Asterisk SIP channel driver denial of service
asterisk-sip-channeldriver-dos (32830)
Description:
Asterisk is vulnerable to a denial of service caused by a NULL pointer dereference in the SIP channel driver when it handles a malformed request. By sending a specially-crafted SIP packet that lacks the URI and SIP-version to port 5060/UDP, a remote attacker could cause the application to crash. No authentication is required to reach the affected code.
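The defect class named in the description, as an added example that is not part of this X-Force entry and is not Asterisk's source: a C request-line parser in the unchecked style that assumes every token is present, shown beside a hardened parser that refuses a request line missing its URI or SIP-version instead of dereferencing the absent token. The struct, function names and sample request lines are constructed for illustration; Asterisk's actual fix in 1.2.16/1.4.1 is not reproduced here.

```c
#include <stdio.h>
#include <string.h>

/* Constructed illustration, not Asterisk code. A SIP request line is
 * Method SP Request-URI SP SIP-Version CRLF (RFC 3261, section 7.1). */
struct sip_request_line {
    char method[32];
    char uri[256];
    char version[16];
};

enum sip_parse_result {
    SIP_OK = 0,
    SIP_ERR_NO_METHOD,
    SIP_ERR_NO_URI,
    SIP_ERR_NO_VERSION,
    SIP_ERR_BAD_VERSION,
    SIP_ERR_TOKEN_TOO_LONG
};

/* The defect class behind this entry, kept only for comparison and never
 * called: each strchr() assumes the previous token exists, so a request line
 * such as "REGISTER\r\n" yields uri == NULL and the next call dereferences
 * NULL + 1, which is the crash the advisory describes. */
const char *unchecked_version(const char *line)
{
    const char *uri = strchr(line, ' ');        /* NULL when no URI follows */
    const char *version = strchr(uri + 1, ' '); /* NULL pointer dereferenced */
    return version + 1;
}

/* Copy the next whitespace-delimited token into dst. Returns its length,
 * 0 when no further token exists, or -1 when the token does not fit
 * (oversized tokens are rejected rather than silently truncated). */
static int next_token(const char **cursor, char *dst, size_t dstlen)
{
    const char *s = *cursor;
    size_t n;

    while (*s == ' ' || *s == '\t')
        s++;
    n = strcspn(s, " \t\r\n");
    if (n == 0)
        return 0;
    if (n >= dstlen)
        return -1;
    memcpy(dst, s, n);
    dst[n] = '\0';
    *cursor = s + n;
    return (int)n;
}

/* Hardened parser: each token is checked for presence before anything
 * downstream relies on it, so a truncated line is reported as malformed. */
enum sip_parse_result parse_request_line(const char *line,
                                         struct sip_request_line *out)
{
    const char *p = line;
    int n;

    memset(out, 0, sizeof *out);
    if ((n = next_token(&p, out->method, sizeof out->method)) <= 0)
        return n == 0 ? SIP_ERR_NO_METHOD : SIP_ERR_TOKEN_TOO_LONG;
    if ((n = next_token(&p, out->uri, sizeof out->uri)) <= 0)
        return n == 0 ? SIP_ERR_NO_URI : SIP_ERR_TOKEN_TOO_LONG;
    if ((n = next_token(&p, out->version, sizeof out->version)) <= 0)
        return n == 0 ? SIP_ERR_NO_VERSION : SIP_ERR_TOKEN_TOO_LONG;
    if (strncmp(out->version, "SIP/", 4) != 0)
        return SIP_ERR_BAD_VERSION;
    return SIP_OK;
}

/* Verdict only, for a single request line. */
int classify_request_line(const char *line)
{
    struct sip_request_line req;
    return (int)parse_request_line(line, &req);
}

/* Constructed sample traffic: one well-formed REGISTER, then request lines
 * truncated the way the CVE text describes (no URI, no SIP-version), one
 * with a non-SIP version token, and an empty line. */
static const char *const samples[] = {
    "REGISTER sip:pbx.example.net SIP/2.0\r\n",
    "REGISTER\r\n",
    "REGISTER sip:pbx.example.net\r\n",
    "INVITE sip:alice@pbx.example.net HTTP/1.1\r\n",
    "\r\n",
};

/* Runs the hardened parser over the samples; returns how many it rejected. */
int count_rejected(void)
{
    int rejected = 0;
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        if (classify_request_line(samples[i]) != SIP_OK)
            rejected++;
    return rejected;
}

int main(void)
{
    static const char *const names[] = { "ok", "no-method", "no-uri",
        "no-version", "bad-version", "token-too-long" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-44.*s -> %s\n", (int)strcspn(samples[i], "\r\n"),
               samples[i], names[classify_request_line(samples[i])]);
    printf("%d of %zu request lines rejected\n", count_rejected(),
           sizeof samples / sizeof samples[0]);
    return 0;
}
```

The same pattern applies to any line-oriented protocol parser exposed pre-authentication: a token pointer is only safe to pass to strchr(), strcmp() or a copy routine after the parser has confirmed the token exists, and the sensible response to a missing token is to drop the packet, not to attempt to reconstruct the request.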
Platforms Affected:
- Debian, Debian Linux 3.1
- Debian, Debian Linux 4.0
- Digium, Asterisk Open Source 1.2.x
- Digium, Asterisk Open Source 1.4.x
- Gentoo, Linux
- Novell, OpenSUSE 10.2
- SuSE, SuSE SLES 9
Remedy:
Upgrade to Asterisk 1.2.16 or 1.4.1 (or a later release of the respective branch), available from the Asterisk Web site. See References.
For Gentoo Linux:
Refer to Gentoo Linux Security Announcement GLSA 200703-14 for patch, upgrade, or suggested workaround information. See References.
For Debian/GNU Linux:
Refer to DSA-1358-1 for patch, upgrade, or suggested workaround information. See References.
For other distributions:
Contact your vendor for upgrade or patch information.
Consequences:
Denial of Service
References:
- Asterisk Web site, Asterisk 1.2.16 Released at http://asterisk.org/node/48319.
- Asterisk Web site, Asterisk 1.4.1 Released at http://asterisk.org/node/48320.
- BID-22838: Asterisk SIP Channel Driver Remote Denial of Service Vulnerability
- CVE-2007-1306: Asterisk 1.4 before 1.4.1 and 1.2 before 1.2.16 allows remote attackers to cause a denial of service (crash) by sending a Session Initiation Protocol (SIP) packet without a URI and SIP-version header, which results in a NULL pointer dereference.
- DSA-1358: asterisk -- several vulnerabilities
- FrSIRT/ADV-2007-0830: Asterisk SIP Channel Driver Request Handling Remote Denial of Service Vulnerability
- GLSA-200703-14: Asterisk: SIP Denial of Service
- OSVDB ID: 33888: Asterisk Malformed SIP Register Packet Remote DoS
- SA24380: Asterisk SIP Message Handling Denial of Service
- SA24427: EasyVoxBox Asterisk SIP Message Handling Denial of Service
- SECTRACK ID: 1017723: Asterisk SIP Channel Driver Bug Lets Remote Users Deny Service
- SUSE-SA:2007:034: Asterisk security update
- US-CERT VU#228032: Asterisk null pointer dereference remote pre-authentication DoS vulnerability
Reported:
Mar 03, 2007
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.
For corrections or additions please email xforce@iss.net
