CVE-2009-2726
Published: 12 August 2009
The SIP channel driver in Asterisk Open Source 1.2.x before 1.2.34, 1.4.x before 1.4.26.1, 1.6.0.x before 1.6.0.12, and 1.6.1.x before 1.6.1.4; Asterisk Business Edition A.x.x, B.x.x before B.2.5.9, C.2.x before C.2.4.1, and C.3.x before C.3.1; and Asterisk Appliance s800i 1.2.x before 1.3.0.3 does not use a maximum width when invoking sscanf style functions, which allows remote attackers to cause a denial of service (stack memory consumption) via SIP packets containing large sequences of ASCII decimal characters, as demonstrated via vectors related to (1) the CSeq value in a SIP header, (2) large Content-Length value, and (3) SDP.
Notes
| Author | Note |
|---|---|
| jdstrand | per the AST, this changes all the scanf functions. Upstream says: "Note that while this potential vulnerability has existed in Asterisk for a very long time, it is only potentially exploitable in 1.6.1 and above, since those versions are the first that have allowed SIP packets to exceed 1500 bytes total, which does not permit strings that are large enough to crash Asterisk." Deferring for now. |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
asterisk Launchpad, Ubuntu, Debian |
dapper |
Ignored
(end of life, was deferred)
|
| hardy |
Ignored
(end of life)
|
|
| intrepid |
Ignored
(end of life, was deferred)
|
|
| jaunty |
Ignored
(end of life, was deferred)
|
|
| karmic |
Not vulnerable
(1.6.2)
|
|
| lucid |
Not vulnerable
(1.6.2)
|
|
| maverick |
Not vulnerable
(1.6.2)
|
|
| natty |
Not vulnerable
(1.6.2)
|
|
| upstream |
Released
(1:1.6.2.0~dfsg~beta4-0ubuntu2)
|
|
|
Patches: upstream: http://downloads.digium.com/pub/security/AST-2009-005-1.4.diff.txt |
||