ASA-2007-013: IAX2 users can cause unauthorized data disclosure

Author: Matt Riddell
Daily Asterisk News

                  Asterisk Project Security Advisory - ASA-2007-013

 +----------------------------------------------------------------------------------+
 |       Product        | Asterisk                                                  |
 |----------------------+-----------------------------------------------------------|
 |       Summary        | IAX2 users can cause unauthorized data disclosure         |
 |----------------------+-----------------------------------------------------------|
 |  Nature of Advisory  | Unauthorized information disclosure                       |
 |----------------------+-----------------------------------------------------------|
 |    Susceptibility    | Remote authenticated sessions                             |
 |----------------------+-----------------------------------------------------------|
 |       Severity       | Low                                                       |
 |----------------------+-----------------------------------------------------------|
 |    Exploits Known    | No                                                        |
 |----------------------+-----------------------------------------------------------|
 |     Reported On      | April 27, 2007                                            |
 |----------------------+-----------------------------------------------------------|
 |     Reported By      | Tim Panton, Mexuar,                                       |
 |                      |                                                           |
 |                      | Birgit Arkesteijn, Westhawk,                              |
 |----------------------+-----------------------------------------------------------|
 |      Posted On       | May 4, 2007                                               |
 |----------------------+-----------------------------------------------------------|
 |   Last Updated On    | May 4, 2007                                               |
 |----------------------+-----------------------------------------------------------|
 |   Advisory Contact   | kpfleming@digium.com                                      |
 |----------------------+-----------------------------------------------------------|
 |       CVE Name       | CVE-2007-2488                                             |
 +----------------------------------------------------------------------------------+

 +----------------------------------------------------------------------------------+
 | Description | > From: Tim Panton                                                 |
 |             | > Date: 27 April 2007 08:02:36 BDT                                 |
 |             | > To: "Kevin P. Fleming"                                           |
 |             | > Subject: Possible IAX2 vulnerability (Minor)                     |
 |             | >                                                                  |
 |             | > We've stumbled on a bug in the way Asterisk's IAX2 handles text  |
 |             | > frames. I'm emailing you because it is a borderline security     |
 |             | > vulnerability, and my friends in the security world tell me that |
 |             | > I should notify the vendor privately first. If you feel it isn't |
 |             | > a security issue, let me know and I'll put it in mantis.         |
 |             | >                                                                  |
 |             | > chan_iax2 assumes that the content of a text frame is a null     |
 |             | > terminated string (C style), and when time comes to forward the  |
 |             | > string it uses strlen to determine the message length.           |
 |             | >                                                                  |
 |             | > If you send a frame without a 0 byte in it, Asterisk forwards a  |
 |             | > frame that includes the sent data and some extra (presumably     |
 |             | > heap) data.                                                      |
 |             | >                                                                  |
 |             | > If an attacker were lucky, the extra data could contain something|
 |             | > interesting. Or conceivably it could cause a segmentation        |
 |             | > violation.                                                       |
 +----------------------------------------------------------------------------------+

 +----------------------------------------------------------------------------------+
 | Resolution | Asterisk code has been modified to enforce null-termination of      |
 |            | incoming text frames received by the IAX2 channel driver            |
 |            | (chan_iax2). When text frames are received without                  |
 |            | null-termination, this may result in the last byte of data in the   |
 |            | frame being lost, if the IAX2 reception process does not have space |
 |            | in its receive buffer to add a null character.                      |
 |            |                                                                     |
 |            | As this vulnerability is of 'low' severity, it does not justify new |
 |            | releases of Asterisk solely for mitigating its impact. The fix for  |
 |            | this vulnerability has been committed to the Asterisk Subversion    |
 |            | source code repositories and is available to all users who wish to  |
 |            | upgrade to a prerelease checkout of the respective development      |
 |            | branch for their release series of Asterisk. All other users can    |
 |            | upgrade when the next regularly scheduled release of their product  |
 |            | is produced.                                                        |
 +----------------------------------------------------------------------------------+
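The bug in the report and the fix in the resolution are both about one detail: who writes the terminating NUL. The following C program is an added illustration, not Asterisk's code and not the actual chan_iax2 change. It contrasts a receiver that copies a text-frame payload into its buffer and lets strlen() decide how much to forward (the reported behaviour) with one that writes the terminator itself and reserves a byte for it (the behaviour the resolution describes, including the case where a payload that fills the buffer loses its last byte). The function names, the 16-byte receive buffer, the 'X' bytes standing in for stale data, and the sample payloads are all constructed for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of the simulated receive buffer. Kept deliberately small (constructed
 * value) so the "last byte lost" edge case from the resolution is easy to see. */
#define RX_BUF_SIZE 16

/* Pre-fill the simulated receive buffer with stale bytes ('X') that stand in
 * for whatever earlier traffic left there, and force a terminator at the very
 * end so the demonstration itself never reads outside the buffer. */
static void fill_stale(unsigned char *buf, size_t n)
{
    memset(buf, 'X', n);
    buf[n - 1] = '\0';
}

/* Vulnerable pattern described in the report: copy the raw payload, then let
 * strlen() decide how many bytes to forward. With no NUL in the payload,
 * strlen() keeps going into the stale bytes, so the returned length exceeds
 * payload_len and the forwarded frame would carry those extra bytes. */
size_t forward_len_vulnerable(const unsigned char *payload, size_t payload_len)
{
    unsigned char buf[RX_BUF_SIZE];
    fill_stale(buf, sizeof buf);
    /* Keep the demo memory-safe: never overwrite the sentinel terminator. */
    if (payload_len > sizeof buf - 1)
        payload_len = sizeof buf - 1;
    memcpy(buf, payload, payload_len);
    return strlen((const char *)buf);
}

/* Hardened pattern matching the resolution: the receiver itself writes a NUL
 * after the payload. One byte of the buffer is reserved for it, so a payload
 * that fills the buffer loses its last byte (the trade-off the advisory notes).
 * Returns the number of bytes that will be forwarded. */
size_t forward_len_fixed(const unsigned char *payload, size_t payload_len,
                         unsigned char *buf, size_t buf_size)
{
    size_t n;
    if (buf_size == 0)
        return 0;
    n = payload_len;
    if (n > buf_size - 1)
        n = buf_size - 1;               /* reserve room for the terminator */
    memcpy(buf, payload, n);
    buf[n] = '\0';                      /* enforce termination */
    return strlen((const char *)buf);   /* now bounded by n */
}

/* Number of stale bytes the vulnerable path would forward for a payload. */
size_t leaked_bytes(const unsigned char *payload, size_t payload_len)
{
    size_t forwarded = forward_len_vulnerable(payload, payload_len);
    return forwarded > payload_len ? forwarded - payload_len : 0;
}

int main(void)
{
    /* Constructed text-frame payload: five bytes, no terminator. */
    static const unsigned char payload[] = { 'h', 'e', 'l', 'l', 'o' };
    unsigned char out[RX_BUF_SIZE];

    printf("payload bytes      : %zu\n", sizeof payload);
    printf("vulnerable forwards: %zu bytes (%zu stale bytes included)\n",
           forward_len_vulnerable(payload, sizeof payload),
           leaked_bytes(payload, sizeof payload));
    printf("fixed forwards     : %zu bytes\n",
           forward_len_fixed(payload, sizeof payload, out, sizeof out));
    return 0;
}
```

With the five-byte payload the vulnerable path reports 15 bytes to forward (the payload plus ten stale bytes), while the fixed path reports 5. A 16-byte payload into the 16-byte buffer comes back as 15 bytes from the fixed path, which is the "last byte of data in the frame being lost" case the resolution describes. A payload that already contains a NUL is cut at that NUL by both paths, since that is simply what strlen() measures.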

 +----------------------------------------------------------------------------------+
 |                                Affected Versions                                 |
 |----------------------------------------------------------------------------------|
 |             Product              |   Release   |                                 |
 |                                  |   Series    |                                 |
 |----------------------------------+-------------+---------------------------------|
 |       Asterisk Open Source       |    1.0.x    | has not been evaluated as this  |
 |                                  |             | release series is no longer     |
 |                                  |             | maintained                      |
 |----------------------------------+-------------+---------------------------------|
 |       Asterisk Open Source       |    1.2.x    | all releases prior to 1.2.19    |
 |----------------------------------+-------------+---------------------------------|
 |       Asterisk Open Source       |    1.4.x    | all releases prior to 1.4.4     |
 |----------------------------------+-------------+---------------------------------|
 |    Asterisk Business Edition     |    A.x.x    | all releases                    |
 |----------------------------------+-------------+---------------------------------|
 |    Asterisk Business Edition     |    B.x.x    | all releases prior to B.2.1     |
 |----------------------------------+-------------+---------------------------------|
 |           AsteriskNOW            | pre-release | all releases prior to and       |
 |                                  |             | including Beta 5                |
 |----------------------------------+-------------+---------------------------------|
 | Asterisk Appliance Developer Kit |    0.x.x    | all releases prior to 0.4.1     |
 +----------------------------------------------------------------------------------+

 +----------------------------------------------------------------------------------+
 |                                   Corrected In                                   |
 |----------------------------------------------------------------------------------|
 |       Product        |                          Release                          |
 |----------------------+-----------------------------------------------------------|
 | Asterisk Open Source |          1.2.19 and 1.4.4 will be available from          |
 |                      | ftp://ftp.digium.com/pub/telephony/asterisk when released |
 |----------------------+-----------------------------------------------------------|
 |  Asterisk Business   |    B.2.1, will be available from the Asterisk Business    |
 |       Edition        |    Edition user portal on http://www.digium.com or via    |
 |                      |          Digium Technical Support when released           |
 |----------------------+-----------------------------------------------------------|
 |     AsteriskNOW      |  Beta 6, when available from http://www.asterisknow.org,  |
 |                      |   Beta 5 users can use 'System Update' in the appliance   |
 |                      | control panel to update their version of AsteriskNOW when |
 |                      |             Asterisk 1.4.4 has been released              |
 |----------------------+-----------------------------------------------------------|
 |  Asterisk Appliance  |               0.4.1, will be available from               |
 |    Developer Kit     |   ftp://ftp.digium.com/pub/telephony/aadk when released   |
 +----------------------------------------------------------------------------------+

 +----------------------------------------------------------------------------------+
 |        Links         | http://bugs.digium.com/view.php?id=9638                   |
 +----------------------------------------------------------------------------------+

 +----------------------------------------------------------------------------------+
 | Asterisk Project Security Advisories are posted at                               |
 | http://www.asterisk.org/security.                                                |
 |                                                                                  |
 | This document may be superseded by later versions; if so, the latest version     |
 | will be posted at http://ftp.digium.com/pub/asa/ASA-2007-013.pdf.                |
 +----------------------------------------------------------------------------------+

 +----------------------------------------------------------------------------------+
 |                                 Revision History                                 |
 |----------------------------------------------------------------------------------|
 |       Date        |           Editor            |         Revisions Made         |
 |-------------------+-----------------------------+--------------------------------|
 |    May 4, 2007    |    kpfleming@digium.com     | initial release                |
 +----------------------------------------------------------------------------------+

                 Copyright (c) 2007 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.
