ASA-2007-017: Remote Crash Vulnerability in STUN implementation

           Asterisk Project Security Advisory - ASA-2007-017

±-----------------------------------------------------------------------+
| Product | Asterisk |
|--------------------±--------------------------------------------------|
| Summary | Remote Crash Vulnerability in STUN implementation |
|--------------------±--------------------------------------------------|
| Nature of Advisory | Denial of Service |
|--------------------±--------------------------------------------------|
| Susceptibility | Remote Unauthenticated Sessions |
|--------------------±--------------------------------------------------|
| Severity | Critical |
|--------------------±--------------------------------------------------|
| Exploits Known | No |
|--------------------±--------------------------------------------------|
| Reported On | July 13, 2007 |
|--------------------±--------------------------------------------------|
| Reported By | Will Drewry, Google Security Team |
|--------------------±--------------------------------------------------|
| Posted On | July 17, 2007 |
|--------------------±--------------------------------------------------|
| Last Updated On | July 17, 2007 |
|--------------------±--------------------------------------------------|
| Advisory Contact | Joshua Colp <[email protected]> |
|--------------------±--------------------------------------------------|
| CVE Name | CVE-2007-3765 |
±-----------------------------------------------------------------------+

±-----------------------------------------------------------------------+
| Description | The Asterisk STUN implementation in the RTP stack has a |
| | remotely exploitable crash vulnerability. A pointer may |
| | run past accessible memory if Asterisk receives a |
| | specially crafted STUN packet on an active RTP port. |
| | |
| | The code that parses the incoming STUN packets |
| | incorrectly checks that the length indicated in the STUN |
| | attribute and the size of the STUN attribute header does |
| | not exceed the available data. This will cause the data |
| | pointer to run past accessible memory and when accessed |
| | will cause a crash. |
±-----------------------------------------------------------------------+

±-----------------------------------------------------------------------+
| Resolution | All users that have chan_sip, chan_gtalk, chan_jingle, |
| | chan_h323, chan_mgcp, or chan_skinny enabled on an |
| | affected version should upgrade to the appropriate |
| | version listed in the correct in section of this |
| | advisory. |
±-----------------------------------------------------------------------+

±-----------------------------------------------------------------------+

±-----------------------------------------------------------------------+

±-----------------------------------------------------------------------+
| Links | |
±-----------------------------------------------------------------------+

±-----------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security. |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://ftp.digium.com/pub/asa/ASA-2007-017.pdf. |
±-----------------------------------------------------------------------+

±-----------------------------------------------------------------------+

           Asterisk Project Security Advisory - ASA-2007-017
          Copyright (c) 2007 Digium, Inc. All Rights Reserved.

Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.