Asterisk Security Advisory – AST-2009-005: Remote Crash Vulnerability in SIP channel driver
Posted by admin in asterisk, Asterisk Security Advisories, Security Advisories, sip on August 11, 2009
On certain implementations of libc, the scanf family of functions uses an unbounded amount of stack memory to repeatedly allocate string buffers prior to conversion to the target type. Coupled with Asterisk's allocation of thread stack sizes that are smaller than the default, an attacker may exhaust stack memory in the SIP stack network thread by presenting excessively long numeric strings in various fields.
Note that while this potential vulnerability has existed in Asterisk for a very long time, it is only potentially exploitable in 1.6.1 and above, since those are the first versions that allow SIP packets to exceed 1500 bytes in total; a 1500-byte limit does not permit strings that are large enough to crash Asterisk. (The number strings presented to us by the security researcher were approximately 32,000 bytes long.)
Additionally note that while this can crash Asterisk, execution of arbitrary code is not possible with this vector.
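The following added example (not code from Asterisk or from the advisory) shows one defensive way to parse a numeric SIP field so that an oversized digit string is rejected before any libc conversion sees it. The helper name `parse_bounded_uint`, the 10-digit cap and the sample inputs are assumptions made for illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Assumed cap for this example: 10 digits covers any 32-bit value. */
#define MAX_NUMERIC_DIGITS 10

/* Hypothetical helper: parse an unsigned decimal header value.
 * Returns 0 on success, -1 if empty, non-numeric, too long or > max. */
int parse_bounded_uint(const char *field, unsigned long max, unsigned long *out)
{
    size_t digits = 0;

    while (*field == ' ' || *field == '\t')   /* skip leading whitespace */
        field++;

    /* Count digits and stop as soon as the cap is exceeded, so the work
     * done is constant no matter how long the supplied string is. */
    while (isdigit((unsigned char)field[digits])) {
        if (++digits > MAX_NUMERIC_DIGITS)
            return -1;
    }
    if (digits == 0)
        return -1;

    /* Only whitespace or end of line may follow the number. */
    const char *rest = field + digits;
    while (*rest == ' ' || *rest == '\t' || *rest == '\r' || *rest == '\n')
        rest++;
    if (*rest != '\0')
        return -1;

    errno = 0;
    unsigned long v = strtoul(field, NULL, 10);   /* at most 10 digits here */
    if (errno == ERANGE || v > max)
        return -1;
    *out = v;
    return 0;
}

/* Constructed sample: a 32,000-digit value, the size cited in the advisory. */
int long_field_rejected(void)
{
    static char buf[32001];               /* static: last byte stays '\0' */
    unsigned long v;
    memset(buf, '9', sizeof(buf) - 1);
    return parse_bounded_uint(buf, 0xFFFFFFFFUL, &v) == -1;
}
```

Where `sscanf` must stay, an explicit field width in the conversion (for example `%10u`) bounds how many characters it will consume for that field.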
Upgrade Asterisk to one of the releases listed below.
| Product | Asterisk |
|---|---|
| Summary | Remote Crash Vulnerability in SIP channel driver |
| Nature of Advisory | Denial of Service |
| Susceptibility | Remote Unauthenticated Sessions |
| Severity | Critical in 1.6.1; minor in lesser versions |
| Exploits Known | No |
| Reported On | July 28, 2009 |
| Reported By | Nick Baggott < nbaggott AT mudynamics DOT com > |
| Posted On | August 10, 2009 |
| Last Updated On | August 10, 2009 |
| Advisory Contact | Tilghman Lesher < tlesher AT digium DOT com > |
| CVE Name | CVE-2009-2726 |
