CVE-2011-1147

Name of the Vulnerable Software and Affected Versions Asterisk Open Source versions 1.4.x through 1.4.39.1 Asterisk Open Source versions 1.6.1.x through 1.6.1.21 Asterisk Open Source versions 1.6.2.x through 1.6.2.16.1 Asterisk Open Source versions 1.8.x through 1.8.2.3 Asterisk Business Edition C.x.x through C.3.6.2 AsteriskNOW version 1.5 s800i (Asterisk Appliance)

Description The issue is caused by multiple stack-based and heap-based buffer overflows in the decode open type and udptl rx packet functions in main/udptl.c, which can be exploited by remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted UDPTL packet when T.38 support is enabled.

Recommendations For Asterisk Open Source versions 1.4.x through 1.4.39.1, update to version 1.4.39.2 or later. For Asterisk Open Source versions 1.6.1.x through 1.6.1.21, update to version 1.6.1.22 or later. For Asterisk Open Source versions 1.6.2.x through 1.6.2.16.1, update to version 1.6.2.16.2 or later. For Asterisk Open Source versions 1.8.x through 1.8.2.3, update to version 1.8.2.4 or later. For Asterisk Business Edition C.x.x through C.3.6.2, update to version C.3.6.3 or later. For AsteriskNOW version 1.5, consider upgrading to a newer version. For s800i (Asterisk Appliance), update to a patched version or apply the recommended fix.