Full Disclosure
mailing list archives
Re: AST-2010-001: T.38 Remote Crash Vulnerability
From: Jeff Williams <jeffwillis30 () gmail com>
Date: Wed, 3 Feb 2010 10:12:49 +1100
You deserve a pwnie award for the worst advisory template.
2010/2/3 Asterisk Security Team <security () asterisk org>
Asterisk Project Security Advisory - AST-2010-001

  Product             Asterisk
  Summary             T.38 Remote Crash Vulnerability
  Nature of Advisory  Denial of Service
  Susceptibility      Remote unauthenticated sessions
  Severity            Critical
  Exploits Known      No
  Reported On         12/03/09
  Reported By         issues.asterisk.org users bklang and elsto
  Posted On           02/03/10
  Last Updated On     February 2, 2010
  Advisory Contact    David Vossel < dvossel AT digium DOT com >
  CVE Name            CVE-2010-0441

Description
  An attacker attempting to negotiate T.38 over SIP can remotely crash
  Asterisk by modifying the FaxMaxDatagram field of the SDP to contain
  either a negative or exceptionally large value. The same crash occurs
  when the FaxMaxDatagram field is omitted from the SDP as well.

Resolution
  Upgrade to one of the versions of Asterisk listed in the "Corrected In"
  section, or apply a patch specified in the "Patches" section.

Affected Versions
  Product                    Release Series
  Asterisk Open Source       1.6.x             All versions
  Asterisk Business Edition  C.3               All versions

Corrected In
  Product                    Release
  Asterisk Open Source       1.6.0.22
  Asterisk Open Source       1.6.1.14
  Asterisk Open Source       1.6.2.2
                             C.3.3.2

Patches
  SVN URL                                                             Branch
  http://downloads.asterisk.org/pub/security/AST-2010-001-1.6.0.diff  v1.6.0
  http://downloads.asterisk.org/pub/security/AST-2010-001-1.6.1.diff  v1.6.1
  http://downloads.asterisk.org/pub/security/AST-2010-001-1.6.2.diff  v1.6.2

Links
  https://issues.asterisk.org/view.php?id=16634
  https://issues.asterisk.org/view.php?id=16724
  https://issues.asterisk.org/view.php?id=16517

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/.pdf and
http://downloads.digium.com/pub/security/.html

Revision History
  Date      Editor          Revisions Made
  02/02/10  David Vossel    Initial release
Copyright (c) 2010 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in
its original, unaltered form.
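An added example, not code from the advisory or from Asterisk, of the input validation the description above calls for: a bounds-checked reader for the SDP attribute `a=T38FaxMaxDatagram:` (the standard T.38 spelling of the FaxMaxDatagram field) that rejects a negative or exceptionally large value and falls back to a default when the attribute is omitted, rather than letting any of those three cases reach buffer sizing. The bounds, the default and the sample offer are assumptions made for this example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bounds are assumptions for this example, not Asterisk's own constants: a UDPTL
 * datagram has to fit a UDP payload, and zero or negative is meaningless. */
#define T38_MAX_DATAGRAM_MIN      1
#define T38_MAX_DATAGRAM_MAX      65535
#define T38_MAX_DATAGRAM_DEFAULT  400   /* applied when the attribute is absent */

/* Return the usable T38FaxMaxDatagram for an SDP body: the offered value when it
 * is present and within bounds, the default when the attribute is absent, and -1
 * when it is present but negative, non-numeric or too large. Code that sizes
 * buffers from this value must refuse the offer on -1 instead of using it. */
static int sdp_fax_max_datagram(const char *sdp)
{
    static const char key[] = "a=T38FaxMaxDatagram:";
    const size_t klen = sizeof(key) - 1;
    const char *p = sdp;
    while ((p = strstr(p, key)) != NULL) {
        if (p != sdp && p[-1] != '\n') { p += klen; continue; } /* line start only */
        p += klen;
        if (*p < '0' || *p > '9')         /* rejects "-5", "+5", " 5" and empty */
            return -1;
        char *end;
        errno = 0;
        long v = strtol(p, &end, 10);
        if (errno == ERANGE)              /* e.g. 99999999999999999999 */
            return -1;
        if (*end != '\0' && *end != '\r' && *end != '\n')
            return -1;                    /* trailing junk on the line */
        if (v < T38_MAX_DATAGRAM_MIN || v > T38_MAX_DATAGRAM_MAX)
            return -1;
        return (int)v;
    }
    return T38_MAX_DATAGRAM_DEFAULT;      /* attribute omitted: use the default */
}

int main(void)
{
    /* Constructed sample offer, not captured traffic: the attribute is omitted. */
    printf("max datagram = %d\n", sdp_fax_max_datagram("v=0\r\nm=image 4000 udptl t38\r\n"));
    return 0;
}
```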
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/