[VOIPSEC] ASA-2007-019: Remote crash vulnerability in Skinnychannel driver
Zmolek, Andrew (Andy)
zmolek at avaya.com
Fri Aug 10 14:33:51 CDT 2007
I can't help but notice that the Asterisk Project has recently adopted
(apparently since April) the same advisory numbering scheme that Avaya
has been using for over 4 years (since ASA-2003-005 in July 2003),
namely ASA-YYYY-NNN (the difference being that we call one an "Avaya
Security Advisory" rather than an "Asterisk Project Security Advisory")
and I'd like to suggest here that it's a bad idea for both organizations
to use the ASA-YYYY-NNN numbering scheme given the likely potential for
confusion when customers and other stakeholders search on a specific
advisory.
The full list of Avaya Security Advisories from 2000 onward (along with
notification options, policies, etc.) can be found here:
http://support.avaya.com/security - and they are already widely
referenced by the ASA-YYYY-NNN designation by many organizations
globally.
Is there any reason why Asterisk Project Security Advisories can't use
APSA-YYYY-NNN or some other non-overlapping numbering scheme instead?
/\\//\Y/\ Andy Zmolek | zmolek at avaya.com | 303-538-6040
Senior Manager, Security Planning and Strategy
GCS Security Technology Development | Avaya, Inc.
-----Original Message-----
From: voipsec-bounces at voipsa.org [mailto:voipsec-bounces at voipsa.org] On
Behalf Of Security Response Team
Sent: Tuesday, August 07, 2007 4:07 PM
To: voipsec at voipsa.org
Subject: [VOIPSEC] ASA-2007-019: Remote crash vulnerability in Skinny channel driver
Asterisk Project Security Advisory - ASA-2007-019

+--------------------+----------------------------------------------------------+
| Product            | Asterisk                                                 |
|--------------------+----------------------------------------------------------|
| Summary            | Remote crash vulnerability in Skinny channel driver      |
|--------------------+----------------------------------------------------------|
| Nature of Advisory | Denial of Service                                        |
|--------------------+----------------------------------------------------------|
| Susceptibility     | Remote Authenticated Sessions                            |
|--------------------+----------------------------------------------------------|
| Severity           | Moderate                                                 |
|--------------------+----------------------------------------------------------|
| Exploits Known     | No                                                       |
|--------------------+----------------------------------------------------------|
| Reported On        | August 7, 2007                                           |
|--------------------+----------------------------------------------------------|
| Reported By        | Wei Wang of McAfee AVERT Labs                            |
|--------------------+----------------------------------------------------------|
| Posted On          | August 7, 2007                                           |
|--------------------+----------------------------------------------------------|
| Last Updated On    | August 7, 2007                                           |
|--------------------+----------------------------------------------------------|
| Advisory Contact   | Jason Parker <jparker at digium.com>                     |
|--------------------+----------------------------------------------------------|
| CVE Name           |                                                          |
+--------------------+----------------------------------------------------------+

+--------------------+----------------------------------------------------------+
| Description        | The Asterisk Skinny channel driver, chan_skinny, has a   |
|                    | remotely exploitable crash vulnerability. A segfault can |
|                    | occur when Asterisk receives a                           |
|                    | "CAPABILITIES_RES_MESSAGE" packet where the capabilities |
|                    | count is greater than the total number of items in the   |
|                    | capabilities_res_message array. Note that this requires  |
|                    | an authenticated session.                                |
+--------------------+----------------------------------------------------------+

+--------------------+----------------------------------------------------------+
| Resolution         | Asterisk code has been modified to limit the incoming    |
|                    | capabilities count.                                      |
|                    |                                                          |
|                    | Users with configured Skinny devices should upgrade to   |
|                    | the appropriate version listed in the Corrected In       |
|                    | section of this advisory.                                |
+--------------------+----------------------------------------------------------+

+-------------------------------------------------------------------------------+
| Affected Versions                                                             |
|-------------------------------------------------------------------------------|
| Product                          | Release     |                              |
|                                  | Series      |                              |
|----------------------------------+-------------+------------------------------|
| Asterisk Open Source             | 1.0.x       | Not affected                 |
|----------------------------------+-------------+------------------------------|
| Asterisk Open Source             | 1.2.x       | Not affected                 |
|----------------------------------+-------------+------------------------------|
| Asterisk Open Source             | 1.4.x       | All versions prior to 1.4.10 |
|----------------------------------+-------------+------------------------------|
| Asterisk Business Edition        | A.x.x       | Not affected                 |
|----------------------------------+-------------+------------------------------|
| Asterisk Business Edition        | B.x.x       | Not affected                 |
|----------------------------------+-------------+------------------------------|
| AsteriskNOW                      | pre-release | All versions prior to beta7  |
|----------------------------------+-------------+------------------------------|
| Asterisk Appliance Developer Kit | 0.x.x       | All versions prior to 0.7.0  |
|----------------------------------+-------------+------------------------------|
| s800i (Asterisk Appliance)       | 1.0.x       | All versions prior to 1.0.3  |
+-------------------------------------------------------------------------------+

+-------------------------------------------------------------------------------+
| Corrected In                                                                  |
|-------------------------------------------------------------------------------|
| Product       | Release                                                       |
|---------------+---------------------------------------------------------------|
| Asterisk Open | 1.4.10, available from                                        |
| Source        | http://downloads.digium.com/pub/telephony/asterisk            |
|---------------+---------------------------------------------------------------|
| AsteriskNOW   | Beta7, available from http://www.asterisknow.org/.            |
|               | Beta5 and Beta6 users can update using the system             |
|               | update feature in the appliance control panel.                |
|---------------+---------------------------------------------------------------|
| Asterisk      | 0.7.0, available from                                         |
| Appliance     | http://downloads.digium.com/pub/telephony/aadk                |
| Developer Kit |                                                               |
|---------------+---------------------------------------------------------------|
| s800i         | 1.0.3                                                         |
| (Asterisk     |                                                               |
| Appliance)    |                                                               |
+-------------------------------------------------------------------------------+

+-------------------------------------------------------------------------------+
| Links                                                                         |
+-------------------------------------------------------------------------------+

+-------------------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at                            |
| http://www.asterisk.org/security.                                             |
|                                                                               |
| This document may be superseded by later versions; if so, the latest          |
| version will be posted at                                                     |
| http://downloads.digium.com/pub/asa/ASA-2007-019.pdf and                      |
| http://downloads.digium.com/pub/asa/ASA-2007-019.html.                        |
+-------------------------------------------------------------------------------+

+-------------------------------------------------------------------------------+
| Revision History                                                              |
|-------------------------------------------------------------------------------|
| Date               | Editor                 | Revisions Made                  |
|--------------------+------------------------+---------------------------------|
| August 7, 2007     | jparker at digium.com  | Initial Release                 |
+-------------------------------------------------------------------------------+

Asterisk Project Security Advisory - ASA-2007-019
Copyright (c) 2007 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
_______________________________________________
Voipsec mailing list
Voipsec at voipsa.org
http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
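The advisory's description comes down to a count field read off the wire being used to walk a fixed-size array, and its resolution to bounding that count. The following parser for a CAPABILITIES_RES-style message is an added illustration of that fix and is not Asterisk's chan_skinny code, nor anything from Digium or the advisory: the struct layout, the MAX_CAPS limit of 18, the little-endian encoding and every function and field name are assumptions made for this example. It rejects a count larger than the array and a count larger than the bytes actually received, and includes a small builder so the parser can be exercised against well-formed and malformed bodies offline.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the bug class in ASA-2007-019: a count taken
 * from the wire is used to index a fixed-size array.  This is NOT Asterisk's
 * chan_skinny source; the layout, MAX_CAPS and every name here are assumed. */
#define MAX_CAPS 18                    /* assumed array size, for illustration */

struct capability {
    uint32_t codec;
    uint32_t max_frames_per_packet;
};

struct caps_res_message {
    uint32_t count;                    /* number of entries the peer claims follow */
    struct capability caps[MAX_CAPS];  /* fixed-size storage for those entries */
};

enum caps_status {
    CAPS_OK = 0,
    CAPS_ERR_SHORT = -1,               /* body too short for the claimed count */
    CAPS_ERR_COUNT = -2                /* count > MAX_CAPS: would walk past caps[] */
};

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32le(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xff;         p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Parse a little-endian body: a 4-byte count followed by count * 8 bytes of
 * entries.  The unsafe pattern the advisory describes is to copy the body
 * over the struct and loop `for (i = 0; i < msg.count; i++)` over caps[i],
 * which with count > MAX_CAPS touches memory beyond the array.  Here the
 * count is bounded by the array size AND by the bytes actually received
 * before any element is read. */
enum caps_status parse_caps_res(const uint8_t *buf, size_t len,
                                struct caps_res_message *out)
{
    if (len < 4)
        return CAPS_ERR_SHORT;
    uint32_t count = rd32le(buf);
    if (count > MAX_CAPS)              /* the fix: limit the incoming count */
        return CAPS_ERR_COUNT;
    size_t need = 4 + (size_t)count * 8;
    if (len < need)                    /* never trust count over real length */
        return CAPS_ERR_SHORT;
    memset(out, 0, sizeof *out);
    out->count = count;
    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *e = buf + 4 + (size_t)i * 8;
        out->caps[i].codec = rd32le(e);
        out->caps[i].max_frames_per_packet = rd32le(e + 4);
    }
    return CAPS_OK;
}

/* Build a constructed test body whose header claims `claimed` entries while
 * `present` entries are really there; returns bytes written, 0 if no room. */
size_t build_caps_body(uint8_t *buf, size_t cap, uint32_t claimed, uint32_t present)
{
    size_t need = 4 + (size_t)present * 8;
    if (cap < need)
        return 0;
    wr32le(buf, claimed);
    for (uint32_t i = 0; i < present; i++) {
        wr32le(buf + 4 + (size_t)i * 8, 4 + i);   /* constructed codec id */
        wr32le(buf + 8 + (size_t)i * 8, 20);      /* constructed frame count */
    }
    return need;
}

/* Build-then-parse helper so each scenario is a single call. */
enum caps_status try_parse(uint32_t claimed, uint32_t present,
                           struct caps_res_message *out)
{
    uint8_t buf[4 + MAX_CAPS * 8];
    size_t n = build_caps_body(buf, sizeof buf, claimed, present);
    if (n == 0)
        return CAPS_ERR_SHORT;
    return parse_caps_res(buf, n, out);
}

int main(void)
{
    struct caps_res_message m;
    printf("well-formed (2 of 2):       %d\n", try_parse(2, 2, &m));
    printf("oversized count (19 of 18): %d\n", try_parse(MAX_CAPS + 1, MAX_CAPS, &m));
    printf("truncated body (3 of 2):    %d\n", try_parse(3, 2, &m));
    return 0;
}
```

Checking the count against the received length as well as against the array size matters because a peer can lie in either direction: a count that fits the array but exceeds the datagram would otherwise read past the receive buffer rather than past the struct, and a parser that only clamps to MAX_CAPS still misses that case.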