ISS X-Force Database: nas-addresource-dos(33050): Network Audio System AddResource() denial of service

Network Audio System AddResource() denial of service

nas-addresource-dos (33050)

Low Risk

Description:

Network Audio System is vulnerable to a denial of service, caused by improper validation of user-supplied input by the AddResource() function. By sending a specially-crafted packet with an invalid client ID, a remote attacker could cause the application to crash.

Platforms Affected:

Canonical, Ubuntu 5.10
Canonical, Ubuntu 6.06 LTS
Canonical, Ubuntu 6.10
Debian, Debian Linux 3.1
Gentoo, Linux
MandrakeSoft, Mandrake Linux 2007 X86_64
MandrakeSoft, Mandrake Linux 2007
Network Audio System, Network Audio System 1.8a and prior

Remedy:

Upgrade to the fixed version of Network Audio System, available from the SVN Repository. See References.

For Debian Linux:
Refer to DSA-1273-1 for patch, upgrade, or suggested workaround information. See References.

For Ubuntu Linux:
Refer to USN-446-1 for patch, upgrade, or suggested workaround information. See References.

For Mandriva Linux (nas):
Refer to MDKSA-2007:065 for patch, upgrade, or suggested workaround information. See References.

For Gentoo Linux (NAS):
Refer to GLSA 200704-20 for patch, upgrade, or suggested workaround information. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

Consequences:

Denial of Service

References:

Luigi Auriemma Advisory 18 Mar 2007, Multiple vulnerabilities in NAS 1.8a (svn 231) at http://aluigi.altervista.org/adv/nasbugs-adv.txt.
Network Audio System Web page, Network Audio System at http://www.radscan.com/nas.html#NASOVIEW.
BID-23017: Network Audio System Local Privilege Escalation and Denial of Service Vulnerabilities
CVE-2007-1545: The AddResource function in server/dia/resource.c in Network Audio System (NAS) before 1.8a SVN 237 allows remote attackers to cause a denial of service (server crash) via a nonexistent client ID.
DSA-1273: nas -- several vulnerabilities
GLSA-200704-20: NAS: Multiple vulnerabilities
MDKSA-2007:065: Updated nas packages address multiple vulnerabilities
SA24527: Network Audio System Multiple Vulnerabilities
SECTRACK ID: 1017822: Network Audio System Bugs Let Remote Users Deny Service or Execute Arbitrary Code
USN-446-1: NAS vulnerabilities
VUPEN/ADV-2007-0997: Network Audio System Multiple Memory Corruption and Denial of Service Vulnerabilities

Reported:

Mar 18, 2007

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page