Asterisk SIP Dialog History Resource Exhaustion Vulnerability

Vulnerability ID: 1189361 | Vulnerability type: Design error
Published: 2007-08-21 | Updated: 2007-08-31
CVE ID: CVE-2007-4455 | CNNVD-ID: CNNVD-200708-348
Platform: N/A | CVSS score: 5.0
|Vulnerability source
https://www.securityfocus.com/bid/25392
https://cxsecurity.com/issue/WLB-2007080001
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200708-348
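|Vulnerability details
Asterisk is an open-source software PBX that supports a variety of VoIP protocols and devices. Its logging implementation contains a vulnerability that a remote attacker may exploit to make the device unavailable. Regardless of whether recording of SIP dialog history is turned on or off, Asterisk records the history in memory and sets no upper limit on the number of recorded entries, so an attacker can create a SIP dialog that records many entries in the history and exhaust all system memory.
|Vulnerability EXP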
               Asterisk Project Security Advisory - AST-2007-020

   +------------------------------------------------------------------------+
   |      Product       | Asterisk                                          |
   |--------------------+---------------------------------------------------|
   |      Summary       | Resource Exhaustion vulnerability in SIP channel  |
   |                    | driver                                            |
   |--------------------+---------------------------------------------------|
   | Nature of Advisory | Denial of Service                                 |
   |--------------------+---------------------------------------------------|
   |   Susceptibility   | Remote Unauthenticated Sessions                   |
   |--------------------+---------------------------------------------------|
   |      Severity      | Moderate                                          |
   |--------------------+---------------------------------------------------|
   |   Exploits Known   | No                                                |
   |--------------------+---------------------------------------------------|
   |    Reported On     | August 9, 2007                                    |
   |--------------------+---------------------------------------------------|
   |    Reported By     | Jon Moldenauer (bugs.digium.com user              |
   |                    | jmoldenhauer)                                     |
   |--------------------+---------------------------------------------------|
   |     Posted On      | August 21, 2007                                   |
   |--------------------+---------------------------------------------------|
   |  Last Updated On   | August 21, 2007                                   |
   |--------------------+---------------------------------------------------|
   |  Advisory Contact  | Russell Bryant <russell_at_digium.com>            |
   |--------------------+---------------------------------------------------|
   |      CVE Name      | CVE-2007-4455                                     |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Description | The handling of SIP dialog history was broken during the |
   |             | development of Asterisk 1.4. Regardless of whether       |
   |             | recording SIP dialog history is turned on or off, the    |
   |             | history is still recorded in memory. Furthermore, there  |
   |             | is no upper limit on how many history items will be      |
   |             | stored for a given SIP dialog.                           |
   |             |                                                          |
   |             | It is possible for an attacker to use up all of the      |
   |             | system's memory by creating a SIP dialog that records    |
   |             | many entries in the history and never ends. It is also   |
   |             | worth noting for the sake of doing the math to calculate |
   |             | what it would take to exploit this that each SIP history |
   |             | entry will take up a maximum of 88 bytes.                |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Resolution | The fix that has been added to chan_sip is to restore the |
   |            | functionality where SIP dialog history is not recorded in |
   |            | memory if it is not enabled. Furthermore, a maximum of 50 |
   |            | entries in the history will be stored for each dialog     |
   |            | when recording history is turned on.                      |
   |            |                                                           |
   |            | The only way to avoid this problem in affected versions   |
   |            | of Asterisk is to disable chan_sip. If chan_sip is being  |
   |            | used, the system must be upgraded to a version that has   |
   |            | this issue resolved.                                      |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |             Product              |   Release   |                       |
   |                                  |   Series    |                       |
   |----------------------------------+-------------+-----------------------|
   |       Asterisk Open Source       |    1.0.x    | Not affected          |
   |----------------------------------+-------------+-----------------------|
   |       Asterisk Open Source       |    1.2.x    | Not affected          |
   |----------------------------------+-------------+-----------------------|
   |       Asterisk Open Source       |    1.4.x    | All versions prior to |
   |                                  |             | 1.4.11                |
   |----------------------------------+-------------+-----------------------|
   |    Asterisk Business Edition     |    A.x.x    | Not affected          |
   |----------------------------------+-------------+-----------------------|
   |    Asterisk Business Edition     |    B.x.x    | Not affected          |
   |----------------------------------+-------------+-----------------------|
   |           AsteriskNOW            | pre-release | All versions prior to |
   |                                  |             | beta7                 |
   |----------------------------------+-------------+-----------------------|
   | Asterisk Appliance Developer Kit |    0.x.x    | All versions prior to |
   |                                  |             | 0.8.0                 |
   |----------------------------------+-------------+-----------------------|
   |    s800i (Asterisk Appliance)    |    1.0.x    | All versions prior to |
   |                                  |             | 1.0.3                 |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                              Corrected In                              |
   |------------------------------------------------------------------------|
   |    Product    |                        Release                         |
   |---------------+--------------------------------------------------------|
   | Asterisk Open |                 1.4.11, available from                 |
   |    Source     |   http://downloads.digium.com/pub/telephony/asterisk   |
   |---------------+--------------------------------------------------------|
   |  AsteriskNOW  |   Beta7, available from http://www.asterisknow.org/.   |
   |               |   Beta5 and Beta6 users can update using the system    |
   |               |     update feature in the appliance control panel.     |
   |---------------+--------------------------------------------------------|
   |   Asterisk    |                 0.8.0, available from                  |
   |   Appliance   |     http://downloads.digium.com/pub/telephony/aadk     |
   | Developer Kit |                                                        |
   |---------------+--------------------------------------------------------|
   |     s800i     |                         1.0.3                          |
   |   (Asterisk   |                                                        |
   |  Appliance)   |                                                        |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |      Links       | http://bugs.digium.com/view.php?id=10421            |
   |                  |                                                     |
   |                  | http://bugs.digium.com/view.php?id=10418            |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Asterisk Project Security Advisories are posted at                     |
   | http://www.asterisk.org/security.                                      |
   |                                                                        |
   | This document may be superseded by later versions; if so, the latest   |
   | version will be posted at                                              |
   | http://downloads.digium.com/pub/asa/AST-2007-020.pdf and               |
   | http://downloads.digium.com/pub/asa/AST-2007-020.html.                 |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                            Revision History                            |
   |------------------------------------------------------------------------|
   |        Date         |         Editor         |     Revisions Made      |
   |---------------------+------------------------+-------------------------|
   | August 21, 2007     | russell_at_digium.com  | Initial Release         |
   +------------------------------------------------------------------------+

               Asterisk Project Security Advisory - AST-2007-020
              Copyright (c) 2007 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.
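
The resolution described in the advisory above (no in-memory history when recording is off, and at most 50 entries per dialog when it is on), as an added C sketch that is not Asterisk's chan_sip code. The struct and function names, the 80-byte text field and the evict-oldest policy are assumptions made for this illustration; the advisory states only the cap.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>

#define HIST_TEXT_BYTES  80  /* constructed size for this sketch */
#define HIST_MAX_ENTRIES 50  /* per-dialog cap stated in the advisory */

struct hist_entry { struct hist_entry *next; char text[HIST_TEXT_BYTES]; };
struct dialog {              /* hypothetical stand-in for one SIP dialog */
    int record_history;      /* 0 = history off: nothing may be stored */
    size_t entries;
    struct hist_entry *head, *tail;
};

/* Returns 1 if the event was stored, 0 if it was skipped. */
int dialog_append_history(struct dialog *d, const char *fmt, ...)
{
    struct hist_entry *e;
    va_list ap;
    /* Part 1 of the fix: history off means no allocation at all. */
    if (!d->record_history || !(e = calloc(1, sizeof(*e))))
        return 0;
    va_start(ap, fmt);
    vsnprintf(e->text, sizeof(e->text), fmt, ap);  /* truncates long events */
    va_end(ap);
    if (d->entries == HIST_MAX_ENTRIES) {  /* part 2: cap reached, evict oldest */
        struct hist_entry *old = d->head;
        d->head = old->next;
        free(old);
    } else {
        d->entries++;
    }
    if (d->head) d->tail->next = e; else d->head = e;
    d->tail = e;
    return 1;
}

/* A dialog that never ends and logs n events; returns entries retained. */
size_t simulate_long_dialog(struct dialog *d, int n)
{
    for (int i = 0; i < n; i++)
        dialog_append_history(d, "event %d", i);
    return d->entries;
}

int main(void)
{
    struct dialog on = { .record_history = 1 }, off = { 0 };
    printf("on: %zu, off: %zu\n", simulate_long_dialog(&on, 100000), simulate_long_dialog(&off, 100000));
}
```

With the cap in place, per-dialog history memory is bounded by `HIST_MAX_ENTRIES * sizeof(struct hist_entry)` no matter how long the dialog stays open.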
|Affected products
Asterisk s800i Appliance 1.0.2 Asterisk s800i Appliance 1.0.1 Asterisk s800i Appliance 1.0 Asterisk AsteriskNow Beta 6 Asterisk AsteriskNow Beta 5 Asterisk Asterisk Appli
|References

Source: FULLDISC
Name: 20070821 AST-2007-020: Resource Exhaustion Vulnerability in Asterisk SIP channel driver
Link: http://seclists.org/fulldisclosure/2007/Aug/0393.html
Source: downloads.digium.com
Link: http://downloads.digium.com/pub/asa/AST-2007-020.html
Source: XF
Name: asterisk-sip-dialoghistory-dos(36145)
Link: http://xforce.iss.net/xforce/xfdb/36145
Source: SECTRACK
Name: 1018595
Link: http://www.securitytracker.com/id?1018595
Source: BID
Name: 25392
Link: http://www.securityfocus.com/bid/25392
Source: VUPEN
Name: ADV-2007-2953
Link: http://www.frsirt.com/english/advisories/2007/2953
Source: SREASON
Name: 3047
Link: http://securityreason.com/securityalert/3047
Source: SECUNIA
Name: 26553
Link: http://secunia.com/advisories/26553