an outgoing SIP request while in pedantic mode, a stack buffer can be made to overflow if supplied with carefully crafted caller ID information. This vulnerability also affects the URIENCODE dialplan function and in some versions of asterisk, the AGI dialplan application as well. The ast_uri_encode function does not properly respect the size of its output buffer and can write past the end of it when encoding URIs.
caddb62e55ea8e3118ad497b8c0c7b872b631262ea738692d4e6d87bdccb05d9 Asterisk Project Security Advisory - AST-2011-001
Product Asterisk
Summary Stack buffer overflow in SIP channel driver
Nature of Advisory Exploitable Stack Buffer Overflow
Susceptibility Remote Authenticated Sessions
Severity Moderate
Exploits Known No
Reported On January 11, 2011
Reported By Matthew Nicholson
Posted On January 18, 2011
Last Updated On January 18, 2011
Advisory Contact Matthew Nicholson <mnicholson@digium.com>
CVE Name
Description When forming an outgoing SIP request while in pedantic mode, a
stack buffer can be made to overflow if supplied with
carefully crafted caller ID information. This vulnerability
also affects the URIENCODE dialplan function and in some
versions of asterisk, the AGI dialplan application as well.
The ast_uri_encode function does not properly respect the size
of its output buffer and can write past the end of it when
encoding URIs.
Resolution The size of the output buffer passed to the ast_uri_encode
function is now properly respected.
In asterisk versions not containing the fix for this issue,
limiting strings originating from remote sources that will be
URI encoded to a length of 40 characters will protect against
this vulnerability.
exten => s,1,Set(CALLERID(num)=${CALLERID(num):0:40})
exten => s,n,Set(CALLERID(name)=${CALLERID(name):0:40})
exten => s,n,Dial(SIP/channel)
The CALLERID(num) and CALLERID(name) channel values, and any
strings passed to the URIENCODE dialplan function should be
limited in this manner.
Affected Versions
Product Release Series
Asterisk Open Source 1.2.x All versions
Asterisk Open Source 1.4.x All versions
Asterisk Open Source 1.6.x All versions
Asterisk Open Source 1.8.x All versions
Asterisk Business Edition C.x.x All versions
AsteriskNOW 1.5 All versions
s800i (Asterisk Appliance) 1.2.x All versions
Corrected In
Product Release
Asterisk Open Source 1.4.38.1, 1.4.39.1, 1.6.1.21, 1.6.2.15.1,
1.6.2.16.1, 1.8.1.2, 1.8.2.1
Asterisk Business Edition C.3.6.2
Patches
URL Branch
http://downloads.asterisk.org/pub/security/AST-2011-001-1.4.diff 1.4
http://downloads.asterisk.org/pub/security/AST-2011-001-1.6.1.diff 1.6.1
http://downloads.asterisk.org/pub/security/AST-2011-001-1.6.2.diff 1.6.2
http://downloads.asterisk.org/pub/security/AST-2011-001-1.8.diff 1.8
Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security
This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2011-001.pdf and
http://downloads.digium.com/pub/security/AST-2011-001.html
Revision History
Date Editor Revisions Made
2011-01-18 Matthew Nicholson Initial Release
Asterisk Project Security Advisory - AST-2011-001
Copyright (c) 2011 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed