CVE-2009-2726
Asterisk Project Security Advisory - Driver Crash
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
The SIP channel driver in Asterisk Open Source 1.2.x before 1.2.34, 1.4.x before 1.4.26.1, 1.6.0.x before 1.6.0.12, and 1.6.1.x before 1.6.1.4; Asterisk Business Edition A.x.x, B.x.x before B.2.5.9, C.2.x before C.2.4.1, and C.3.x before C.3.1; and Asterisk Appliance s800i 1.2.x before 1.3.0.3 does not use a maximum width when invoking sscanf style functions, which allows remote attackers to cause a denial of service (stack memory consumption) via SIP packets containing large sequences of ASCII decimal characters, as demonstrated via vectors related to (1) the CSeq value in a SIP header, (2) large Content-Length value, and (3) SDP.
El driver SIP channel en Asterisk Open Source v1.2.x anterior a v1.2.34, v1.4.x anterior a v1.4.26.1, v1.6.0.x anterior a v1.6.0.12, y v1.6.1.x anterior a v1.6.1.4; Asterisk Business Edition vA.x.x, vB.x.x anterior a vB.2.5.9, vC.2.x anterior a vC.2.4.1, y vC.3.x anterior a vC.3.1; y Asterisk Appliance s800i v1.2.x anterior a v1.3.0.3, no utiliza el ancho máximo cuando se invocan las funciones de estilo sscanf, lo que permite a atacantes remotos producir una denegación de servicio (agotamiento de la pila de memoria) a través de paquetes SIP que contienen secuencias largas de caracteres ASCII decimales, como se demostró a través de vectores relacionados con (1) el valor CSeq en una cabecera SIP, (2) valores Content-Length, y (3) SDP.
On certain implementations of libc, the scanf family of functions uses an unbounded amount of stack memory to repeatedly allocate string buffers prior to conversion to the target type. Coupled with Asterisk's allocation of thread stack sizes that are smaller than the default, an attacker may exhaust stack memory in the SIP stack network thread by presenting excessively long numeric strings in various fields.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2009-08-10 CVE Reserved
- 2009-08-11 CVE Published
- 2024-08-07 CVE Updated
- 2024-08-07 First Exploit
- 2025-05-28 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-770: Allocation of Resources Without Limits or Throttling
CAPEC
References (7)
| URL | Tag | Source |
|---|---|---|
| http://downloads.digium.com/pub/security/AST-2009-005.html | Product | |
| http://labs.mudynamics.com/advisories/MU-200908-01.txt | Broken Link | |
| http://www.securityfocus.com/archive/1/505669/100/0/threaded | Broken Link | |
| http://www.securitytracker.com/id?1022705 | Broken Link |
| URL | Date | SRC |
|---|---|---|
| http://www.securityfocus.com/bid/36015 | 2024-08-07 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| http://secunia.com/advisories/36227 | 2024-02-15 | |
| http://www.vupen.com/english/advisories/2009/2229 | 2024-02-15 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Digium Search vendor "Digium" | S800i Firmware Search vendor "Digium" for product "S800i Firmware" | >= 1.2.0 < 1.3.0.3 Search vendor "Digium" for product "S800i Firmware" and version " >= 1.2.0 < 1.3.0.3" | - |
Affected
| in | Digium Search vendor "Digium" | S800i Search vendor "Digium" for product "S800i" | - | - |
Safe
|
| Digium Search vendor "Digium" | Asterisk Search vendor "Digium" for product "Asterisk" | < b.2.5.9 Search vendor "Digium" for product "Asterisk" and version " < b.2.5.9" | business |
Affected
| ||||||
| Digium Search vendor "Digium" | Asterisk Search vendor "Digium" for product "Asterisk" | >= c.2.0 <= c.2.4.1 Search vendor "Digium" for product "Asterisk" and version " >= c.2.0 <= c.2.4.1" | business |
Affected
| ||||||
| Digium Search vendor "Digium" | Asterisk Search vendor "Digium" for product "Asterisk" | >= c.3.0 < c.3.1 Search vendor "Digium" for product "Asterisk" and version " >= c.3.0 < c.3.1" | business |
Affected
| ||||||
| Digium Search vendor "Digium" | Asterisk Search vendor "Digium" for product "Asterisk" | >= 1.2.0 < 1.2.34 Search vendor "Digium" for product "Asterisk" and version " >= 1.2.0 < 1.2.34" | - |
Affected
| ||||||
| Digium Search vendor "Digium" | Asterisk Search vendor "Digium" for product "Asterisk" | >= 1.4.0 < 1.4.26.1 Search vendor "Digium" for product "Asterisk" and version " >= 1.4.0 < 1.4.26.1" | - |
Affected
| ||||||
| Digium Search vendor "Digium" | Asterisk Search vendor "Digium" for product "Asterisk" | >= 1.6.0 < 1.6.0.12 Search vendor "Digium" for product "Asterisk" and version " >= 1.6.0 < 1.6.0.12" | - |
Affected
| ||||||
| Digium Search vendor "Digium" | Asterisk Search vendor "Digium" for product "Asterisk" | >= 1.6.1 < 1.6.1.4 Search vendor "Digium" for product "Asterisk" and version " >= 1.6.1 < 1.6.1.4" | - |
Affected
| ||||||