CVE-2007-1594 - Remote Denial of Service vulnerability in Asterisk SIP Channel Driver Response Code Zero
- Attack vector: NETWORK
- Attack complexity: LOW
- Privileges required: NONE
- Confidentiality impact: NONE
- Integrity impact: NONE
- Availability impact: COMPLETE

Summary
The handle_response function in chan_sip.c in Asterisk before 1.2.17 and 1.4.x before 1.4.2 allows remote attackers to cause a denial of service (crash) via a SIP Response code 0 in a SIP packet.
Vulnerable Configurations
Nessus
- NASL family: Gentoo Local Security Checks
- NASL id: GENTOO_GLSA-200704-01.NASL
- description: The remote host is affected by the vulnerability described in GLSA-200704-01 (Asterisk: Two SIP Denial of Service vulnerabilities) The Madynes research team at INRIA has discovered that Asterisk contains a NULL pointer dereferencing error in the SIP channel when handling INVITE messages. Furthermore qwerty1979 discovered that Asterisk 1.2.x fails to properly handle SIP responses with return code 0. Impact : A remote attacker could cause an Asterisk server listening for SIP messages to crash by sending a specially crafted SIP message or answering with a 0 return code. Workaround : There is no known workaround at this time.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 24934
- published: 2007-04-05
- reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/24934
- title: GLSA-200704-01 : Asterisk: Two SIP Denial of Service vulnerabilities
- code:

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 200704-01.
#
# The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike
# license. See http://creativecommons.org/licenses/by-sa/3.0/
#

include("compat.inc");

if (description)
{
  script_id(24934);
  script_version("1.16");
  script_cvs_date("Date: 2019/08/02 13:32:44");

  script_cve_id("CVE-2007-1561", "CVE-2007-1594");
  script_xref(name:"GLSA", value:"200704-01");

  script_name(english:"GLSA-200704-01 : Asterisk: Two SIP Denial of Service vulnerabilities");
  script_summary(english:"Checks for updated package(s) in /var/db/pkg");

  script_set_attribute(
    attribute:"synopsis",
    value: "The remote Gentoo host is missing one or more security-related patches."
  );
  script_set_attribute(
    attribute:"description",
    value: "The remote host is affected by the vulnerability described in GLSA-200704-01 (Asterisk: Two SIP Denial of Service vulnerabilities) The Madynes research team at INRIA has discovered that Asterisk contains a NULL pointer dereferencing error in the SIP channel when handling INVITE messages. Furthermore qwerty1979 discovered that Asterisk 1.2.x fails to properly handle SIP responses with return code 0. Impact : A remote attacker could cause an Asterisk server listening for SIP messages to crash by sending a specially crafted SIP message or answering with a 0 return code. Workaround : There is no known workaround at this time."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security.gentoo.org/glsa/200704-01"
  );
  script_set_attribute(
    attribute:"solution",
    value: "All Asterisk users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose net-misc/asterisk Note: Asterisk 1.0.x is no longer supported upstream so users should consider upgrading to Asterisk 1.2.x."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:asterisk");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
  script_set_attribute(attribute:"patch_publication_date", value:"2007/04/02");
  script_set_attribute(attribute:"plugin_publication_date", value:"2007/04/05");
  script_set_attribute(attribute:"vuln_publication_date", value:"2007/03/21");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
  script_family(english:"Gentoo Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("qpkg.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;

if (qpkg_check(package:"net-misc/asterisk", unaffected:make_list("ge 1.2.14-r2", "rge 1.0.12-r2"), vulnerable:make_list("lt 1.2.14-r2"))) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = qpkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Asterisk");
}
```
- NASL family: SuSE Local Security Checks
- NASL id: SUSE_ASTERISK-3543.NASL
- description: This update fixes multiple bugs that allowed attackers to remotely crash asterisk or cause an information leak (CVE-2007-1561, CVE-2007-1594, CVE-2007-1595, CVE-2007-2297, CVE-2007-2488).
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 27157
- published: 2007-10-17
- reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/27157
- title: openSUSE 10 Security Update : asterisk (asterisk-3543)
- code:

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update asterisk-3543.
#
# The text description of this plugin is (C) SUSE LLC.
#

include("compat.inc");

if (description)
{
  script_id(27157);
  script_version ("1.13");
  script_cvs_date("Date: 2019/10/25 13:36:29");

  script_cve_id("CVE-2007-1561", "CVE-2007-1594", "CVE-2007-1595", "CVE-2007-2297", "CVE-2007-2488");

  script_name(english:"openSUSE 10 Security Update : asterisk (asterisk-3543)");
  script_summary(english:"Check for the asterisk-3543 patch");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote openSUSE host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value: "This update fixes multiple bugs that allowed attackers to remotely crash asterisk or cause an information leak (CVE-2007-1561, CVE-2007-1594, CVE-2007-1595, CVE-2007-2297, CVE-2007-2488)."
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected asterisk package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:asterisk");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:10.1");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:10.2");
  script_set_attribute(attribute:"patch_publication_date", value:"2007/06/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2007/10/17");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE10\.1|SUSE10\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "10.1 / 10.2", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);

flag = 0;

if ( rpm_check(release:"SUSE10.1", reference:"asterisk-1.2.5-12.12") ) flag++;
if ( rpm_check(release:"SUSE10.2", reference:"asterisk-1.2.13-23") ) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "asterisk");
}
```
References
- http://bugs.digium.com/view.php?id=9313
- http://secunia.com/advisories/24579
- http://secunia.com/advisories/24719
- http://secunia.com/advisories/25582
- http://security.gentoo.org/glsa/glsa-200704-01.xml
- http://svn.digium.com/view/asterisk/trunk/channels/chan_sip.c?r1=58907&r2=59038
- http://voipsa.org/pipermail/voipsec_voipsa.org/2007-March/002275.html
- http://www.asterisk.org/node/48338
- http://www.novell.com/linux/security/advisories/2007_34_asterisk.html
- http://www.securityfocus.com/archive/1/463434/100/0/threaded
- http://www.securityfocus.com/bid/23093
- http://www.securitytracker.com/id?1017809
- http://www.sineapps.com/news.php?rssid=1707
- http://www.vupen.com/english/advisories/2007/1077