Vulnerabilities > CVE-2007-3763 - Remote Denial of Service vulnerability in Asterisk

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
low complexity
asterisk
nessus

Summary

The IAX2 channel driver (chan_iax2) in Asterisk before 1.2.22 and 1.4.x before 1.4.8, Business Edition before B.2.2.1, AsteriskNOW before beta7, Appliance Developer Kit before 0.5.0, and s800i before 1.0.2 allows remote attackers to cause a denial of service (crash) via a crafted (1) LAGRQ or (2) LAGRP frame that contains information elements of IAX frames, which results in a NULL pointer dereference when Asterisk does not properly set an associated variable.

Nessus

  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-200802-11.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-200802-11 (Asterisk: Multiple vulnerabilities) Multiple vulnerabilities have been found in Asterisk: Russel Bryant reported a stack-based buffer overflow in the IAX2 channel driver (chan_iax2) when bridging calls between chan_iax2 and any channel driver that uses RTP for media (CVE-2007-3762). Chris Clark and Zane Lackey (iSEC Partners) reported a NULL pointer dereference in the IAX2 channel driver (chan_iax2) (CVE-2007-3763). Will Drewry (Google Security) reported a vulnerability in the Skinny channel driver (chan_skinny), resulting in an overly large memcpy (CVE-2007-3764). Will Drewry (Google Security) reported a vulnerability in the IAX2 channel driver (chan_iax2), that does not correctly handle unauthenticated transactions using a 3-way handshake (CVE-2007-4103). Impact : By sending a long voice or video RTP frame, a remote attacker could possibly execute arbitrary code on the target machine. Sending specially crafted LAGRQ or LAGRP frames containing information elements of IAX frames, or a certain data length value in a crafted packet, or performing a flood of calls not completing a 3-way handshake, could result in a Denial of Service. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id31294
    published2008-02-27
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/31294
    titleGLSA-200802-11 : Asterisk: Multiple vulnerabilities
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 200802-11.
    #
    # The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(31294);
      script_version("1.16");
      script_cvs_date("Date: 2019/08/02 13:32:44");
    
      script_cve_id("CVE-2007-3762", "CVE-2007-3763", "CVE-2007-3764", "CVE-2007-4103");
      script_xref(name:"GLSA", value:"200802-11");
    
      script_name(english:"GLSA-200802-11 : Asterisk: Multiple vulnerabilities");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-200802-11
    (Asterisk: Multiple vulnerabilities)
    
        Multiple vulnerabilities have been found in Asterisk:
        Russel Bryant reported a stack-based buffer overflow in the IAX2 channel
        driver (chan_iax2) when bridging calls between chan_iax2 and any
        channel driver that uses RTP for media (CVE-2007-3762).
        Chris
        Clark and Zane Lackey (iSEC Partners) reported a NULL pointer
        dereference in the IAX2 channel driver (chan_iax2)
        (CVE-2007-3763).
        Will Drewry (Google Security) reported a
        vulnerability in the Skinny channel driver (chan_skinny), resulting in
        an overly large memcpy (CVE-2007-3764).
        Will Drewry (Google
        Security) reported a vulnerability in the IAX2 channel driver
        (chan_iax2), that does not correctly handle unauthenticated
        transactions using a 3-way handshake (CVE-2007-4103).
      
    Impact :
    
        By sending a long voice or video RTP frame, a remote attacker could
        possibly execute arbitrary code on the target machine. Sending
        specially crafted LAGRQ or LAGRP frames containing information elements
        of IAX frames, or a certain data length value in a crafted packet, or
        performing a flood of calls not completing a 3-way handshake, could
        result in a Denial of Service.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/200802-11"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All Asterisk users should upgrade to the latest version:
        # emerge --sync
        # emerge --ask --oneshot --verbose '>=net-misc/asterisk-1.2.17-r1'"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:asterisk");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2008/02/26");
      script_set_attribute(attribute:"plugin_publication_date", value:"2008/02/27");
      script_set_attribute(attribute:"vuln_publication_date", value:"2007/07/17");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"net-misc/asterisk", unaffected:make_list("rge 1.2.17-r1", "ge 1.2.21.1-r1"), vulnerable:make_list("lt 1.2.21.1-r1"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Asterisk");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_ASTERISK-3977.NASL
    descriptionThis update fixes multiple bugs in asterisk that allowed remote attackers to crash the asterisk server or even execute arbitrary code (CVE-2007-3762, CVE-2007-3763, CVE-2007-3764).
    last seen2020-06-01
    modified2020-06-02
    plugin id27158
    published2007-10-17
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/27158
    titleopenSUSE 10 Security Update : asterisk (asterisk-3977)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update asterisk-3977.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(27158);
      script_version ("1.13");
      script_cvs_date("Date: 2019/10/25 13:36:29");
    
      script_cve_id("CVE-2007-3762", "CVE-2007-3763", "CVE-2007-3764");
    
      script_name(english:"openSUSE 10 Security Update : asterisk (asterisk-3977)");
      script_summary(english:"Check for the asterisk-3977 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update fixes multiple bugs in asterisk that allowed remote
    attackers to crash the asterisk server or even execute arbitrary code
    (CVE-2007-3762, CVE-2007-3763, CVE-2007-3764)."
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected asterisk package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:asterisk");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:10.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:10.2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2007/07/26");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/10/17");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE10\.1|SUSE10\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "10.1 / 10.2", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE10.1", reference:"asterisk-1.2.5-12.15") ) flag++;
    if ( rpm_check(release:"SUSE10.2", reference:"asterisk-1.2.13-25") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "asterisk");
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1358.NASL
    descriptionSeveral remote vulnerabilities have been discovered in Asterisk, a free software PBX and telephony toolkit. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2007-1306
    last seen2020-06-01
    modified2020-06-02
    plugin id25938
    published2007-08-28
    reporterThis script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/25938
    titleDebian DSA-1358-1 : asterisk - several vulnerabilities
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-1358. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(25938);
      script_version("1.22");
      script_cvs_date("Date: 2019/08/02 13:32:20");
    
      script_cve_id("CVE-2007-1306", "CVE-2007-1561", "CVE-2007-2294", "CVE-2007-2297", "CVE-2007-2488", "CVE-2007-3762", "CVE-2007-3763", "CVE-2007-3764");
      script_xref(name:"DSA", value:"1358");
    
      script_name(english:"Debian DSA-1358-1 : asterisk - several vulnerabilities");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Several remote vulnerabilities have been discovered in Asterisk, a
    free software PBX and telephony toolkit. The Common Vulnerabilities
    and Exposures project identifies the following problems :
    
      - CVE-2007-1306
        'Mu Security' discovered that a NULL pointer dereference
        in the SIP implementation could lead to denial of
        service.
    
      - CVE-2007-1561
        Inria Lorraine discovered that a programming error in
        the SIP implementation could lead to denial of service.
    
      - CVE-2007-2294
        It was discovered that a NULL pointer dereference in the
        manager interface could lead to denial of service.
    
      - CVE-2007-2297
        It was discovered that a programming error in the SIP
        implementation could lead to denial of service.
    
      - CVE-2007-2488
        Tim Panton and Birgit Arkestein discovered that a
        programming error in the IAX2 implementation could lead
        to information disclosure.
    
      - CVE-2007-3762
        Russell Bryant discovered that a buffer overflow in the
        IAX implementation could lead to the execution of
        arbitrary code.
    
      - CVE-2007-3763
        Chris Clark and Zane Lackey discovered that several NULL
        pointer dereferences in the IAX2 implementation could
        lead to denial of service.
    
      - CVE-2007-3764
        Will Drewry discovered that a programming error in the
        Skinny implementation could lead to denial of service."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2007-1306"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2007-1561"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2007-2294"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2007-2297"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2007-2488"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2007-3762"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2007-3763"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2007-3764"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2007/dsa-1358"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the Asterisk packages.
    
    For the oldstable distribution (sarge) these problems have been fixed
    in version 1.0.7.dfsg.1-2sarge5.
    
    For the stable distribution (etch) these problems have been fixed in
    version 1:1.2.13~dfsg-2etch1."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:asterisk");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:4.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2007/08/26");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/08/28");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"3.1", prefix:"asterisk", reference:"1.0.7.dfsg.1-2sarge5")) flag++;
    if (deb_check(release:"3.1", prefix:"asterisk-config", reference:"1.0.7.dfsg.1-2sarge5")) flag++;
    if (deb_check(release:"3.1", prefix:"asterisk-dev", reference:"1.0.7.dfsg.1-2sarge5")) flag++;
    if (deb_check(release:"3.1", prefix:"asterisk-doc", reference:"1.0.7.dfsg.1-2sarge5")) flag++;
    if (deb_check(release:"3.1", prefix:"asterisk-gtk-console", reference:"1.0.7.dfsg.1-2sarge5")) flag++;
    if (deb_check(release:"3.1", prefix:"asterisk-h323", reference:"1.0.7.dfsg.1-2sarge5")) flag++;
    if (deb_check(release:"3.1", prefix:"asterisk-sounds-main", reference:"1.0.7.dfsg.1-2sarge5")) flag++;
    if (deb_check(release:"3.1", prefix:"asterisk-web-vmail", reference:"1.0.7.dfsg.1-2sarge5")) flag++;
    if (deb_check(release:"4.0", prefix:"asterisk", reference:"1:1.2.13~dfsg-2etch1")) flag++;
    if (deb_check(release:"4.0", prefix:"asterisk-bristuff", reference:"1:1.2.13~dfsg-2etch1")) flag++;
    if (deb_check(release:"4.0", prefix:"asterisk-classic", reference:"1:1.2.13~dfsg-2etch1")) flag++;
    if (deb_check(release:"4.0", prefix:"asterisk-config", reference:"1:1.2.13~dfsg-2etch1")) flag++;
    if (deb_check(release:"4.0", prefix:"asterisk-dev", reference:"1:1.2.13~dfsg-2etch1")) flag++;
    if (deb_check(release:"4.0", prefix:"asterisk-doc", reference:"1:1.2.13~dfsg-2etch1")) flag++;
    if (deb_check(release:"4.0", prefix:"asterisk-h323", reference:"1:1.2.13~dfsg-2etch1")) flag++;
    if (deb_check(release:"4.0", prefix:"asterisk-sounds-main", reference:"1:1.2.13~dfsg-2etch1")) flag++;
    if (deb_check(release:"4.0", prefix:"asterisk-web-vmail", reference:"1:1.2.13~dfsg-2etch1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/58211/asa-2007-015.rb.txt
idPACKETSTORM:58211
last seen2016-12-05
published2007-08-01
reportertenkei_ev
sourcehttps://packetstormsecurity.com/files/58211/asa-2007-015.rb.txt.html
titleasa-2007-015.rb.txt

Seebug

bulletinFamilyexploit
descriptionBUGTRAQ ID: 24950 CVE(CAN) ID: CVE-2007-3763,CVE-2007-3764,CVE-2007-3765 Asterisk是开放源码的软件PBX,支持各种VoIP协议和设备。 Asterisk IAX2的隧道驱动(chan_iax2)中存在拒绝服务漏洞。如果Asterisk在有效会话中接收到了LAGRQ或LAGRP帧,就可能触发空指针异常。负责解析入站帧的代码可以正确地解析IAX帧中的信息单元,然后将指针设置为空表示没有与这个帧相关的原始数据负载,但没有将原始负载中用于表示字节数的变量设置为0。由于原始数据长度为非0,处理LAGRQ和LAGRP帧的代码就会试图从空指针拷贝数据,导致崩溃。 Asterisk轻型隧道驱动(chan_skinny)中存在拒绝服务漏洞。如果Asterisk所接收到的报文声明长度为0到3之间,之后为所声明长度+ 4或更多字节,则由于超长的memcpy可能会导致出现分段错误。 Asterisk在RTP栈的STUN实现中存在拒绝服务漏洞。如果Asterisk在活动的RTP端口上接收到了特制的STUN报文的话,指针就可能超过可访问的内存。负责解析入站STUN报文的代码无法确认表示STUN属性的长度和STUN属性头大小是否超过了可用的数据,因此数据指针可能超过可访问的内存,导致崩溃。成功攻击要求启用了chan_sip、chan_gtalk、chan_jingle、chan_h323、chan_mgcp或chan_skinny。 Asterisk Asterisk 1.4.x Asterisk Asterisk 1.2.x Asterisk Asterisk 1.0.x Asterisk Business Edition B.x.x Asterisk Business Edition A.x.x Asterisk AsteriskNOW &lt; beta7 Asterisk Appliance Developer Kit 0.x.x Asterisk s800i 1.0.x 临时解决方法: * 向/etc/asterisk/modules.conf中添加noload =&gt; chan_skinny.so,然后重启Asterisk。 厂商补丁: Asterisk -------- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: <a href="ftp://ftp.digium.com/pub/telephony/asterisk" target="_blank">ftp://ftp.digium.com/pub/telephony/asterisk</a> <a href="http://www.asterisknow.org/" target="_blank">http://www.asterisknow.org/</a> <a href="ftp://ftp.digium.com/pub/telephony/aadk/" target="_blank">ftp://ftp.digium.com/pub/telephony/aadk/</a>
idSSV:2027
last seen2017-11-19
modified2007-07-20
published2007-07-20
reporterRoot
titleAsterisk多个远程拒绝服务漏洞