Asterisk ManagerInterface Manager.Conf Remote Denial of Service Vulnerability

Bugtraq ID:	23649
Class:	Failure to Handle Exceptional Conditions
CVE:	CVE-2007-2294
Remote:	Yes
Local:	No
Published:	Apr 25 2007 12:00AM
Updated:	Aug 28 2007 11:02PM
Credit:	Michael Spruel, Jeremy Lee, and Peter Nguyen of L.A. Fitness International are credited with the discovery of this vulnerability.
Vulnerable:	SuSE Linux 10.1 Debian Linux 3.1 sparc Debian Linux 3.1 s/390 Debian Linux 3.1 ppc Debian Linux 3.1 mipsel Debian Linux 3.1 mips Debian Linux 3.1 m68k Debian Linux 3.1 ia-64 Debian Linux 3.1 ia-32 Debian Linux 3.1 hppa Debian Linux 3.1 arm Debian Linux 3.1 amd64 Debian Linux 3.1 alpha Debian Linux 3.1 Debian Linux 4.0 sparc Debian Linux 4.0 s/390 Debian Linux 4.0 powerpc Debian Linux 4.0 mipsel Debian Linux 4.0 mips Debian Linux 4.0 m68k Debian Linux 4.0 ia-64 Debian Linux 4.0 ia-32 Debian Linux 4.0 hppa Debian Linux 4.0 arm Debian Linux 4.0 amd64 Debian Linux 4.0 alpha Debian Linux 4.0 Asterisk Asterisk Business Edition B.1.3.3 Asterisk Asterisk Business Edition B.1.3.2 Asterisk Asterisk Business Edition A Asterisk Asterisk 1.4.2 Asterisk Asterisk 1.4.1 Asterisk Asterisk 1.2.17 Asterisk Asterisk 1.2.16 Asterisk Asterisk 1.2.15 Asterisk Asterisk 1.2.14 Asterisk Asterisk 1.2.13 Asterisk Asterisk 1.2.11 Asterisk Asterisk 1.2.11 Asterisk Asterisk 1.2.10 Asterisk Asterisk 1.2.9 Asterisk Asterisk 1.2.8 Asterisk Asterisk 1.2.7 Asterisk Asterisk 1.2.6 Asterisk Asterisk 1.2.5 Asterisk Asterisk 1.2 .0-beta2 Asterisk Asterisk 1.2 .0-beta1 Asterisk Asterisk 1.0.12 Asterisk Asterisk 1.0.11 Asterisk Asterisk 1.0.10 Asterisk Asterisk 1.0.9 Asterisk Asterisk 1.0.8 Asterisk Asterisk 1.0.7 Asterisk Asterisk 1.0.6 Asterisk Asterisk 1.0 Asterisk Asterisk 0.3 Asterisk Asterisk 0.2 Asterisk Asterisk 0.1.9 -1 Asterisk Asterisk 0.1.9 Asterisk Asterisk 0.1.8 Asterisk Asterisk 0.1.7 Asterisk Asterisk 1.4 Beta
Not Vulnerable:	Asterisk AsteriskNow Beta 5 Asterisk Asterisk 1.4.3 Asterisk Asterisk 1.2.18 Asterisk Asterisk 0.4

Asterisk ManagerInterface Manager.Conf Remote Denial of Service Vulnerability

Asterisk is prone to a remote denial-of-service vulnerability because the application fails to properly handle exceptional conditions.

Exploiting this issue allows remote attackers to cause the application to crash, effectively denying service to legitimate users.

Asterisk ManagerInterface Manager.Conf Remote Denial of Service Vulnerability

An attacker can exploit this issue by using the Asterisk manager interface.

The following exploit is available:

• /data/vulnerabilities/exploits/23648.txt

Asterisk ManagerInterface Manager.Conf Remote Denial of Service Vulnerability

Solution:
The vendor released updates to address this issue. Please see the references for more information.


Asterisk Asterisk 1.4 Beta

• Asterisk asterisk-1.4.3.tar.gz
  http://ftp.digium.com/pub/asterisk/releases/asterisk-1.4.3.tar.gz

Asterisk Asterisk 1.2 .0-beta1

• Asterisk asterisk-1.2.18.tar.gz
  http://ftp.digium.com/pub/asterisk/releases/asterisk-1.2.18.tar.gz

Asterisk Asterisk 1.2 .0-beta2

• Asterisk asterisk-1.2.18.tar.gz
  http://ftp.digium.com/pub/asterisk/releases/asterisk-1.2.18.tar.gz

Asterisk Asterisk 1.2.10

• Asterisk asterisk-1.2.18.tar.gz
  http://ftp.digium.com/pub/asterisk/releases/asterisk-1.2.18.tar.gz

Asterisk Asterisk 1.2.11

• Asterisk asterisk-1.2.18.tar.gz
  http://ftp.digium.com/pub/asterisk/releases/asterisk-1.2.18.tar.gz

Asterisk Asterisk 1.2.11

• Asterisk asterisk-1.2.18.tar.gz
  http://ftp.digium.com/pub/asterisk/releases/asterisk-1.2.18.tar.gz

Asterisk Asterisk 1.2.13

• Asterisk asterisk-1.2.18.tar.gz
  http://ftp.digium.com/pub/asterisk/releases/asterisk-1.2.18.tar.gz

Asterisk Asterisk 1.2.14

• Asterisk asterisk-1.2.18.tar.gz
  http://ftp.digium.com/pub/asterisk/releases/asterisk-1.2.18.tar.gz

Asterisk Asterisk 1.2.15

• Asterisk asterisk-1.2.18.tar.gz
  http://ftp.digium.com/pub/asterisk/releases/asterisk-1.2.18.tar.gz

Asterisk Asterisk 1.2.16

• Asterisk asterisk-1.2.18.tar.gz
  http://ftp.digium.com/pub/asterisk/releases/asterisk-1.2.18.tar.gz

Asterisk Asterisk 1.2.17

• Asterisk asterisk-1.2.18.tar.gz
  http://ftp.digium.com/pub/asterisk/releases/asterisk-1.2.18.tar.gz

Asterisk Asterisk 1.2.5

• Asterisk asterisk-1.2.18.tar.gz
  http://ftp.digium.com/pub/asterisk/releases/asterisk-1.2.18.tar.gz

Asterisk Asterisk 1.2.6

• Asterisk asterisk-1.2.18.tar.gz
  http://ftp.digium.com/pub/asterisk/releases/asterisk-1.2.18.tar.gz

Asterisk Asterisk 1.2.7

• Asterisk asterisk-1.2.18.tar.gz
  http://ftp.digium.com/pub/asterisk/releases/asterisk-1.2.18.tar.gz

Asterisk Asterisk 1.2.8

• Asterisk asterisk-1.2.18.tar.gz
  http://ftp.digium.com/pub/asterisk/releases/asterisk-1.2.18.tar.gz

Asterisk Asterisk 1.2.9

• Asterisk asterisk-1.2.18.tar.gz
  http://ftp.digium.com/pub/asterisk/releases/asterisk-1.2.18.tar.gz

Asterisk Asterisk 1.4.1

• Asterisk asterisk-1.4.3.tar.gz
  http://ftp.digium.com/pub/asterisk/releases/asterisk-1.4.3.tar.gz

Asterisk Asterisk 1.4.2

• Asterisk asterisk-1.4.3.tar.gz
  http://ftp.digium.com/pub/asterisk/releases/asterisk-1.4.3.tar.gz

Asterisk ManagerInterface Manager.Conf Remote Denial of Service Vulnerability

References:

• Asterisk Homepage (Asterisk)
  
• Asterisk Project Security Advisory - ASA-2007-012 (Asterisk )
  
• ASA-2007-012: Remote Crash Vulnerability in Manager Interface ("Kevin P. Fleming" )