CVE-2009-2726: Asterisk SIP Channel Driver Denial of Service

Related Vulnerabilities: CVE-2009-2726  

Debian Bug report logs - #541441
CVE-2009-2726: Asterisk SIP Channel Driver Denial of Service


Reported by: Giuseppe Iuculano <giuseppe@iuculano.it>

Date: Fri, 14 Aug 2009 08:57:02 UTC

Severity: serious

Tags: security

Found in version asterisk/1:1.6.1.0~dfsg-1

Fixed in version asterisk/1:1.6.2.0~dfsg~rc1-1

Done: Faidon Liambotis <paravoid@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#541441; Package asterisk. (Fri, 14 Aug 2009 08:57:04 GMT)


Acknowledgement sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Fri, 14 Aug 2009 08:57:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2009-2726: Asterisk SIP Channel Driver Denial of Service
Date: Fri, 14 Aug 2009 10:51:55 +0200
Package: asterisk
Severity: serious
Tags: security



Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for asterisk.

CVE-2009-2726[0]:
| The SIP channel driver in Asterisk Open Source 1.2.x before 1.2.34,
| 1.4.x before 1.4.26.1, 1.6.0.x before 1.6.0.12, and 1.6.1.x before
| 1.6.1.4; Asterisk Business Edition A.x.x, B.x.x before B.2.5.9, C.2.x
| before C.2.4.1, and C.3.x before C.3.1; and Asterisk Appliance s800i
| 1.2.x before 1.3.0.3 does not use a maximum width when invoking sscanf
| style functions, which allows remote attackers to cause a denial of
| service (stack memory consumption) via SIP packets containing large
| sequences of ASCII decimal characters, as demonstrated via vectors
| related to (1) the CSeq value in a SIP header, (2) large
| Content-Length value, and (3) SDP.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2726
    http://security-tracker.debian.net/tracker/CVE-2009-2726

Cheers,
Giuseppe

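The CVE text quoted above describes an sscanf-style conversion with no maximum field width, so a header carrying a very long run of ASCII digits is consumed whole. As an added example that is not part of this bug report or of Asterisk's own code, the following C shows the bounded counterpart for a CSeq header: a field width plus a leftover-digit check, exercised against a constructed 32,000-digit value of the size the advisory mentions. The function names and the ten-digit limit (derived from the RFC 3261 CSeq bound of 2^31-1) are this example's own choices.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bounded parsing of a SIP CSeq header value (constructed example, not
 * Asterisk's own code). The defect described in the advisory is an
 * sscanf-style conversion with no maximum field width, so a header carrying
 * tens of thousands of ASCII digits is buffered whole on the stack. Giving
 * the conversion a width and rejecting leftover digits bounds the work per
 * header. RFC 3261 caps CSeq at 2^31-1, so ten decimal digits suffice. */
#define CSEQ_MAX_VALUE 2147483647ULL

/* Parse "CSeq: <number> <method>" into *seq. Returns 0 on success, -1 on a
 * malformed, overlong or out-of-range sequence number. */
int parse_cseq(const char *line, unsigned long long *seq)
{
    unsigned long long v = 0;
    int consumed = 0;
    /* "%10llu" consumes at most ten digits; "%n" records how far the scan
     * got so the character after the field can be inspected. */
    if (sscanf(line, "CSeq: %10llu%n", &v, &consumed) != 1)
        return -1;
    /* A digit right after the field means it exceeded the width: reject it
     * rather than silently truncating to the first ten digits. */
    if (isdigit((unsigned char)line[consumed]))
        return -1;
    if (v > CSEQ_MAX_VALUE)
        return -1;
    *seq = v;
    return 0;
}

/* Build a constructed header whose digit run matches the size quoted in
 * AST-2009-005 (about 32,000 digits) and check that the bounded parser
 * rejects it. Returns 1 when rejected, 0 otherwise. */
int oversized_cseq_rejected(void)
{
    const char prefix[] = "CSeq: ";
    const char suffix[] = " INVITE\r\n";
    const size_t digits = 32000;
    size_t plen = sizeof(prefix) - 1;
    char *line = malloc(plen + digits + sizeof(suffix));
    if (!line)
        return 0;
    memcpy(line, prefix, plen);
    memset(line + plen, '7', digits);
    memcpy(line + plen + digits, suffix, sizeof(suffix));  /* includes NUL */
    unsigned long long seq = 0;
    int rc = parse_cseq(line, &seq);
    free(line);
    return rc == -1;
}
```

The same width-plus-leftover check applies to the other fields the CVE names (Content-Length and the numeric SDP values); only the digit limit and range differ.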




Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#541441; Package asterisk. (Fri, 14 Aug 2009 13:36:02 GMT)


Acknowledgement sent to Faidon Liambotis <paravoid@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Fri, 14 Aug 2009 13:36:02 GMT)


Message #10 received at 541441@bugs.debian.org:

From: Faidon Liambotis <paravoid@debian.org>
To: 541441@bugs.debian.org
Cc: Giuseppe Iuculano <giuseppe@iuculano.it>, security@debian.org
Subject: Re: Bug#541441: CVE-2009-2726: Asterisk SIP Channel Driver Denial of Service
Date: Fri, 14 Aug 2009 16:32:25 +0300
That's AST-2009-005[1], which mentions:

> Note that while this potential vulnerability has existed in Asterisk for
> a very long time, it is only potentially exploitable in 1.6.1 and above,
> since those versions are the first that have allowed SIP packets to
> exceed 1500 bytes total, which does not permit strings that are large
> enough to crash Asterisk. (The number strings presented to us by the
> security researcher were approximately 32,000 bytes long.)
> 
> Additionally note that while this can crash Asterisk, execution of
> arbitrary code is not possible with this vector.
Hence, I don't think it warrants a security update for stable/oldstable.

Unstable is vulnerable though, I'll prepare a fix.

Regards,
Faidon

1: http://downloads.asterisk.org/pub/security/AST-2009-005.html






Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#541441; Package asterisk. (Fri, 21 Aug 2009 18:45:18 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Fri, 21 Aug 2009 18:45:18 GMT)


Message #15 received at 541441@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Faidon Liambotis <paravoid@debian.org>
Cc: 541441@bugs.debian.org, Giuseppe Iuculano <giuseppe@iuculano.it>, security@debian.org
Subject: Re: Bug#541441: CVE-2009-2726: Asterisk SIP Channel Driver Denial of Service
Date: Fri, 21 Aug 2009 20:40:37 +0200
On Fri, Aug 14, 2009 at 04:32:25PM +0300, Faidon Liambotis wrote:
> That's AST-2009-005[1], which mentions:
> 
> > Note that while this potential vulnerability has existed in Asterisk for
> > a very long time, it is only potentially exploitable in 1.6.1 and above,
> > since those versions are the first that have allowed SIP packets to
> > exceed 1500 bytes total, which does not permit strings that are large
> > enough to crash Asterisk. (The number strings presented to us by the
> > security researcher were approximately 32,000 bytes long.)
> > 
> > Additionally note that while this can crash Asterisk, execution of
> > arbitrary code is not possible with this vector.
> Hence, I don't think it warrants a security update for stable/oldstable.
> 
> Unstable is vulnerable though, I'll prepare a fix.

Thanks, added to the tracker.

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#541441; Package asterisk. (Fri, 21 Aug 2009 20:12:13 GMT)


Acknowledgement sent to "Gary Herbstman" <garyh@bytesolutions.com>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Fri, 21 Aug 2009 20:12:13 GMT)


Message #20 received at 541441@bugs.debian.org:

From: "Gary Herbstman" <garyh@bytesolutions.com>
To: "Moritz Muehlenhoff" <jmm@inutil.org>, <541441@bugs.debian.org>, "Faidon Liambotis" <paravoid@debian.org>
Cc: "Giuseppe Iuculano" <giuseppe@iuculano.it>, <security@debian.org>
Subject: RE: Bug#541441: CVE-2009-2726: Asterisk SIP Channel Driver Denial of Service
Date: Fri, 21 Aug 2009 15:51:37 -0400
This pretty clearly states the recipient's mailbox does not exist. This
kind of message is typically accurate.

Have we double-checked the recipient is not having a problem??

-----Original Message-----
From: Moritz Muehlenhoff [mailto:jmm@inutil.org] 
Sent: Friday, August 21, 2009 14:41
To: Faidon Liambotis
Cc: 541441@bugs.debian.org; Giuseppe Iuculano; security@debian.org
Subject: Bug#541441: CVE-2009-2726: Asterisk SIP Channel Driver Denial of Service

On Fri, Aug 14, 2009 at 04:32:25PM +0300, Faidon Liambotis wrote:
> That's AST-2009-005[1], which mentions:
> 
> > Note that while this potential vulnerability has existed in Asterisk
> > for a very long time, it is only potentially exploitable in 1.6.1
> > and above, since those versions are the first that have allowed SIP
> > packets to exceed 1500 bytes total, which does not permit strings
> > that are large enough to crash Asterisk. (The number strings
> > presented to us by the security researcher were approximately 32,000
> > bytes long.)
> > 
> > Additionally note that while this can crash Asterisk, execution of
> > arbitrary code is not possible with this vector.
> Hence, I don't think it warrants a security update for
> stable/oldstable.
> 
> Unstable is vulnerable though, I'll prepare a fix.

Thanks, added to the tracker.

Cheers,
        Moritz







Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#541441; Package asterisk. (Sat, 12 Sep 2009 21:48:15 GMT)


Acknowledgement sent to Tzafrir Cohen <tzafrir.cohen@xorcom.com>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Sat, 12 Sep 2009 21:48:15 GMT)


Message #25 received at 541441@bugs.debian.org:

From: Tzafrir Cohen <tzafrir.cohen@xorcom.com>
To: control@bugs.debian.org
Cc: 532971@bugs.debian.org, 539150@bugs.debian.org, 539473@bugs.debian.org, 541441@bugs.debian.org
Subject: setting package to asterisk-dbg asterisk-config asterisk-doc asterisk-dev asterisk asterisk-sounds-main asterisk-h423 ...
Date: Sun, 13 Sep 2009 00:42:13 +0300
# Automatically generated email from bts, devscripts version 2.10.35lenny3
# via tagpending 
#
# asterisk (1:1.6.2.0~dfsg~rc1-1) UNRELEASED; urgency=low
#
#  * New upstream release.
#    - Fixes CVE-2009-2726 aka AST-2009-005 (Closes: #541441).
#    - Ship CC BY-SA 3.0 licensed music-on-hold sounds, replacing the old
#      non-free FreePlay Music that were never distributed by Debian.
#    - Removed patches/makefile_appdocs_dtd (merged upstream) and
#      patches/disable_moh (obsoleted, see above).
#  * Fix FTBFS on armel. (Closes: #532971)
#  * Fix name of voicemail 'openssl' dep. (Thomas Renard) (Closes: #539150)
#  * Patch AST-2009-006: Closes: #539473 but breaks IAX2 compatibility. 

package asterisk-dbg asterisk-config asterisk-doc asterisk-dev asterisk asterisk-sounds-main asterisk-h423
tags 541441 + pending
tags 532971 + pending
tags 539150 + pending
tags 539473 + pending





Added tag(s) pending. Request was from Tzafrir Cohen <tzafrir.cohen@xorcom.com> to control@bugs.debian.org. (Sat, 12 Sep 2009 21:48:16 GMT)


Reply sent to Faidon Liambotis <paravoid@debian.org>:
You have taken responsibility. (Sun, 13 Sep 2009 00:24:16 GMT)


Notification sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Bug acknowledged by developer. (Sun, 13 Sep 2009 00:24:16 GMT)


Message #32 received at 541441-close@bugs.debian.org:

From: Faidon Liambotis <paravoid@debian.org>
To: 541441-close@bugs.debian.org
Subject: Bug#541441: fixed in asterisk 1:1.6.2.0~dfsg~rc1-1
Date: Sun, 13 Sep 2009 00:02:26 +0000
Source: asterisk
Source-Version: 1:1.6.2.0~dfsg~rc1-1

We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive:

asterisk-config_1.6.2.0~dfsg~rc1-1_all.deb
  to pool/main/a/asterisk/asterisk-config_1.6.2.0~dfsg~rc1-1_all.deb
asterisk-dbg_1.6.2.0~dfsg~rc1-1_i386.deb
  to pool/main/a/asterisk/asterisk-dbg_1.6.2.0~dfsg~rc1-1_i386.deb
asterisk-dev_1.6.2.0~dfsg~rc1-1_all.deb
  to pool/main/a/asterisk/asterisk-dev_1.6.2.0~dfsg~rc1-1_all.deb
asterisk-doc_1.6.2.0~dfsg~rc1-1_all.deb
  to pool/main/a/asterisk/asterisk-doc_1.6.2.0~dfsg~rc1-1_all.deb
asterisk-h423_1.6.2.0~dfsg~rc1-1_i386.deb
  to pool/main/a/asterisk/asterisk-h423_1.6.2.0~dfsg~rc1-1_i386.deb
asterisk-sounds-main_1.6.2.0~dfsg~rc1-1_all.deb
  to pool/main/a/asterisk/asterisk-sounds-main_1.6.2.0~dfsg~rc1-1_all.deb
asterisk_1.6.2.0~dfsg~rc1-1.diff.gz
  to pool/main/a/asterisk/asterisk_1.6.2.0~dfsg~rc1-1.diff.gz
asterisk_1.6.2.0~dfsg~rc1-1.dsc
  to pool/main/a/asterisk/asterisk_1.6.2.0~dfsg~rc1-1.dsc
asterisk_1.6.2.0~dfsg~rc1-1_i386.deb
  to pool/main/a/asterisk/asterisk_1.6.2.0~dfsg~rc1-1_i386.deb
asterisk_1.6.2.0~dfsg~rc1.orig.tar.gz
  to pool/main/a/asterisk/asterisk_1.6.2.0~dfsg~rc1.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 541441@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Faidon Liambotis <paravoid@debian.org> (supplier of updated asterisk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Sun, 13 Sep 2009 02:22:17 +0300
Source: asterisk
Binary: asterisk asterisk-h423 asterisk-doc asterisk-dev asterisk-dbg asterisk-sounds-main asterisk-config
Architecture: source all i386
Version: 1:1.6.2.0~dfsg~rc1-1
Distribution: unstable
Urgency: low
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Faidon Liambotis <paravoid@debian.org>
Description: 
 asterisk   - Open Source Private Branch Exchange (PBX)
 asterisk-config - Configuration files for Asterisk
 asterisk-dbg - Debugging symbols for Asterisk
 asterisk-dev - Development files for Asterisk
 asterisk-doc - Source code documentation for Asterisk
 asterisk-h423 - H.323 protocol support for Asterisk
 asterisk-sounds-main - Core Sound files for Asterisk (English)
Closes: 532971 539150 539473 541441
Changes: 
 asterisk (1:1.6.2.0~dfsg~rc1-1) unstable; urgency=low
 .
   [ Faidon Liambotis ]
   * New upstream release.
     - Fixes CVE-2009-2726 aka AST-2009-005 (Closes: #541441).
     - Ship CC BY-SA 3.0 licensed music-on-hold sounds, replacing the old
       non-free FreePlay Music that were never distributed by Debian.
     - Removed patches/makefile_appdocs_dtd (merged upstream) and
       patches/disable_moh (obsoleted, see above).
   * Fix FTBFS on armel. (Closes: #532971)
   * Bump Standards-Version to 3.8.3, no changes needed.
   * Provides: asterisk-1.6.2, instead of 1.6.1; there are no ABI guarantees
     between 1.6.x releases.
   * Remove references of Section: comm in individual binary packages as it is
     inherited from the source package.
 .
   [ Tzafrir Cohen ]
   * Patch hardware_dtmf_mute_fix removed: Applied upstream.
   * No need for a separate app_directory_odbc (will use app_voicemail_odbc).
   * Fix name of voicemail 'openssl' dep. (Thomas Renard) (Closes: #539150)
   * Patch AST-2009-006: breaks IAX2 compatibility, note it in NEWS.Debian.
     (Closes: #539473)






Bug Marked as found in versions asterisk/1:1.6.1.0~dfsg-1. Request was from Faidon Liambotis <paravoid@debian.org> to control@bugs.debian.org. (Sat, 07 Nov 2009 09:12:08 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 06 Dec 2009 07:32:12 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:44:34 2019; Machine Name: beach
