Asterisk Buffer Overflow in Processing RTP Codec Payload Lets Remote Users Execute Arbitrary Code
|
|
SecurityTracker Alert ID: 1019628
|
|
SecurityTracker URL: http://securitytracker.com/id?1019628
|
|
CVE Reference: CVE-2008-1289
(Links to External Site)
|
Date: Mar 18 2008
|
Impact: Execution of arbitrary code via network, User access via network
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Version(s): prior to 1.6.0-beta6
|
Description: A vulnerability was reported in Asterisk in the processing of RTP payloads. A remote user can execute arbitrary code on the target system.
A remote user can send a specially crafted RTP payload number or send more than 32 RTP payloads to trigger a buffer overflow and
execute arbitrary code on the target system. The code will run with the privileges of the target service.
The vendor was notified
on March 11, 2008.
Mu Security Research Team reported this vulnerability.
|
Impact: A remote user can execute arbitrary code on the target system.
|
Solution: The vendor has issued a fix (1.4.18.1, 1.4.19-rc3, and 1.6.0-beta6), available at:
http://downloads.digium.com/pub/telephony/asterisk
The vendor's advisory is available at:
http://downloads.digium.com/pub/security/AST-2008-002.html
|
Vendor URL: downloads.digium.com/pub/security/AST-2008-002.html (Links to External Site)
|
Cause: Boundary error
|
Underlying OS: Linux (Any), UNIX (Any)
|
|
Message History:
None.
|
Source Message Contents
|
Date: Tue, 18 Mar 2008 14:39:31 -0500
Subject: Asterisk Project Security Advisory - AST-2008-002
|
http://downloads.digium.com/pub/security/AST-2008-002.html
|
|
