ASTERWEB Blog

5Feb/16Off

AST-2016-003: Remote crash vulnerability when receiving UDPTL FAX data

               Asterisk Project Security Advisory - AST-2016-003


         Product        Asterisk

         Summary        Remote crash vulnerability when receiving UDPTL FAX

                        data.

    Nature of Advisory  Denial of Service

      Susceptibility    Remote Authenticated Sessions

         Severity       Minor

      Exploits Known    Yes

       Reported On      December 2, 2015

       Reported By      Walter Dokes, Torrey Searle

        Posted On       February 3, 2016

     Last Updated On    February 3, 2016

     Advisory Contact   Richard Mudgett <rmudgett AT digium DOT com>

         CVE Name       Pending                                               


    Description  If no UDPTL packets are lost there is no problem. However,

                 a lost packet causes Asterisk to use the available error

                 correcting redundancy packets. If those redundancy packets

                 have zero length then Asterisk uses an uninitialized buffer

                 pointer and length value which can cause invalid memory

                 accesses later when the packet is copied.                    


    Resolution  Upgrade to a released version with the fix incorporated or

                apply patch.                                                  


                               Affected Versions

                         Product                       Release

                                                       Series

                  Asterisk Open Source                  1.8.x   All versions

                  Asterisk Open Source                  11.x    All versions

                  Asterisk Open Source                  12.x    All versions

                  Asterisk Open Source                  13.x    All versions

                   Certified Asterisk                  1.8.28   All versions

                   Certified Asterisk                   11.6    All versions

                   Certified Asterisk                   13.1    All versions  


                                  Corrected In

          Product                              Release

    Asterisk Open Source                   11.21.1, 13.7.1

     Certified Asterisk                11.6-cert12, 13.1-cert3                


                                      Patches

                                 SVN URL                               Revision

   http://downloads.asterisk.org/pub/security/AST-2016-003-1.8.28.diff Certified

                                                                       Asterisk

                                                                       1.8.28

   http://downloads.asterisk.org/pub/security/AST-2016-003-11.6.diff   Certified

                                                                       Asterisk

                                                                       11.6

   http://downloads.asterisk.org/pub/security/AST-2016-003-13.1.diff   Certified

                                                                       Asterisk

                                                                       13.1

   http://downloads.asterisk.org/pub/security/AST-2016-003-1.8.diff    Asterisk

                                                                       1.8

   http://downloads.asterisk.org/pub/security/AST-2016-003-11.diff     Asterisk

                                                                       11

   http://downloads.asterisk.org/pub/security/AST-2016-003-12.diff     Asterisk

                                                                       12

   http://downloads.asterisk.org/pub/security/AST-2016-003-13.diff     Asterisk

                                                                       13        


    Links  https://issues.asterisk.org/jira/browse/ASTERISK-25603             


    Asterisk Project Security Advisories are posted at

    http://www.asterisk.org/security                                          


    This document may be superseded by later versions; if so, the latest

    version will be posted at

    http://downloads.digium.com/pub/security/AST-2016-003.pdf and

    http://downloads.digium.com/pub/security/AST-2016-003.html

Inserito in: Asterisk, Asterisk - Sicurezza Disabilita commenti
Commenti (0) Trackback (0)

Spiacenti, il modulo dei commenti è chiuso per ora.

Ancora nessun trackback.

» «

Pagine

Categorie

Blogroll

Archivio

Meta