Asterisk Skinny Channel Driver Remote Denial of Service Vulnerability
BID:25228
Info
| Bugtraq ID: | 25228 |
| Class: | Failure to Handle Exceptional Conditions |
| CVE: | CVE-2007-4280 |
| Remote: | Yes |
| Local: | No |
| Published: | Aug 07 2007 12:00AM |
| Updated: | May 07 2015 05:36PM |
| Credit: | Wei Wang is credited with the discovery of this vulnerability. |
| Vulnerable: | Asterisk s800i Appliance 1.0.2; Asterisk s800i Appliance 1.0.1; Asterisk s800i Appliance 1.0; Asterisk AsteriskNow Beta 6; Asterisk AsteriskNow Beta 5; Asterisk Asterisk Appliance Developer Kit 0.6; Asterisk Asterisk Appliance Developer Kit 0.5; Asterisk Asterisk Appliance Developer Kit 0.4; Asterisk Asterisk Appliance Developer Kit 0.3; Asterisk Asterisk Appliance Developer Kit 0.2; Asterisk Asterisk 1.4.9; Asterisk Asterisk 1.4.8; Asterisk Asterisk 1.4.7; Asterisk Asterisk 1.4.4; Asterisk Asterisk 1.4.3; Asterisk Asterisk 1.4.2; Asterisk Asterisk 1.4.1; Asterisk Asterisk 1.4 Beta |
| Not Vulnerable: | Asterisk s800i Appliance 1.0.3; Asterisk AsteriskNow Beta 7; Asterisk Asterisk Appliance Developer Kit 0.7; Asterisk Asterisk 1.4.10; Asterisk Asterisk 1.2.22; Asterisk Asterisk 1.2.21; Asterisk Asterisk 1.2.19; Asterisk Asterisk 1.2.18; Asterisk Asterisk 1.2.17; Asterisk Asterisk 1.2.16; Asterisk Asterisk 1.2.15; Asterisk Asterisk 1.2.14; Asterisk Asterisk 1.2.13; Asterisk Asterisk 1.2.11; Asterisk Asterisk 1.2.10; Asterisk Asterisk 1.2.9; Asterisk Asterisk 1.2.8; Asterisk Asterisk 1.2.7; Asterisk Asterisk 1.2.6; Asterisk Asterisk 1.2.5; Asterisk Asterisk 1.2.0-beta2; Asterisk Asterisk 1.2.0-beta1; Asterisk Asterisk 1.0.12; Asterisk Asterisk 1.0.11; Asterisk Asterisk 1.0.10; Asterisk Asterisk 1.0.9; Asterisk Asterisk 1.0.8; Asterisk Asterisk 1.0.7; Asterisk Asterisk 1.0.6; Asterisk Asterisk 1.0 |
Discussion
Asterisk is prone to a remote denial-of-service vulnerability because the application fails to properly handle certain specially crafted packets.
Exploiting this issue allows remote attackers to cause the application to crash, effectively denying service to legitimate users.
These versions are vulnerable:
- Asterisk Open Source prior to 1.4.10
- AsteriskNOW pre-release prior to beta7
- Asterisk Appliance Developer Kit prior to 0.7.0
- Asterisk s800i (Asterisk Appliance) prior to 1.0.3
Exploit / POC
To exploit this issue, attackers may use readily available network utilities.
Solution / Fix
Solution:
The vendor released an advisory and fixes to address this issue. Please see the references for more information.
- Asterisk Asterisk 1.4 Beta: Asterisk asterisk-1.4.10.tar.gz, http://downloads.digium.com/pub/telephony/asterisk/asterisk-1.4.10.tar.gz
- Asterisk Asterisk 1.4.1: Asterisk asterisk-1.4.10.tar.gz, http://downloads.digium.com/pub/telephony/asterisk/asterisk-1.4.10.tar.gz
- Asterisk Asterisk 1.4.2: Asterisk asterisk-1.4.10.tar.gz, http://downloads.digium.com/pub/telephony/asterisk/asterisk-1.4.10.tar.gz
- Asterisk Asterisk 1.4.3: Asterisk asterisk-1.4.10.tar.gz, http://downloads.digium.com/pub/telephony/asterisk/asterisk-1.4.10.tar.gz
- Asterisk Asterisk 1.4.4: Asterisk asterisk-1.4.10.tar.gz, http://downloads.digium.com/pub/telephony/asterisk/asterisk-1.4.10.tar.gz
- Asterisk Asterisk 1.4.7: Asterisk asterisk-1.4.10.tar.gz, http://downloads.digium.com/pub/telephony/asterisk/asterisk-1.4.10.tar.gz
- Asterisk Asterisk 1.4.8: Asterisk asterisk-1.4.10.tar.gz, http://downloads.digium.com/pub/telephony/asterisk/asterisk-1.4.10.tar.gz
- Asterisk Asterisk 1.4.9: Asterisk asterisk-1.4.10.tar.gz, http://downloads.digium.com/pub/telephony/asterisk/asterisk-1.4.10.tar.gz
References
References:
- Asterisk Project Security Advisory - ASA-2007-019 (Asterisk)
- Asterisk Security (Asterisk)
- Asterisk@Home Homepage (Asterisk@Home)
- ASA-2007-019: Remote crash vulnerability in Skinny channel driver (Security Response Team)