Full Disclosure mailing list archives
ASA-2007-013: IAX2 users can cause unauthorized data disclosure
From: "Kevin P. Fleming" <kpfleming () digium com>
Date: Fri, 04 May 2007 11:20:02 -0500
Asterisk Project Security Advisory - ASA-2007-013 +----------------------------------------------------------------------------------+ | Product | Asterisk | |----------------------+-----------------------------------------------------------| | Summary | IAX2 users can cause unauthorized data disclosure | |----------------------+-----------------------------------------------------------| | Nature of Advisory | Unauthorized information disclosure | |----------------------+-----------------------------------------------------------| | Susceptibility | Remote authenticated sessions | |----------------------+-----------------------------------------------------------| | Severity | Low | |----------------------+-----------------------------------------------------------| | Exploits Known | No | |----------------------+-----------------------------------------------------------| | Reported On | April 27, 2007 | |----------------------+-----------------------------------------------------------| | Reported By | Tim Panton, Mexuar, <tim () mexuar com> | | | | | | Birgit Arkesteijn, Westhawk, <birgit () westhawk co uk> | |----------------------+-----------------------------------------------------------| | Posted On | May 4, 2007 | |----------------------+-----------------------------------------------------------| | Last Updated On | May 4, 2007 | |----------------------+-----------------------------------------------------------| | Advisory Contact | kpfleming () digium com | |----------------------+-----------------------------------------------------------| | CVE Name | CVE-2007-2488 | +----------------------------------------------------------------------------------+ +----------------------------------------------------------------------------------+ | Description | > From: Tim Panton <tim () mexuar com> | | | | | | > Date: 27 April 2007 08:02:36 BDT | | | | | | > To: "Kevin P. Fleming" <kpfleming () digium com> | | | | | | > Subject: Possible IAX2 vulnerability (Minor) | | | | | | > | | | | | | > We've stumbled on a bug in the way Asterisk's IAX2 handles text | | | | | | > frames. | | | | | | > I'm emailing you because it is a borderline security | | | vulnerability, | | | | | | > and my | | | | | | > friends in the security world tell me that I should notify the | | | | | | > vendor privately | | | | | | > first. If you feel it isn't a security issue, let me know and | | | I'll | | | | | | > put it in mantis. | | | | | | > | | | | | | > chan_iax2 assumes that the content of a text frame is a null | | | | | | > terminated | | | | | | > string (C style), and when time comes to forward the string it | | | uses | | | | | | > strlen | | | | | | > to determine the message length. | | | | | | > | | | | | | > If you send a frame without a 0 byte in it, Asterisk forwards a | | | | | | > frame that | | | | | | > includes the sent data and some extra (presumably heap) data. | | | | | | > | | | | | | > If an attacker were lucky, the extra data could contain | | | something | | | | | | > interesting. | | | | | | > Or conceivably it could cause a segmentation violation. | +----------------------------------------------------------------------------------+ +----------------------------------------------------------------------------------+ | Resolution | Asterisk code has been modified to enforce null-termination of | | | incoming text frames received by the IAX2 channel driver | | | (chan_iax2). When text frames are received without | | | null-termination, this may result in the last byte of data in the | | | frame being lost, if the IAX2 reception process does not have space | | | in its receive buffer to add a null character. | | | | | | As this vulnerability is of 'low' severity, it does not justify new | | | releases of Asterisk solely for mitigating its impact. The fix for | | | this vulnerability has been committed to the Asterisk Subversion | | | source code repositories and is available to all users who wish to | | | upgrade to a prerelease checkout of the respective development | | | branch for their release series of Asterisk. All other users can | | | upgrade when the next regularly scheduled release of their product | | | is produced. | +----------------------------------------------------------------------------------+ +----------------------------------------------------------------------------------+ | Affected Versions | |----------------------------------------------------------------------------------| | Product | Release | | | | Series | | |----------------------------------+-------------+---------------------------------| | Asterisk Open Source | 1.0.x | has not been evaluated as this | | | | release series is no longer | | | | maintained | |----------------------------------+-------------+---------------------------------| | Asterisk Open Source | 1.2.x | all releases prior to 1.2.19 | |----------------------------------+-------------+---------------------------------| | Asterisk Open Source | 1.4.x | all releases prior to 1.4.4 | |----------------------------------+-------------+---------------------------------| | Asterisk Business Edition | A.x.x | all releases | |----------------------------------+-------------+---------------------------------| | Asterisk Business Edition | B.x.x | all releases prior to B.2.1 | |----------------------------------+-------------+---------------------------------| | AsteriskNOW | pre-release | all releases prior to and | | | | including Beta 5 | |----------------------------------+-------------+---------------------------------| | Asterisk Appliance Developer Kit | 0.x.x | all releases prior to 0.4.1 | +----------------------------------------------------------------------------------+ +----------------------------------------------------------------------------------+ | Corrected In | |----------------------------------------------------------------------------------| | Product | Release | |----------------------+-----------------------------------------------------------| | Asterisk Open Source | 1.2.19 and 1.4.4 will be available from | | | ftp://ftp.digium.com/pub/telephony/asterisk when released | |----------------------+-----------------------------------------------------------| | Asterisk Business | B.2.1, will be available from the Asterisk Business | | Edition | Edition user portal on http://www.digium.com or via | | | Digium Technical Support when released | |----------------------+-----------------------------------------------------------| | AsteriskNOW | Beta 6, when available from http://www.asterisknow.org, | | | Beta 5 users can use 'System Update' in the appliance | | | control panel to update their version of AsteriskNOW when | | | Asterisk 1.4.4 has been released | |----------------------+-----------------------------------------------------------| | Asterisk Appliance | 0.4.1, will be available from | | Developer Kit | ftp://ftp.digium.com/pub/telephony/aadk when released | +----------------------------------------------------------------------------------+ +----------------------------------------------------------------------------------+ | Links | http://bugs.digium.com/view.php?id=9638 | +----------------------------------------------------------------------------------+ +----------------------------------------------------------------------------------+ | Asterisk Project Security Advisories are posted at | | http://www.asterisk.org/security. | | | | This document may be superseded by later versions; if so, the latest version | | will be posted at http://ftp.digium.com/pub/asa/ASA-2007-013.pdf. | +----------------------------------------------------------------------------------+ +----------------------------------------------------------------------------------+ | Revision History | |----------------------------------------------------------------------------------| | Date | Editor | Revisions Made | |-------------------+-----------------------------+--------------------------------| | May 4, 2007 | kpfleming () digium com | initial release | +----------------------------------------------------------------------------------+ Asterisk Project Security Advisory - ASA-2007-013 Copyright (c) 2007 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- ASA-2007-013: IAX2 users can cause unauthorized data disclosure Kevin P. Fleming (May 04)