Asterisk Security Advisory – AST-2010-001: T.38 Remote Crash Vulnerability


Asterisk The Open Source PBX & Telephony Platform


Asterisk Project Security Advisory AST-2010-001

Product: Asterisk
Summary: T.38 Remote Crash Vulnerability
Nature of Advisory: Denial of Service
Susceptibility: Remote unauthenticated sessions
Severity: Critical
Exploits Known: No
Reported On: 12/03/09
Reported By: issues.asterisk.org users bklang and elsto
Posted On: 02/03/10
Last Updated On: February 2, 2010
Advisory Contact: David Vossel < dvossel AT digium DOT com >
CVE Name: CVE-2010-0441

Description: An attacker attempting to negotiate T.38 over SIP can remotely crash Asterisk by modifying the FaxMaxDatagram field of the SDP to contain either a negative or an exceptionally large value. The same crash also occurs when the FaxMaxDatagram field is omitted from the SDP.

Resolution: Upgrade to one of the versions of Asterisk listed in the “Corrected In” section, or apply a patch specified in the “Patches” section.
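The description names the three inputs behind the crash: a negative FaxMaxDatagram, an exceptionally large one, and a missing one. The C function below is an added illustration, not Asterisk's code or the fix in the linked patches; it shows the input validation a defensive SDP parser applies to that attribute (carried in SDP as a=T38FaxMaxDatagram:), with the default of 400, the ceiling of 65535 and the result codes chosen for the example.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative bounds for the example; not Asterisk's actual limits. */
#define T38_MAX_DATAGRAM_DEFAULT 400u
#define T38_MAX_DATAGRAM_CEILING 65535L

/* Distinguish "attribute absent, default applied" from "present but unusable". */
enum t38_parse_result { T38_OK = 0, T38_DEFAULTED, T38_REJECTED };

/* Locate "a=T38FaxMaxDatagram:<value>" at the start of an SDP line and
 * validate the value before anything downstream sizes a buffer with it. */
static enum t38_parse_result
parse_t38_max_datagram(const char *sdp, unsigned int *out)
{
    const char *prefix = "a=T38FaxMaxDatagram:";
    size_t plen = strlen(prefix);
    const char *p = sdp, *value = NULL;

    while ((p = strstr(p, prefix)) != NULL) {
        if (p == sdp || p[-1] == '\n') { value = p + plen; break; }
        p += plen;
    }
    if (value == NULL) {                 /* field omitted: never assume it parsed */
        *out = T38_MAX_DATAGRAM_DEFAULT;
        return T38_DEFAULTED;
    }

    /* strtol, not sscanf("%d"), so junk and overflow are detected explicitly. */
    char *end;
    errno = 0;
    long v = strtol(value, &end, 10);
    if (end == value || errno == ERANGE)
        return T38_REJECTED;             /* not a number, or outside long range */
    if (*end != '\r' && *end != '\n' && *end != '\0')
        return T38_REJECTED;             /* trailing garbage after the number */
    if (v < 0 || v > T38_MAX_DATAGRAM_CEILING)
        return T38_REJECTED;             /* negative or exceptionally large */

    *out = (unsigned int)v;
    return T38_OK;
}

/* Convenience wrapper: -1 when the offer must be rejected, else the value to use. */
static long t38_max_datagram_or_reject(const char *sdp)
{
    unsigned int dg = 0;
    return parse_t38_max_datagram(sdp, &dg) == T38_REJECTED ? -1L : (long)dg;
}
```

A caller that gets T38_REJECTED should decline the T.38 re-INVITE rather than fall back silently, so a malformed offer produces a logged protocol error instead of a crash.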
Affected Versions

Product                    Release Series
Asterisk Open Source       1.6.x            All versions
Asterisk Business Edition  C.3              All versions
Corrected In

Product                    Release
Asterisk Open Source       1.6.0.22
Asterisk Open Source       1.6.1.14
Asterisk Open Source       1.6.2.2
Asterisk Business Edition  C.3.3.2
Patches

SVN URL                                                              Branch
http://downloads.asterisk.org/pub/security/AST-2010-001-1.6.0.diff   v1.6.0
http://downloads.asterisk.org/pub/security/AST-2010-001-1.6.1.diff   v1.6.1
http://downloads.asterisk.org/pub/security/AST-2010-001-1.6.2.diff   v1.6.2

Links

https://issues.asterisk.org/view.php?id=16634
https://issues.asterisk.org/view.php?id=16724
https://issues.asterisk.org/view.php?id=16517

Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/.pdf and http://downloads.digium.com/pub/security/.html

Revision History

Date      Editor         Revisions Made
02/02/10  David Vossel   Initial release


