SecurityTracker.com
Category:   Application (VoIP)  >   Asterisk
Vendors:   Digium (Linux Support Services)
Asterisk IMAP Voicemail Storage Bug Lets Remote Users Deny Service
SecurityTracker Alert ID:  1018606
SecurityTracker URL:  http://securitytracker.com/id/1018606
CVE Reference:   CVE-2007-4521
Updated:  Mar 26 2008
Original Entry Date:  Aug 25 2007
Impact:   Denial of service via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 1.4.11 and prior
Description:   A vulnerability was reported in Asterisk. A remote user can cause denial of service conditions.

When Asterisk uses IMAP as the backend storage for voicemail, a remote user can send an e-mail message with a specially crafted MIME body. When the target user listens to their voicemail using the phone, Asterisk will crash.

Other voicemail storage options are not affected. Checking of voicemail via e-mail is also not affected.

Kevin Stewart reported this vulnerability.

Impact:   A remote user can cause Asterisk to crash.
Solution:   A patch is available at:

http://lists.digium.com/pipermail/asterisk-commits/2007-August/015743.html

The vendor plans to issue a fix in the upcoming 1.4.12 release.

The Asterisk advisory is available at:

http://downloads.digium.com/pub/asa/AST-2007-021.html

Vendor URL:  downloads.digium.com/pub/asa/AST-2007-021.html
Cause:   Exception handling error
Underlying OS:  Linux (Any), UNIX (AIX)

Message History:   None.


 Source Message Contents

Subject:  [Full-disclosure] AST-2007-021: Crash from invalid/corrupted MIME

+-----------------------------------------------------------------------------------+
|                                   Corrected In                                    |
|-----------------------------------------------------------------------------------|
|Product |                                 Release                                  |
|--------+--------------------------------------------------------------------------|
|Asterisk|             1.4.12 (not released), patch can be found here:              |
|  Open  |http://lists.digium.com/pipermail/asterisk-commits/2007-August/015743.html|
| Source |                                                                          |
|--------+--------------------------------------------------------------------------|
+-----------------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |      Links       | http://bugs.digium.com/view.php?id=10544            |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Asterisk Project Security Advisories are posted at                     |
   | http://www.asterisk.org/security.                                      |
   |                                                                        |
   | This document may be superseded by later versions; if so, the latest   |
   | version will be posted at                                              |
   | http://downloads.digium.com/pub/asa/AST-2007-021.pdf and               |
   | http://downloads.digium.com/pub/asa/AST-2007-021.html.                 |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                            Revision History                            |
   |------------------------------------------------------------------------|
   |         Date         |       Editor        |      Revisions Made       |
   |----------------------+---------------------+---------------------------|
   | August 24, 2007      | Mark Michelson      | Initial Release           |
   +------------------------------------------------------------------------+

               Asterisk Project Security Advisory - AST-2007-021
              Copyright (c) 2007 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

