Executive Summary

Information

| Field | Value | Field | Value |
|---|---|---|---|
| Name | MDVSA-2014:078 | First vendor publication | 2014-01-16 |
| Vendor | Mandriva | Last vendor modification | 2014-01-16 |
| Severity (vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3

CVSS vector: N/A

| Metric | Value | Metric | Value |
|---|---|---|---|
| Overall CVSS score | NA | | |
| Base score | NA | Environmental score | NA |
| Impact subscore | NA | Temporal score | NA |
| Exploitability subscore | NA | | |
Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

| Metric | Value | Metric | Value |
|---|---|---|---|
| CVSS base score | 7.5 | Attack range | Network |
| CVSS impact score | 6.4 | Attack complexity | Low |
| CVSS exploit score | 10 | Authentication | None required |
Detail

Multiple vulnerabilities have been discovered and corrected in asterisk: Sending an HTTP request that is handled by Asterisk with a large number of Cookie headers could overflow the stack. You could even exhaust memory if you sent an unlimited number of headers in the request (CVE-2014-2286). An attacker can use all available file descriptors using SIP INVITE requests. Asterisk will respond with code 400, 420, or 422 for INVITEs meeting this criteria. Each INVITE meeting these conditions will leak a channel and several file descriptors. The file descriptors cannot be released without restarting Asterisk, which may allow intrusion detection systems to be bypassed by sending the requests slowly (CVE-2014-2287). The updated packages have been upgraded to the 11.8.1 version, which is not vulnerable to these issues.
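The first issue above (CVE-2014-2286) is triggered by a request that repeats the Cookie header an abnormal number of times, which is also what the Snort rules listed further down look for. The following added example, which is not part of the advisory and not Asterisk's own code, shows how a defender could apply the same check in front of an Asterisk HTTP interface (for instance in a reverse proxy or log-replay script): it parses a raw HTTP request, counts how often each header name repeats, and flags requests whose Cookie count exceeds a policy limit. The limit of 16, the host name and the two sample requests are constructed assumptions for the example.

```python
"""Detection check for HTTP requests carrying an abnormal number of Cookie
headers (the condition behind CVE-2014-2286 as described in the advisory).
Added example; the threshold and the sample requests are constructed here
and are not taken from the advisory or from Asterisk itself."""

from collections import Counter

# Assumed policy limit: a browser sends one Cookie header, so even a small
# value is generous. Not a value stated in the advisory.
MAX_COOKIE_HEADERS = 16


def parse_headers(raw: bytes):
    """Split a raw HTTP request into (request_line, [(name, value), ...]).

    Header names are lower-cased so that 'Cookie' and 'cookie' count together;
    everything after the blank line (the body) is ignored.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip().lower().decode("latin-1"),
                        value.strip().decode("latin-1")))
    return request_line, headers


def header_counts(raw: bytes) -> Counter:
    """Count how many times each header name occurs in the request."""
    _, headers = parse_headers(raw)
    return Counter(name for name, _ in headers)


def is_cookie_flood(raw: bytes, limit: int = MAX_COOKIE_HEADERS) -> bool:
    """True when the Cookie header is repeated more than `limit` times."""
    return header_counts(raw)["cookie"] > limit


def _sample_request(cookie_headers: int) -> bytes:
    """Construct a sample GET request with the given number of Cookie headers
    (test fixture for this example; host name is a placeholder)."""
    lines = [b"GET / HTTP/1.1", b"Host: pbx.example.invalid"]
    lines += [b"Cookie: session=%d" % i for i in range(cookie_headers)]
    return b"\r\n".join(lines) + b"\r\n\r\n"


# Constructed samples: an ordinary request and one that repeats Cookie 500 times.
NORMAL_REQUEST = _sample_request(2)
SUSPICIOUS_REQUEST = _sample_request(500)

if __name__ == "__main__":
    for label, req in (("normal", NORMAL_REQUEST), ("suspicious", SUSPICIOUS_REQUEST)):
        print(f"{label}: {header_counts(req)['cookie']} Cookie headers, "
              f"flagged={is_cookie_flood(req)}")
```

The check counts repeated header names rather than total request size, because the advisory's condition is the number of Cookie headers, not the byte length; a request that is otherwise small can still hit it. For the second issue (CVE-2014-2287) the equivalent signal is a rising rate of 400/420/422 responses to SIP INVITEs together with a growing open-file-descriptor count on the Asterisk process, which is a host-monitoring rather than a request-parsing check.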
Original Source

URL: http://www.mandriva.com/security/advisories?name=MDVSA-2014:078
CWE : Common Weakness Enumeration

| % | Id | Name |
|---|---|---|
| 100 % | CWE-20 | Improper Input Validation |
CPE : Common Platform Enumeration
Information Assurance Vulnerability Management (IAVM)

| Date | Description |
|---|---|
| 2014-03-13 | IAVM : 2014-A-0035 - Multiple Vulnerabilities in Asterisk Products. Severity : Category I - VMSKEY : V0046183 |
Snort® IPS/IDS

| Date | Description |
|---|---|
| 2014-05-01 | Digium Asterisk cookie stack buffer overflow attempt. RuleID : 30293 - Revision : 4 - Type : SERVER-WEBAPP |
| 2014-05-01 | Digium Asterisk cookie stack buffer overflow attempt. RuleID : 30292 - Revision : 4 - Type : SERVER-WEBAPP |
| 2014-05-01 | Digium Asterisk cookie stack buffer overflow attempt. RuleID : 30291 - Revision : 4 - Type : SERVER-WEBAPP |
Nessus® Vulnerability Scanner

| Date | Description |
|---|---|
| 2017-01-13 | Name : The remote Debian host is missing a security update. File : debian_DLA-781.nasl - Type : ACT_GATHER_INFO |
| 2016-05-04 | Name : The remote Debian host is missing a security update. File : debian_DLA-455.nasl - Type : ACT_GATHER_INFO |
| 2014-05-05 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201405-05.nasl - Type : ACT_GATHER_INFO |
| 2014-04-17 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2014-078.nasl - Type : ACT_GATHER_INFO |
| 2014-03-22 | Name : The remote Fedora host is missing a security update. File : fedora_2014-3762.nasl - Type : ACT_GATHER_INFO |
| 2014-03-22 | Name : The remote Fedora host is missing a security update. File : fedora_2014-3779.nasl - Type : ACT_GATHER_INFO |
| 2014-03-14 | Name : A telephony application running on the remote host is affected by a stack ove... File : asterisk_ast_2014_001.nasl - Type : ACT_GATHER_INFO |
| 2014-03-14 | Name : A telephony application running on the remote host is affected by a denial of... File : asterisk_ast_2014_002.nasl - Type : ACT_GATHER_INFO |
| 2014-03-12 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_03159886a8a311e38f360025905a4771.nasl - Type : ACT_GATHER_INFO |
Alert History

| Date | Information |
|---|---|
| 2014-04-21 21:25:29 | |
| 2014-04-19 13:28:35 | |
| 2014-04-18 13:25:57 | |
| 2014-04-16 17:20:03 | |