SecurityvulnsSECURITYVULNS:DOC:22855AST-2009-010: RTP Remote Crash Vulnerability
Asterisk Project Security Advisory - AST-2009-010
±-----------------------------------------------------------------------+
| Product | Asterisk |
|----------------------±------------------------------------------------|
| Summary | RTP Remote Crash Vulnerability |
|----------------------±------------------------------------------------|
| Nature of Advisory | Denial of Service |
|----------------------±------------------------------------------------|
| Susceptibility | Remote unauthenticated sessions |
|----------------------±------------------------------------------------|
| Severity | Critical |
|----------------------±------------------------------------------------|
| Exploits Known | No |
|----------------------±------------------------------------------------|
| Reported On | November 13, 2009 |
|----------------------±------------------------------------------------|
| Reported By | issues.asterisk.org user amorsen |
|----------------------±------------------------------------------------|
| Posted On | November 30, 2009 |
|----------------------±------------------------------------------------|
| Last Updated On | November 30, 2009 |
|----------------------±------------------------------------------------|
| Advisory Contact | David Vossel < dvossel AT digium DOT com > |
|----------------------±------------------------------------------------|
| CVE Name | CVE-2009-4055 |
±-----------------------------------------------------------------------+
±-----------------------------------------------------------------------+
| Description | An attacker sending a valid RTP comfort noise payload |
| | containing a data length of 24 bytes or greater can |
| | remotely crash Asterisk. |
±-----------------------------------------------------------------------+
±-----------------------------------------------------------------------+
| Resolution | Upgrade to one of the versions of Asterisk listed in the |
| | "Corrected In" section, or apply a patch specified in the |
| | "Patches" section. |
±-----------------------------------------------------------------------+
±-----------------------------------------------------------------------+
| Affected Versions |
|---|
| Product |
| ----------------------------------±---------------±------------------- |
| Asterisk Open Source |
| ----------------------------------±---------------±------------------- |
| Asterisk Open Source |
| ----------------------------------±---------------±------------------- |
| Asterisk Open Source |
| ----------------------------------±---------------±------------------- |
| Asterisk Business Edition |
| ----------------------------------±---------------±------------------- |
| Asterisk Business Edition |
| ----------------------------------±---------------±------------------- |
| s800i (Asterisk Appliance) |
| ±-----------------------------------------------------------------------+ |
±-----------------------------------------------------------------------+
| Corrected In |
|---|
| Product |
| ---------------------------------------------±------------------------- |
| Asterisk Open Source |
| ---------------------------------------------±------------------------- |
| Asterisk Open Source |
| ---------------------------------------------±------------------------- |
| Asterisk Open Source |
| ---------------------------------------------±------------------------- |
| Asterisk Open Source |
| ---------------------------------------------±------------------------- |
| Asterisk Business Edition |
| ---------------------------------------------±------------------------- |
| Asterisk Business Edition |
| ---------------------------------------------±------------------------- |
| Asterisk Business Edition |
| ---------------------------------------------±------------------------- |
| S800i (Asterisk Appliance) |
| ±-----------------------------------------------------------------------+ |
±----------------------------------------------------------------------------+
| Patches |
|---|
| Link |
| ----------------------------------------------------------------------±----- |
| http://downloads.asterisk.org/pub/security/AST-2009-010-1.2.diff.txt |
| ----------------------------------------------------------------------±----- |
| http://downloads.asterisk.org/pub/security/AST-2009-010-1.4.diff.txt |
| ----------------------------------------------------------------------±----- |
| http://downloads.asterisk.org/pub/security/AST-2009-010-1.6.0.diff.txt |
| ----------------------------------------------------------------------±----- |
| http://downloads.asterisk.org/pub/security/AST-2009-010-1.6.1.diff.txt |
| ±----------------------------------------------------------------------------+ |
±-----------------------------------------------------------------------+
| Links | https://issues.asterisk.org/view.php?id=16242 |
±-----------------------------------------------------------------------+
±-----------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://downloads.digium.com/pub/security/AST-2009-010.pdf and |
| http://downloads.digium.com/pub/security/AST-2009-010.html |
±-----------------------------------------------------------------------+
±-----------------------------------------------------------------------+
| Revision History |
|---|
| Date |
| ------------------±--------------------±------------------------------ |
| 2009-09-03 |
| ±-----------------------------------------------------------------------+ |
Asterisk Project Security Advisory - AST-2009-010
Copyright (c) 2009 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
Related
