Vigil@nce: Asterisk, denial of service via IAX2
December 2008 by Vigil@nce
An attacker can stop Asterix during the IAX2 authentication.
– Gravity: 2/4
– Consequences: denial of service of service
– Provenance: internet client
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 11/12/2008
IMPACTED PRODUCTS
– Unix - plateform
DESCRIPTION
The Asterisk product implements the IAX2 protocol (Inter-Asterisk
Exchange version 2) to transmit streaming over IP.
Asterisk can be configured with realtime users. In this case, the
realtime_peer() function of the channels/chan_iax2.c file calls
ast_load_realtime(). However, a parameter is missing. Indeed,
ast_load_realtime() is defined with the following prototype:
ast_load_realtime(const char * family, ...);
The compiler thus does not detect if a parameter is missing. When
ast_load_realtime() uses this parameter (which is a pointer),
Asterisk stops.
This error occurs when the user tries to authenticate:
– if his username is unknown
– if he uses a filter on the hostname
An attacker can therefore create a denial of service in Asterisk
during the IAX2 authentication.
CHARACTERISTICS
– Identifiers: AST-2008-012, BID-32773, VIGILANCE-VUL-8325
– Url: http://vigilance.fr/vulnerability/8325