Asterisk 1.2.17 fixes SIP DoS vulnerability

Bug #94792 reported by pirast on 2007-03-22
Affects | Status | Importance | Assigned to | Milestone
asterisk (Ubuntu) | | High | Kees Cook |
Breezy | | Wishlist | Unassigned |
Dapper | | High | Kees Cook |
Edgy | | High | Kees Cook |
Feisty | | High | Kees Cook |

Bug Description

Binary package hint: asterisk

Asterisk 1.2.17 fixes a SIP DoS vulnerability.

See the announcement at http://www.asterisk.org/node/48339


pirast (pirast) wrote :

Security change in ChangeLog:

2007-03-14 16:38 +0000 [r58896] Russell Bryant <email address hidden>

 * SECURITY: Add a note to the security file that the Asterisk CLI
   and log files may contain sensitive information, and that people
   should keep this in mind.

Changed in asterisk:
status: Unconfirmed → Confirmed
pirast (pirast) wrote :

Lol, wrong ChangeLog entry.. Extracting the right one..

Changed in asterisk:
importance: Undecided → High
pirast (pirast) wrote :

This looks right:

http://svn.digium.com/view/asterisk/branches/1.2/channels/chan_sip.c?r1=56230&r2=57475

If a SIP message comes in and goes to a method handler that requires additional values that may not be present then send back an error.

Compare http://voipsa.org/pipermail/voipsec_voipsa.org/2007-March/002275.html (also the date).

I will run an exploit against my Asterisk, if one is available, to verify that this patch fixes the problem.

pirast (pirast) wrote :

Sadly I was not able to find an exploit and thus could not make sure that this patch fixes the issue.

pirast (pirast) on 2007-03-22
Changed in asterisk:
assignee: nobody → pirast
status: Unconfirmed → Confirmed
importance: Undecided → High
assignee: nobody → pirast
pirast (pirast) wrote :

"hi, pirast: that was indeed the revision that provided a fix for
the vulnerability in Mu Security's advisory. Please note that the following
line was changed later on in rev.58052

-transmit_response(p, "503 Server error", req);
+transmit_response(p, "400 Bad request", req "
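Review bot: the `+` line as quoted stops at `req` and lacks the `);` that closes the call on the `-` line, so take the exact text from rev. 58052 rather than from this quote when preparing a patch. The status change itself moves the reply from a 5xx server-failure code to a 4xx client-error code, which fits the earlier description in this thread of a request missing values its method handler requires.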

Changed in asterisk:
status: Confirmed → In Progress
Kees Cook (kees) wrote :

The above commit was what was released for the 1.2.16 update (CVE-2007-1306). I suspect the new issue (which needs a CVE) was fixed with this commit:

http://svn.digium.com/view/asterisk/branches/1.2/channels/chan_sip.c?r1=58115&r2=58579

Note that as described in the announcement, if an invalid IP is included on a connection line, the resulting hp-> deref will segfault without the above return -1.

I imagine using "sipsak", you could produce the needed values. There are some example protocol dumps that include the "c=IN IP4" lines here:

http://www.ietf.org/internet-drafts/draft-ietf-sip-connected-identity-05.txt
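
The failure mode described in the comment above, as an added example that is not Asterisk's code and not part of the original report: a lookup that returns NULL for an invalid address on the SDP connection line must be rejected with `return -1` before the result is dereferenced. The names `lookup_ipv4` and `sdp_connection_addr` and both SDP bodies are hypothetical and constructed for illustration; the lookup is numeric-only so the example runs offline.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Constructed SDP bodies; addresses are documentation/test values. */
static const char GOOD_SDP[] = "v=0\r\nc=IN IP4 192.0.2.10\r\nm=audio 49170 RTP/AVP 0\r\n";
static const char BAD_SDP[]  = "v=0\r\nc=IN IP4 999.0.2.10\r\nm=audio 49170 RTP/AVP 0\r\n";

/* Hypothetical stand-in for a resolver that, like gethostbyname(),
 * returns NULL on failure. Numeric-only so the example runs offline. */
static const struct in_addr *lookup_ipv4(const char *host)
{
    static struct in_addr addr;
    return inet_pton(AF_INET, host, &addr) == 1 ? &addr : NULL;
}

/* Read the first "c=IN IP4 <host>" line of an SDP body into *out.
 * Returns 0 on success, -1 if the line is absent or the host is invalid. */
int sdp_connection_addr(const char *sdp, struct in_addr *out)
{
    char host[256];
    const char *line = sdp;
    const struct in_addr *hp;

    while (line && strncmp(line, "c=", 2) != 0) {
        line = strchr(line, '\n');      /* advance to the next line */
        if (line)
            line++;
    }
    if (!line || sscanf(line, "c=IN IP4 %255[^\r\n]", host) != 1)
        return -1;

    hp = lookup_ipv4(host);
    if (!hp)
        return -1;   /* reject here; dereferencing hp below would crash */
    *out = *hp;
    return 0;
}

int main(void)
{
    struct in_addr a;
    printf("good: %d\n", sdp_connection_addr(GOOD_SDP, &a));
    printf("bad:  %d\n", sdp_connection_addr(BAD_SDP, &a));
    return 0;
}
```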

pirast (pirast) wrote :

Ho hum, probably that was not the right patch, we already applied it in the previous bug report and it really fixes the (old) exploit. Probably the person I quoted is speaking about the old security problem :(

57475 is included in 1.2.16, searching a new patch now :(

pirast (pirast) wrote :

Lol Kees you were faster than me...

Kees Cook (kees) on 2007-03-22
Changed in asterisk:
assignee: nobody → keescook
importance: Undecided → Medium
status: Unconfirmed → Confirmed
importance: Medium → High
pirast (pirast) wrote :

Here: http://bugs.digium.com/view.php?id=9203

at the bottom it says so..

pirast (pirast) wrote :

Feisty debdiff, please apply :)

Changed in asterisk:
assignee: pirast → nobody
status: In Progress → Confirmed
pirast (pirast) wrote :

Edgy debdiff, please check & apply :)

Changed in asterisk:
assignee: pirast → nobody
Kees Cook (kees) wrote :

Building updates now.

Changed in asterisk:
assignee: nobody → keescook
status: Confirmed → Fix Committed
assignee: nobody → keescook
status: Confirmed → Fix Committed
status: Confirmed → Fix Committed
importance: Undecided → Wishlist
status: Unconfirmed → Rejected
Kees Cook (kees) wrote :

Uploaded to the archive; they should be available soon.

Changed in asterisk:
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
This report contains Public Security information
Everyone can see this security related information.