==================================================================== CERT-Renater Note d'Information No. 2012/VULN131 ____________________________________________________________________ DATE : 16/03/2012 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S) : Systems running Asterisk Open Source versions 1.4.x, 1.6.2.x, 1.8.x, 10.x. ====================================================================== http://downloads.asterisk.org/pub/security/AST-2012-002.html http://downloads.asterisk.org/pub/security/AST-2012-003.txt ______________________________________________________________________ Asterisk Project Security Advisory - AST-2012-002 Product Asterisk Summary Remote Crash Vulnerability in Milliwatt Application Nature of Advisory Exploitable Stack Buffer Overflow with locally defined data Susceptibility Remote Unauthenticated Sessions Severity Minor Exploits Known No Reported On 03/14/2012 Reported By Russell Bryant Posted On 03/15/2012 Last Updated On March 15, 2012 Advisory Contact Matt Jordan CVE Name Description An attacker can cause Asterisk to crash in one of two ways: 1. A dialplan uses the Milliwatt application with 'o' option 2. The internal_timing opion in asterisk.conf is off 3. The attacker sends a large audio packet. The number of samples in the audio packet determines the number of internal data samples that are copied into the buffer. This overruns the buffer, potentially causing a crash. OR 1. A diaplan uses the Milliwatt application with the 'o' option 2. The attacker negotiates a media format with a sampling rate greater than 32kHz. The application will attempt to generate an audio packet using the sample rate of the negotiated format, where the sample rate will require a number of data points greater then the size of the buffer. Again, the the application copies a number of internal data samples into the buffer that are greater then the size of the buffer, potentially causing a crash. Note that the latter attack vector is only possible in Asterisk 10, as it supports codecs with a sample rate greater then 32kHz. Resolution Upgrade to one of the versions of Asterisk listed in the "Corrected In" section, or apply a patch specified in the "Patches" section. Affected Versions Product Release Series Asterisk Open Source 1.4.x All Versions Asterisk Open Source 1.6.2.x All Versions Asterisk Open Source 1.8.x All Versions Asterisk Open Source 10.x All Versions Corrected In Product Release Asterisk Open Source 1.4.44 Asterisk Open Source 1.6.2.23 Asterisk Open Source 1.8.10.1 Asterisk Open Source 10.2.1 Patches SVN URL Revision http://downloads.asterisk.org/pub/security/AST-2012-002-1.4.diff v1.4 http://downloads.asterisk.org/pub/security/AST-2012-002-1.6.2.diff v1.6.2 http://downloads.asterisk.org/pub/security/AST-2012-002-1.8.diff v1.8 http://downloads.asterisk.org/pub/security/AST-2012-002-10.diff v10 Links https://issues.asterisk.org/jira/browse/ASTERISK-19541 Asterisk Project Security Advisories are posted at http://www.asterisk.org/security This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/.pdf and http://downloads.digium.com/pub/security/.html Revision History Date Editor Revisions Made 03/15/2012 Matt Jordan Initial Release Asterisk Project Security Advisory - AST-2012-002 Copyright (c) 2012 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form. ______________________________________________________________________________ Asterisk Project Security Advisory - AST-2012-003 Product Asterisk Summary Stack Buffer Overflow in HTTP Manager Nature of Advisory Exploitable Stack Buffer Overflow Susceptibility Remote Unauthenticated Sessions Severity Critical Exploits Known No Reported On 03/15/2012 Reported By Russell Bryant Posted On 03/15/2012 Last Updated On March 15, 2012 Advisory Contact Matt Jordan < mjordan AT digium DOT com > CVE Name Description An attacker attempting to connect to an HTTP session of the Asterisk Manager Interface can send an arbitrarily long string value for HTTP Digest Authentication. This causes a stack buffer overflow, with the possibility of remote code injection. Resolution Upgrade to one of the versions of Asterisk listed in the "Corrected In" section, or apply a patch specified in the "Patches" section. Affected Versions Product Release Series Asterisk Open Source 1.8.x All versions Asterisk Open Source 10.x All versions Corrected In Product Release Asterisk Open Source 1.8.10.1 Asterisk Open Source 10.2.1 Patches SVN URL Revision http://downloads.asterisk.org/pub/security/AST-2012-003-1.8.diff v1.8 http://downloads.asterisk.org/pub/security/AST-2012-003-10.diff v10 Links https://issues.asterisk.org/jira/browse/ASTERISK-19542 Asterisk Project Security Advisories are posted at http://www.asterisk.org/security This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/.pdf and http://downloads.digium.com/pub/security/.html Revision History Date Editor Revisions Made 03-15-2012 Matt Jordan Initial release Asterisk Project Security Advisory - AST-2012-003 Copyright (c) 2012 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form. ====================================================================== ========================================================= Les serveurs de référence du CERT-Renater https://services.renater.fr/ssi/ http://www.renater.fr ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23 - 25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email: certsvp@renater.fr + =========================================================