SRTP Video Remote Crash Vulnerability

Home » Asterisk Users » SRTP Video Remote Crash Vulnerability
Asterisk Users 1 Comment

Asterisk Project Security Advisory – AST-2012-001

+————————————————————————+
| Product | Asterisk |
|———————-+————————————————-|
| Summary | SRTP Video Remote Crash Vulnerability |
|———————-+————————————————-|
| Nature of Advisory | Denial of Service |
|———————-+————————————————-|
| Susceptibility | Remote unauthenticated sessions |
|———————-+————————————————-|
| Severity | Moderate |
|———————-+————————————————-|
| Exploits Known | No |
|———————-+————————————————-|
| Reported On | 2012-01-15 |
|———————-+————————————————-|
| Reported By | Catalin Sanda |
|———————-+————————————————-|
| Posted On | 2012-01-19 |
|———————-+————————————————-|
| Last Updated On | January 19, 2012 |
|———————-+————————————————-|
| Advisory Contact | Joshua Colp < jcolp AT digium DOT com > |
|———————-+————————————————-|
| CVE Name | |
+————————————————————————+

+————————————————————————+
| Description | An attacker attempting to negotiate a secure video |
| | stream can crash Asterisk if video support has not been |
| | enabled and the res_srtp Asterisk module is loaded. |
+————————————————————————+

+————————————————————————+
| Resolution | Upgrade to one of the versions of Asterisk listed in the |
| | “Corrected In” section, or apply a patch specified in the |
| | “Patches” section. |
+————————————————————————+

+————————————————————————+
| Affected Versions |
|————————————————————————|
| Product | Release Series | |
|——————————-+—————-+———————–|
| Asterisk Open Source | 1.8.x | All versions |
|——————————-+—————-+———————–|
| Asterisk Open Source | 10.x | All versions |
+————————————————————————+

+————————————————————————+
| Corrected In |
|————————————————————————|
| Product | Release |
|——————————————+—————————–|
| Asterisk Open Source | 1.8.8.2 |
|——————————————+—————————–|
| Asterisk Open Source | 10.0.1 |
+————————————————————————+

+————————————————————————+
| Patches |
|————————————————————————|
| SVN URL |Branch|
|—————————————————————–+——|
|http://downloads.asterisk.org/pub/security/AST-2012-001-1.8.diff |v1.8 |
|—————————————————————–+——|
|http://downloads.asterisk.org/pub/security/AST-2012-001-10.diff |v10 |
+————————————————————————+

+————————————————————————+
| Links | https://issues.asterisk.org/jira/browse/ASTERISK-19202 |
+————————————————————————+

+————————————————————————+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://downloads.digium.com/pub/security/AST-2012-001.pdf and |
| http://downloads.digium.com/pub/security/AST-2012-001.html |
+————————————————————————+

+————————————————————————+
| Revision History |
|————————————————————————|
| Date | Editor | Revisions Made |
|—————–+——————–+———————————|
| 12-01-19 | Joshua Colp | Initial release |
+————————————————————————+

Asterisk Project Security Advisory – AST-2012-001
Copyright (c) 2012 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.

One thought on - SRTP Video Remote Crash Vulnerability