Asterisk Security Advisory – AST-2010-001: T.38 Remote Crash Vulnerability


Asterisk The Open Source PBX & Telephony Platform

Asterisk Project Security Advisory AST-2010-001

Product:            Asterisk
Summary:            T.38 Remote Crash Vulnerability
Nature of Advisory: Denial of Service
Susceptibility:     Remote unauthenticated sessions
Severity:           Critical
Exploits Known:     No
Reported On:        12/03/09
Reported By:        issues.asterisk.org users bklang and elsto
Posted On:          02/03/10
Last Updated On:    February 2, 2010
Advisory Contact:   David Vossel < dvossel AT digium DOT com >
CVE Name:           CVE-2010-0441

Description: An attacker attempting to negotiate T.38 over SIP can remotely crash Asterisk by modifying the FaxMaxDatagram field of the SDP to contain either a negative or an exceptionally large value. The same crash occurs when the FaxMaxDatagram field is omitted from the SDP entirely.

Resolution: Upgrade to one of the versions of Asterisk listed in the “Corrected In” section, or apply a patch specified in the “Patches” section.
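The failure mode described above, as an added illustration that is not Asterisk's own code: a defensive parser for the T38FaxMaxDatagram SDP attribute (the attribute the advisory refers to as the FaxMaxDatagram field) that treats a negative value, an oversized value and an absent attribute as distinct, handled cases instead of letting them reach buffer-sizing code. The sample SDP offers, the fallback of 400 and the upper limit of 65535 are constructed assumptions for this example, not values taken from Asterisk or from the patches.

```c
/* Added example (not Asterisk code): defensive handling of the
 * T38FaxMaxDatagram SDP attribute whose mis-handling AST-2010-001 describes.
 * Compile: cc -std=c99 -Wall t38_maxdatagram.c */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed policy values for this example, not values taken from Asterisk. */
#define T38_MAX_DATAGRAM_DEFAULT 400    /* used when the attribute is absent */
#define T38_MAX_DATAGRAM_LIMIT   65535  /* largest value we will size buffers for */

enum t38_parse_result {
    T38_OK = 0,             /* attribute present and sane, or absent (default used) */
    T38_REJECT_NEGATIVE,    /* negative value: would underflow an unsigned size */
    T38_REJECT_TOO_LARGE,   /* value above the limit or outside long range */
    T38_REJECT_MALFORMED    /* attribute present but not a plain integer */
};

/* Scan an SDP body (CRLF- or LF-separated lines) for "a=T38FaxMaxDatagram:<n>".
 * On T38_OK, *out (if non-NULL) receives the value to use; an absent attribute
 * yields the default rather than an uninitialised or zero size. */
enum t38_parse_result parse_fax_max_datagram(const char *sdp, int *out)
{
    static const char needle[] = "a=T38FaxMaxDatagram:";
    const size_t nlen = sizeof(needle) - 1;
    const char *p = sdp;

    if (out)
        *out = T38_MAX_DATAGRAM_DEFAULT;

    while ((p = strstr(p, needle)) != NULL) {
        if (p != sdp && p[-1] != '\n') {   /* only honour a match at line start */
            p += nlen;
            continue;
        }
        p += nlen;
        char *end;
        errno = 0;
        long v = strtol(p, &end, 10);
        /* require digits followed by end of line (or end of body) */
        if (end == p || (*end != '\r' && *end != '\n' && *end != '\0'))
            return T38_REJECT_MALFORMED;
        if (v < 0)                          /* includes LONG_MIN on negative overflow */
            return T38_REJECT_NEGATIVE;
        if (errno == ERANGE || v > T38_MAX_DATAGRAM_LIMIT)
            return T38_REJECT_TOO_LARGE;
        if (out)
            *out = (int)v;
        return T38_OK;
    }
    return T38_OK;  /* attribute absent: caller gets the default */
}

/* Convenience wrapper for the negotiation path: the datagram size to use,
 * or -1 when the offer must be declined instead of being acted on. */
int t38_offer_max_datagram(const char *sdp)
{
    int v;
    return parse_fax_max_datagram(sdp, &v) == T38_OK ? v : -1;
}

/* Constructed sample offers (example data, not captured traffic). */
#define SDP_HEAD \
    "v=0\r\n" \
    "o=- 1 1 IN IP4 192.0.2.10\r\n" \
    "s=-\r\n" \
    "c=IN IP4 192.0.2.10\r\n" \
    "t=0 0\r\n" \
    "m=image 4000 udptl t38\r\n" \
    "a=T38FaxVersion:0\r\n"

static const char SDP_NORMAL[]   = SDP_HEAD "a=T38FaxMaxDatagram:320\r\n";
static const char SDP_NEGATIVE[] = SDP_HEAD "a=T38FaxMaxDatagram:-1\r\n";
static const char SDP_HUGE[]     = SDP_HEAD "a=T38FaxMaxDatagram:99999999999999999999\r\n";
static const char SDP_MISSING[]  = SDP_HEAD "a=T38FaxUdpEC:t38UDPRedundancy\r\n";

int main(void)
{
    const char *names[]  = { "normal", "negative", "huge", "missing" };
    const char *bodies[] = { SDP_NORMAL, SDP_NEGATIVE, SDP_HUGE, SDP_MISSING };
    for (int i = 0; i < 4; i++) {
        int v = t38_offer_max_datagram(bodies[i]);
        printf("%-8s -> %s (max datagram %d)\n", names[i],
               v < 0 ? "decline offer" : "accept", v);
    }
    return 0;
}
```

The point of the example is the order of the checks: the value is classified before anything is sized from it, and the absent-attribute case is an explicit default rather than a path that is never initialised. A real implementation would additionally log the rejection with the peer's address so that repeated malformed offers are visible in the SIP channel logs.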
Affected Versions
Product                    Release   Series
Asterisk Open Source       1.6.x     All versions
Asterisk Business Edition  C.3       All versions

Corrected In
Product                    Release
Asterisk Open Source       1.6.0.22
Asterisk Open Source       1.6.1.14
Asterisk Open Source       1.6.2.2
Asterisk Business Edition  C.3.3.2

Patches
SVN URL                                                              Branch
http://downloads.asterisk.org/pub/security/AST-2010-001-1.6.0.diff   v1.6.0
http://downloads.asterisk.org/pub/security/AST-2010-001-1.6.1.diff   v1.6.1
http://downloads.asterisk.org/pub/security/AST-2010-001-1.6.2.diff   v1.6.2
Links
https://issues.asterisk.org/view.php?id=16634
https://issues.asterisk.org/view.php?id=16724
https://issues.asterisk.org/view.php?id=16517

Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/.pdf and http://downloads.digium.com/pub/security/.html

Revision History
Date      Editor         Revisions Made
02/02/10  David Vossel   Initial release
