Vulnerability Note VU#228032

Asterisk null pointer dereference remote pre-authentication DoS vulnerability

Overview

Asterisk contains a null pointer dereference vulnerability that may allow a remote, unauthenticated attacker to cause a denial-of-service condition on a vulnerable system.

I. Description

Asterisk is a popular PBX application with VoIP support. Asterisk contains a null pointer dereference vulnerability that can allow a remote, unauthenticated attacker to crash the Asterisk server software with a specially crafted Session Initiation Protocol (SIP) packet (typically udp/5060).

II. Impact

A remote, unauthenticated attacker may be able to cause a denial of service on a vulnerable server.

III. Solution

Apply an update

This issue is addressed in Asterisk versions 1.4.1 and 1.2.16.

Systems Affected

Vendor	Status	Date Notified	Date Updated
Asterisk	Vulnerable	5-Mar-2007

References

http://asterisk.org/node/48320
http://asterisk.org/node/48319
http://secunia.com/advisories/24380/
http://labs.musecurity.com/advisories/MU-200703-01.txt
http://secunia.com/advisories/24427/
http://securitytracker.com/id?1017723
http://www.securityfocus.com/bid/22838

Credit

This vulnerability was reported by the Mu Security research team.

This document was written by Will Dormann.

Other Information

Date Public:	2007-03-04
Date First Published:	2007-03-05
Date Last Updated:	2007-03-19
CERT Advisory:
CVE-ID(s):	CVE-2007-1306
NVD-ID(s):	CVE-2007-1306
US-CERT Technical Alerts:
Metric:	7.85
Document Revision:	12

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Produced 2007 by US-CERT, a government organization
Disclaimers and copyright information

Get Adobe Reader