lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1PzzY1-00079e-94@mail.digium.com>
Date: Wed, 16 Mar 2011 17:50:33 -0500
From: "Asterisk Security Team" <security@...erisk.org>
To: full-disclosure@...ts.grok.org.uk
Subject: AST-2011-003:

   Product            Asterisk                                                
   Summary            Resource exhaustion in Asterisk Manager Interface       
   Nature of Advisory Denial of Service                                       
   Susceptibility     Remote Unauthenticated Sessions if manager interface is 
                      accessible                                              
   Severity           Moderate                                                
   Exploits Known     No                                                      
   Reported On        March 1, 2011                                           
   Reported By        Blake Cornell <blake@...oteorigin.com>
   Posted On          March 16, 2011                                          
   Last Updated On    March 14, 2011                                          
   Advisory Contact   Terry Wilson <twilson@...ium.com>                       

    

               Rapidly opening manager connections, sending invalid data, and 
   Description closing the connection can cause Asterisk to exhaust available 
               CPU and memory resources. The manager interface is disabled by 
               default.                                                       

    

   Resolution Failed writes to manager clients are flagged and the connection 
              closed.                                                         

    

   Affected Versions                 
   Product                           Release Series                           
   Asterisk Open Source              1.6.1.x         All versions             
   Asterisk Open Source              1.6.2.x         All versions             
   Asterisk Open Source              1.8.x           All versions             

    

   Corrected In                     
   Product                          Release                                   
   Asterisk Open Source             1.6.1.23, 1.6.2.17.1, 1.8.3.1             
                                                                              
                                                                              

   Patches                                                             
   URL                                                                 Branch 
   http://downloads.asterisk.org/pub/security/AST-2011-003-1.6.1.diff  1.6.1  
   http://downloads.asterisk.org/pub/security/AST-2011-003-1.6.2.diff  1.6.2  
   http://downloads.asterisk.org/pub/security/AST-2011-003-1.8.diff    1.8    

    

    

   Links                                                                      

    

   Asterisk Project Security Advisories are posted at                         
   http://www.asterisk.org/security                                           
                                                                              
   This document may be superseded by later versions; if so, the latest       
   version will be posted at                                                  
   http://downloads.digium.com/pub/security/AST-2011-003.pdf and              
   http://downloads.digium.com/pub/security/AST-2011-003.html                 

    

   Revision History       
   Date                   Editor                   Revisions Made             
   2011-03-14             Terry Wilson             Initial release            

    

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ