Executive Summary

Summary
Title End-of-life announcement for asterisk in oldstable
Informations
Name DSA-1952 First vendor Publication 2009-12-15
Vendor Debian Last vendor Modification 2009-12-15
Severity (Vendor) N/A Revision 2

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Cvss Base Score 7.5 Attack Range Network
Cvss Impact Score 6.4 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Security support for asterisk, an Open Source PBX and telephony toolkit, has been discontinued for the oldstable distribution (etch). The current version in oldstable is not supported by upstream anymore and is affected by several security issues. Backporting fixes for these and any future issues has become unfeasible and therefore we need to drop our security support for the version in oldstable. We recommend that all asterisk users upgrade to the stable distribution (lenny).

Original Source

Url : http://www.debian.org/security/2009/dsa-1952

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-200 Information Exposure

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:13727
 
Oval ID: oval:org.mitre.oval:def:13727
Title: DSA-1952-1 asterisk -- several vulnerabilities
Description: Several vulnerabilities have been discovered in asterisk, an Open Source PBX and telephony toolkit. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2009-0041 It is possible to determine valid login names via probing, due to the IAX2 response from asterisk. CVE-2008-3903 It is possible to determine a valid SIP username, when Digest authentication and authalwaysreject are enabled. CVE-2009-3727 It is possible to determine a valid SIP username via multiple crafted REGISTER messages. CVE-2008-7220 CVE-2007-2383 It was discovered that asterisk contains an obsolete copy of the Prototype JavaScript framework, which is vulnerable to several security issues. This copy is unused and now removed from asterisk. CVE-2009-4055 It was discovered that it is possible to perform a denial of service attack via RTP comfort noise payload with a long data length. For the stable distribution, these problems have been fixed in version 1:1.4.21.2~dfsg-3+lenny1. The security support for asterisk in the oldstable distribution has been discontinued before the end of the regular Etch security maintenance life cycle. You are strongly encouraged to upgrade to stable. For the testing distribution and the unstable distribution , these problems have been fixed in version 1:1.6.2.0~rc7-1. We recommend that you upgrade your asterisk packages.
Family: unix Class: patch
Reference(s): DSA-1952-1
CVE-2009-0041
CVE-2008-3903
CVE-2009-3727
CVE-2008-7220
CVE-2009-4055
CVE-2007-2383
 Version: 7
Platform(s): Debian GNU/Linux 5.0
 Product(s): asterisk
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:6950
 
Oval ID: oval:org.mitre.oval:def:6950
Title: DSA-1952 asterisk -- several vulnerabilities, end-of-life announcement in oldstable
Description: Several vulnerabilities have been discovered in asterisk, an Open Source PBX and telephony toolkit. The Common Vulnerabilities and Exposures project identifies the following problems: It is possible to determine valid login names via probing, due to the IAX2 response from asterisk. It is possible to determine a valid SIP username, when Digest authentication and authalwaysreject are enabled. It is possible to determine a valid SIP username via multiple crafted REGISTER messages. It was discovered that asterisk contains an obsolete copy of the Prototype JavaScript framework, which is vulnerable to several security issues. This copy is unused and now removed from asterisk. It was discovered that it is possible to perform a denial of service attack via RTP comfort noise payload with a long data length. The current version in oldstable is not supported by upstream anymore and is affected by several security issues. Backporting fixes for these and any future issues has become unfeasible and therefore we need to drop our security support for the version in oldstable. We recommend that all asterisk users upgrade to the stable distribution.
Family: unix Class: patch
Reference(s): DSA-1952
CVE-2009-0041
CVE-2008-3903
CVE-2009-3727
CVE-2008-7220
CVE-2009-4055
CVE-2007-2383
 Version: 7
Platform(s): Debian GNU/Linux 5.0
 Product(s): asterisk
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 28
Application 179
Application 4
Application 217
Application 1
Application 2
Application 1
Application 1
Hardware 1
Hardware 4
Os 2

OpenVAS Exploits

Date Description
2011-03-09 Name : Gentoo Security Advisory GLSA 201006-20 (asterisk)
File : nvt/glsa_201006_20.nasl
2010-04-06 Name : Fedora Update for asterisk FEDORA-2010-3381
File : nvt/gb_fedora_2010_3381_asterisk_fc12.nasl
2010-03-31 Name : Fedora Update for asterisk FEDORA-2010-3724
File : nvt/gb_fedora_2010_3724_asterisk_fc11.nasl
2009-12-30 Name : Debian Security Advisory DSA 1952-1 (asterisk)
File : nvt/deb_1952_1.nasl
2009-12-30 Name : Fedora Core 11 FEDORA-2009-12506 (asterisk)
File : nvt/fcore_2009_12506.nasl
2009-12-30 Name : Fedora Core 12 FEDORA-2009-12517 (asterisk)
File : nvt/fcore_2009_12517.nasl
2009-12-14 Name : Fedora Core 10 FEDORA-2009-12461 (asterisk)
File : nvt/fcore_2009_12461.nasl
2009-12-03 Name : Fedora Core 11 FEDORA-2009-11070 (asterisk)
File : nvt/fcore_2009_11070.nasl
2009-12-03 Name : Fedora Core 10 FEDORA-2009-11126 (asterisk)
File : nvt/fcore_2009_11126.nasl
2009-12-01 Name : Asterisk RTP Comfort Noise Processing Remote Denial of Service Vulnerability
File : nvt/asterisk_37153.nasl
2009-11-10 Name : Asterisk SIP Response Username Enumeration Remote Information Disclosure Vuln...
File : nvt/asterisk_36924.nasl
2009-09-28 Name : Fedora Core 10 FEDORA-2009-9374 (asterisk)
File : nvt/fcore_2009_9374.nasl
2009-05-05 Name : Gentoo Security Advisory GLSA 200905-01 (asterisk)
File : nvt/glsa_200905_01.nasl
2009-02-13 Name : Fedora Core 9 FEDORA-2009-0973 (asterisk)
File : nvt/fcore_2009_0973.nasl
2009-02-13 Name : Fedora Core 10 FEDORA-2009-0984 (asterisk)
File : nvt/fcore_2009_0984.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
60569 Asterisk rtp.c RTP Comfort Noise Payload Remote DoS
59697 Asterisk SIP REGISTER Response Username Enumeration Weakness

Asterisk contains a flaw that may allow an attacker to determine valid usernames. The issue is triggered when different responses are being sent using a valid or an invalid username in 'REGISTER' messages. This can be exploited to determine valid usernames by sending a specially crafted 'REGISTER' message. .
51373 Asterisk IAX2 User Account Enumeration Weakness
48473 Asterisk PBX Digest Authentication Remote Username Enumeration
46312 Prototype JavaScript Framework prototype.js Cross-site Ajax Request Unspecifi...
43328 Prototype (prototypejs) Framework JavaScript Object Notation (JSON) Crafted H...

Prototype (prototypejs) framework contains a flaw that may allow a malicious user to obtain user data. The framework is using JSON, without an associated protection scheme. This way, an attacker may be able to inject other javascript code, and capture the data destined to the user.

Snort® IPS/IDS

Date Description
2014-01-10 Digium Asterisk RTP comfort noise denial of service attempt
RuleID : 24270 - Revision : 3 - Type : PROTOCOL-VOIP

Nessus® Vulnerability Scanner

Date Description
2010-06-04 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201006-20.nasl - Type : ACT_GATHER_INFO
2010-02-24 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-1952.nasl - Type : ACT_GATHER_INFO
2009-12-22 Name : The remote Fedora host is missing a security update.
File : fedora_2009-12506.nasl - Type : ACT_GATHER_INFO
2009-12-22 Name : The remote Fedora host is missing a security update.
File : fedora_2009-12517.nasl - Type : ACT_GATHER_INFO
2009-12-14 Name : The remote Fedora host is missing a security update.
File : fedora_2009-12461.nasl - Type : ACT_GATHER_INFO
2009-11-25 Name : The remote Fedora host is missing a security update.
File : fedora_2009-11070.nasl - Type : ACT_GATHER_INFO
2009-11-25 Name : The remote Fedora host is missing a security update.
File : fedora_2009-11126.nasl - Type : ACT_GATHER_INFO
2009-05-04 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-200905-01.nasl - Type : ACT_GATHER_INFO
2009-04-23 Name : The remote Fedora host is missing a security update.
File : fedora_2009-0984.nasl - Type : ACT_GATHER_INFO
2009-02-13 Name : The remote Fedora host is missing one or more security updates.
File : fedora_2009-0973.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
Date Informations
2014-02-17 11:29:04
  • Multiple Updates