             AUSCERT External Security Bulletin Redistribution

             Asterisk Project Security Advisory - AST-2011-001
                              21 January 2011


        AusCERT Security Bulletin Summary

Product:           Asterisk Open Source
                   Asterisk Business Edition
                   s800i (Asterisk Appliance)
Publisher:         Digium
Operating System:  UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2011-0495  

Original Bulletin: 

Revision History:  January 21 2011: Added CVE Name and Changed to for fix versions
                   January 19 2011: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

               Asterisk Project Security Advisory - AST-2011-001

         Product        Asterisk                                              
         Summary        Stack buffer overflow in SIP channel driver           
    Nature of Advisory  Exploitable Stack Buffer Overflow                     
      Susceptibility    Remote Authenticated Sessions                         
         Severity       Moderate                                              
      Exploits Known    No                                                    
       Reported On      January 11, 2011                                      
       Reported By      Matthew Nicholson                                     
        Posted On       January 18, 2011                                      
     Last Updated On    January 20, 2011                                      
     Advisory Contact   Matthew Nicholson <mnicholson@digium.com>             
         CVE Name       CVE-2011-0495

   Description When forming an outgoing SIP request while in pedantic mode, a 
               stack buffer can be made to overflow if supplied with          
               carefully crafted caller ID information. This vulnerability    
               also affects the URIENCODE dialplan function and in some       
               versions of Asterisk, the AGI dialplan application as well.    
               The ast_uri_encode function does not properly respect the size 
               of its output buffer and can write past the end of it when     
               encoding URIs.                                                 

   Resolution The size of the output buffer passed to the ast_uri_encode      
              function is now properly respected.                             
              In Asterisk versions not containing the fix for this issue,     
              limiting strings originating from remote sources that will be   
              URI encoded to a length of 40 characters will protect against   
              this vulnerability.                                             
              exten => s,1,Set(CALLERID(num)=${CALLERID(num):0:40})           
              exten => s,n,Set(CALLERID(name)=${CALLERID(name):0:40})         
              exten => s,n,Dial(SIP/channel)                                  
              The CALLERID(num) and CALLERID(name) channel values, and any    
              strings passed to the URIENCODE dialplan function should be     
              limited in this manner.                                         
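As an added example, not code from Asterisk or from the advisory: a hypothetical bounded percent-encoder of the kind the fix describes (the function names are assumptions). It never writes more than outlen-1 bytes, always NUL-terminates, never emits a split %XX escape, and reports truncation; demo_no_overflow() pushes a constructed 199-character caller ID name through a 40-byte buffer and checks that guard bytes placed after the buffer are untouched.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Hypothetical bounded percent-encoder; NOT Asterisk's ast_uri_encode.
 * Bytes outside the unreserved set are emitted as %XX. At most outlen-1 bytes
 * are written, out is always NUL-terminated. Returns 1 if all of in fit, 0 if truncated. */
static int is_unreserved(unsigned char c)
{
    return isalnum(c) || strchr("-_.!~*'()", c) != NULL;
}

int uri_encode_bounded(const char *in, char *out, size_t outlen)
{
    size_t pos = 0;
    if (outlen == 0)
        return 0;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        if (is_unreserved(c)) {
            if (pos + 1 >= outlen)      /* room for the byte plus NUL? */
                break;
            out[pos++] = (char)c;
        } else {
            if (pos + 3 >= outlen)      /* room for %XX plus NUL? never split an escape */
                break;
            snprintf(out + pos, 4, "%%%02X", (unsigned)c);
            pos += 3;
        }
    }
    out[pos] = '\0';
    return *in == '\0';                 /* 1 only if the loop consumed the whole input */
}

/* Constructed check: a 199-character name made entirely of bytes that must be
 * escaped goes into a 40-byte buffer; guard bytes after it must survive. */
int demo_no_overflow(void)
{
    struct { char buf[40]; char guard[8]; } s;
    char name[200];
    memset(name, '"', sizeof name - 1);
    name[sizeof name - 1] = '\0';
    memset(s.guard, 0x5A, sizeof s.guard);
    int fit = uri_encode_bounded(name, s.buf, sizeof s.buf);
    for (size_t i = 0; i < sizeof s.guard; i++)
        if (s.guard[i] != 0x5A) return 0;  /* guard clobbered: overflow */
    return !fit && strlen(s.buf) == 39;    /* 13 complete escapes, then truncated */
}
```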

                               Affected Versions
                Product              Release Series 
         Asterisk Open Source            1.2.x      All versions              
         Asterisk Open Source            1.4.x      All versions              
         Asterisk Open Source            1.6.x      All versions              
         Asterisk Open Source            1.8.x      All versions              
       Asterisk Business Edition         C.x.x      All versions              
              AsteriskNOW                 1.5       All versions              
      s800i (Asterisk Appliance)         1.2.x      All versions              

                                  Corrected In
            Product                              Release                      
     Asterisk Open Source,,,,     
   Asterisk Business Edition                     C.3.6.2                      

                                   URL                                 Branch 
   http://downloads.asterisk.org/pub/security/AST-2011-001-1.4.diff    1.4    
   http://downloads.asterisk.org/pub/security/AST-2011-001-1.6.1.diff  1.6.1  
   http://downloads.asterisk.org/pub/security/AST-2011-001-1.6.2.diff  1.6.2  
   http://downloads.asterisk.org/pub/security/AST-2011-001-1.8.diff    1.8    

   Asterisk Project Security Advisories are posted at                         
   This document may be superseded by later versions; if so, the latest       
   version will be posted at                                                  
   http://downloads.digium.com/pub/security/AST-2011-001.pdf and              

                                Revision History
         Date                 Editor                  Revisions Made          
   2011-01-18        Matthew Nicholson        Initial Release                 
   2011-01-19        Matthew Nicholson        Added CVE Name
   2011-01-20        Matthew Nicholson        Changed to for 
                                              fix versions

               Asterisk Project Security Advisory - AST-2011-001
              Copyright (c) 2011 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967