Executive Summary
| Summary | |
|---|---|
| Title | New Asterisk packages fix arbitrary code execution |
| Informations | |||
|---|---|---|---|
| Name | DSA-1229 | First vendor Publication | 2006-12-06 |
| Vendor | Debian | Last vendor Modification | 2006-12-06 |
| Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P) | |||
|---|---|---|---|
| Cvss Base Score | 7.5 | Attack Range | Network |
| Cvss Impact Score | 6.4 | Attack Complexity | Low |
| Cvss Expoit Score | 10 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| Adam Boileau discovered an integer overflow in the Skinny channel driver in Asterisk, an Open Source Private Branch Exchange or telephone system, as used by Cisco SCCP phones, which allows remote attackers to execute arbitrary code. For the stable distribution (sarge) this problem has been fixed in version 1.0.7.dfsg.1-2sarge4. For the unstable distribution (sid) this problem has been fixed in version 1.2.13~dfsg-1. We recommend that you upgrade your asterisk packages. |
Original Source
| Url : http://www.debian.org/security/2006/dsa-1229 |
CPE : Common Platform Enumeration
OpenVAS Exploits
| Date | Description |
|---|---|
| 2008-09-24 | Name : Gentoo Security Advisory GLSA 200610-15 (asterisk) File : nvt/glsa_200610_15.nasl |
| 2008-01-17 | Name : Debian Security Advisory DSA 1229-1 (asterisk) File : nvt/deb_1229_1.nasl |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 29972 | Asterisk Skinny Channel Driver (chan_skinny) get_input Function Remote Overflow A remote overflow exists in Asterisk. The function get_input in chan_skinny.c fails to check integer values resulting in a heap overflow. With a specially crafted request, an attacker can cause the service to terminate or possibly execute arbitrary code. |
Snort® IPS/IDS
| Date | Description |
|---|---|
| 2014-01-10 | Digium Asterisk data length field overflow attempt RuleID : 20670 - Revision : 7 - Type : PROTOCOL-VOIP |
| 2014-01-10 | Digium Asterisk data length field overflow attempt RuleID : 12359 - Revision : 11 - Type : PROTOCOL-VOIP |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2007-10-17 | Name : The remote openSUSE host is missing a security update. File : suse_asterisk-2272.nasl - Type : ACT_GATHER_INFO |
| 2007-02-18 | Name : The remote host is missing a vendor-supplied security patch File : suse_SA_2006_069.nasl - Type : ACT_GATHER_INFO |
| 2006-12-11 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1229.nasl - Type : ACT_GATHER_INFO |
| 2006-10-31 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200610-15.nasl - Type : ACT_GATHER_INFO |
| 2006-10-19 | Name : A telephony application running on the remote host is affected by a heap over... File : asterisk_chan_skinny_dlen_overflow.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2014-02-17 11:26:24 |
|
