Asterisk 1.2.17 fixes SIP DoS vulnerability

Bug #94792 reported by magilus
Affects            Status         Importance   Assigned to   Milestone
asterisk (Ubuntu)  Fix Released   High         Kees Cook
Breezy             Invalid        Wishlist     Unassigned
Dapper             Fix Released   High         Kees Cook
Edgy               Fix Released   High         Kees Cook
Feisty             Fix Released   High         Kees Cook

Bug Description

Binary package hint: asterisk

Asterisk 1.2.17 fixes a SIP DoS vulnerability.

See the announcement at http://www.asterisk.org/node/48339

magilus (magilus) wrote :

Security change in ChangeLog:

2007-03-14 16:38 +0000 [r58896] Russell Bryant <email address hidden>

 * SECURITY: Add a note to the security file that the Asterisk CLI
   and log files may contain sensitive information, and that people
   should keep this in mind.

Changed in asterisk:
status: Unconfirmed → Confirmed
magilus (magilus) wrote :

Lol, wrong ChangeLog entry.. Extracting the right one..

Changed in asterisk:
importance: Undecided → High
magilus (magilus) wrote :

This looks right:

http://svn.digium.com/view/asterisk/branches/1.2/channels/chan_sip.c?r1=56230&r2=57475

If a SIP message comes in and goes to a method handler that requires additional values that may not be present then send back an error.

Compare http://voipsa.org/pipermail/voipsec_voipsa.org/2007-March/002275.html (also the date).

I will run an exploit against my Asterisk if one is available to verify that this patch fixes the problem.

magilus (magilus) wrote :

Sadly I was not able to find an exploit and thus could not make sure that this patch fixes the issue.

magilus (magilus)
Changed in asterisk:
assignee: nobody → pirast
status: Unconfirmed → Confirmed
importance: Undecided → High
assignee: nobody → pirast
magilus (magilus) wrote :

"hi, pirast: that was indeed the revision that provided a fix for
vulnerability in Mu Security's advisory. Please note that the following
line was changed later on in rev.58052

-transmit_response(p, "503 Server error", req);
+transmit_response(p, "400 Bad request", req "
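
Review bot: the + line as quoted stops at `req "` with no closing `);`, so it is not a complete statement; when backporting, take the line from rev.58052 itself rather than from this quote. The move from 503 to 400 fits the case described earlier in this report, a SIP message that lacks values its method handler requires, which is an error in the request rather than a server fault.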

Changed in asterisk:
status: Confirmed → In Progress
Kees Cook (kees) wrote :

The above commit was what was released for the 1.2.16 update (CVE-2007-1306). I suspect the new issue (which needs a CVE) was fixed with this commit:

http://svn.digium.com/view/asterisk/branches/1.2/channels/chan_sip.c?r1=58115&r2=58579

Note that as described in the announcement, if an invalid IP is included on a connection line, the resulting hp-> deref will segfault without the above return -1.

I imagine using "sipsak", you could produce the needed values. There are some example protocol dumps that include the "c=IN IP4" lines here:

http://www.ietf.org/internet-drafts/draft-ietf-sip-connected-identity-05.txt
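
The guard described in the comment above, as an added example that is not Asterisk's code and not part of the original thread: a lookup that can return NULL is checked, and the parser returns -1 before the pointer is dereferenced. The names `lookup_ipv4` and `sdp_connection_addr` are hypothetical, the SDP bodies are constructed samples, and the lookup accepts numeric IPv4 only so that it runs offline.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample SDP bodies (not captured traffic). */
static const char SDP_OK[]  = "v=0\r\ns=-\r\nc=IN IP4 192.0.2.10\r\nt=0 0\r\n";
static const char SDP_BAD[] = "v=0\r\ns=-\r\nc=IN IP4 999.999.999.999\r\nt=0 0\r\n";

/* Hypothetical resolver stand-in: returns NULL on failure, as a
 * gethostbyname-style call does. Numeric IPv4 only, so no DNS is needed. */
static struct in_addr *lookup_ipv4(const char *host, struct in_addr *buf)
{
    return inet_pton(AF_INET, host, buf) == 1 ? buf : NULL;
}

/* Read the address from the SDP "c=IN IP4 <host>" line.
 * Returns 0 and fills *out, or -1 if the line is absent, malformed,
 * or names a host that does not resolve. */
int sdp_connection_addr(const char *sdp, struct in_addr *out)
{
    char host[256];
    struct in_addr buf, *hp;
    const char *line = sdp;

    while (line && strncmp(line, "c=", 2) != 0) {
        line = strchr(line, '\n');      /* step to the next SDP line */
        if (line)
            line++;
    }
    if (!line || sscanf(line, "c=IN IP4 %255s", host) != 1)
        return -1;                      /* no usable connection line */

    hp = lookup_ipv4(host, &buf);
    if (!hp)
        return -1;  /* the guard: without it, *hp below dereferences NULL */
    *out = *hp;
    return 0;
}

int main(void)
{
    struct in_addr a;
    printf("valid c= line:   %d\n", sdp_connection_addr(SDP_OK, &a));
    printf("invalid c= line: %d\n", sdp_connection_addr(SDP_BAD, &a));
    printf("no c= line:      %d\n", sdp_connection_addr("v=0\r\n", &a));
    return 0;
}
```

A caller that receives -1 can reject the request instead of continuing with an unset address.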

magilus (magilus) wrote :

Ho hum, probably that was not the right patch, we already applied it in the previous bug report and it really fixes the (old) exploit. Probably the person I quoted is speaking about the old security problem :(

57475 is included in 1.2.16, searching for a new patch now :(

magilus (magilus) wrote :

Lol Kees you were faster than me...

Kees Cook (kees)
Changed in asterisk:
assignee: nobody → keescook
importance: Undecided → Medium
status: Unconfirmed → Confirmed
importance: Medium → High
magilus (magilus) wrote :

Here: http://bugs.digium.com/view.php?id=9203

at the bottom it says so..

magilus (magilus) wrote :

Feisty debdiff, please apply :)

Changed in asterisk:
assignee: pirast → nobody
status: In Progress → Confirmed
magilus (magilus) wrote :

Edgy debdiff, please check & apply :)

Changed in asterisk:
assignee: pirast → nobody
Kees Cook (kees) wrote :

Building updates now.

Changed in asterisk:
assignee: nobody → keescook
status: Confirmed → Fix Committed
assignee: nobody → keescook
status: Confirmed → Fix Committed
status: Confirmed → Fix Committed
importance: Undecided → Wishlist
status: Unconfirmed → Rejected
Kees Cook (kees) wrote :

Uploaded to the archive; they should be available soon.

Changed in asterisk:
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
