SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (VoIP)  >   Asterisk Vendors:   Digium (Linux Support Services)
Asterisk Lets Remote Users Exhaust All Available File Descriptors
SecurityTracker Alert ID:  1025432
SecurityTracker URL:  http://securitytracker.com/id/1025432
CVE Reference:   CVE-2011-1507   (Links to External Site)
Updated:  Apr 21 2011
Original Entry Date:  Apr 21 2011
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): prior to versions 1.4.40.1, 1.6.1.25, 1.6.2.17.3, 1.8.3.3
Description:   A vulnerability was reported in Asterisk. A remote user can cause denial of service conditions.

A remote user can open a large number of connections to cause Asterisk to consume all available file descriptors and stop processing new calls.

Systems that have the Asterisk Manager Interface, Skinny, SIP over TCP, or the built in HTTP server enabled are affected.

Tzafrir Cohen reported this vulnerability.

Impact:   A remote user can cause the target system to stop processing new calls.
Solution:   The vendor has issued a fix (1.4.40.1, 1.6.1.25, 1.6.2.17.3, 1.8.3.3).

The vendor's advisory is available at:

http://downloads.asterisk.org/pub/security/AST-2011-005.html

Vendor URL:  downloads.asterisk.org/pub/security/AST-2011-005.html (Links to External Site)
Cause:   Resource error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  [Full-disclosure] AST-2011-005: File Descriptor Resource Exhaustion

               Asterisk Project Security Advisory - AST-2011-005

        Product       Asterisk                                                
        Summary       File Descriptor Resource Exhaustion                     
   Nature of Advisory Denial of Service                                       
     Susceptibility   Remote Unauthenticated TCP Based Sessions (TCP SIP,     
                      Skinny, Asterisk Manager Interface, and HTTP sessions)  
        Severity      Moderate                                                
     Exploits Known   Yes                                                     
      Reported On     March 18, 2011                                          
      Reported By     Tzafrir Cohen < tzafrir.cohen AT xorcom DOT com >       
       Posted On      April 21, 2011                                          
    Last Updated On   April 21, 2011                                          
    Advisory Contact  Matthew Nicholson <mnicholson@digium.com>               
        CVE Name      CVE-2011-1507                                           

   Description On systems that have the Asterisk Manager Interface, Skinny,   
               SIP over TCP, or the built in HTTP server enabled, it is       
               possible for an attacker to open as many connections to        
               asterisk as he wishes. This will cause Asterisk to run out of  
               available file descriptors and stop processing any new calls.  
               Additionally, disk space can be exhausted as Asterisk logs     
               failures to open new file descriptors.                         

   Resolution Asterisk can now limit the number of unauthenticated            
              connections to each vulnerable interface and can also limit the 
              time unauthenticated clients will remain connected for some     
              interfaces. This will prevent vulnerable interfaces from using  
              up all available file descriptors. Care should be taken when    
              setting the connection limits so that the combined total of     
              allowed unauthenticated sessions from each service is not more  
              than the file descriptor limit for the Asterisk process. The    
              file descriptor limit can be checked (and set) using the        
              "ulimit -n" command for the process' limit and the              
              "/proc/sys/fs/file-max" file (on Linux) for the system's limit. 
                                                                              
              It will still be possible for an attacker to deny service to    
              each of the vulnerable services individually. To mitigate this  
              risk, vulnerable services should be run behind a firewall that  
              can detect and prevent DoS attacks.                             
                                                                              
              In addition to using a firewall to filter traffic, vulnerable   
              systems can be protected by disabling the vulnerable services   
              in their respective configuration files.                        

                               Affected Versions
                Product              Release Series 
         Asterisk Open Source            1.4.x      All versions              
         Asterisk Open Source           1.6.1.x     All versions              
         Asterisk Open Source           1.6.2.x     All versions              
         Asterisk Open Source            1.8.x      All versions              
       Asterisk Business Edition         C.x.x      All versions              

                                  Corrected In
              Product                               Release                   
        Asterisk Open Source        1.4.40.1, 1.6.1.25, 1.6.2.17.3, 1.8.3.3   
     Asterisk Business Edition                      C.3.6.4                   

                                    Patches                            
                                   URL                                 Branch 
   http://downloads.asterisk.org/pub/security/AST-2011-005-1.4.diff    1.4    
   http://downloads.asterisk.org/pub/security/AST-2011-005-1.6.1.diff  1.6.1  
   http://downloads.asterisk.org/pub/security/AST-2011-005-1.6.2.diff  1.6.2  
   http://downloads.asterisk.org/pub/security/AST-2011-005-1.8.diff    1.8    

   Asterisk Project Security Advisories are posted at                         
   http://www.asterisk.org/security                                           
                                                                              
   This document may be superseded by later versions; if so, the latest       
   version will be posted at                                                  
   http://downloads.digium.com/pub/security/AST-2011-005.pdf and              
   http://downloads.digium.com/pub/security/AST-2011-005.html                 

                                Revision History
          Date                 Editor                  Revisions Made         
   04/21/11           Matthew Nicholson        Initial version                

               Asterisk Project Security Advisory - AST-2011-005
              Copyright (c) 2011 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC