Summary
| Detail | |||
|---|---|---|---|
| Vendor | Digium | First view | 2017-04-10 |
| Product | Certified Asterisk | Last view | 2019-07-12 |
| Version | 11.2 | Type | Application |
| Update | cert3 | ||
| Edition | * | ||
| Language | * | ||
| Sofware Edition | * | ||
| Target Software | * | ||
| Target Hardware | * | ||
| Other | * | ||
| CPE Product | cpe:2.3:a:digium:certified_asterisk | ||
Activity : Overall
Related : CVE
| Date | Alert | Description | |
|---|---|---|---|
| 5.3 | 2019-07-12 | CVE-2019-13161 | An issue was discovered in Asterisk Open Source through 13.27.0, 14.x and 15.x through 15.7.2, and 16.x through 16.4.0, and Certified Asterisk through 13.21-cert3. A pointer dereference in chan_sip while handling SDP negotiation allows an attacker to crash Asterisk when handling an SDP answer to an outgoing T.38 re-invite. To exploit this vulnerability an attacker must cause the chan_sip module to send a T.38 re-invite request to them. Upon receipt, the attacker must send an SDP answer containing both a T.38 UDPTL stream and another media stream containing only a codec (which is not permitted according to the chan_sip configuration). |
| 6.5 | 2018-02-21 | CVE-2018-7286 | An issue was discovered in Asterisk through 13.19.1, 14.x through 14.7.5, and 15.x through 15.2.1, and Certified Asterisk through 13.18-cert2. res_pjsip allows remote authenticated users to crash Asterisk (segmentation fault) by sending a number of SIP INVITE messages on a TCP or TLS connection and then suddenly closing the connection. |
| 7.5 | 2018-02-21 | CVE-2018-7284 | A Buffer Overflow issue was discovered in Asterisk through 13.19.1, 14.x through 14.7.5, and 15.x through 15.2.1, and Certified Asterisk through 13.18-cert2. When processing a SUBSCRIBE request, the res_pjsip_pubsub module stores the accepted formats present in the Accept headers of the request. This code did not limit the number of headers it processed, despite having a fixed limit of 32. If more than 32 Accept headers were present, the code would write outside of its memory and cause a crash. |
| 5.9 | 2017-12-13 | CVE-2017-17664 | A Remote Crash issue was discovered in Asterisk Open Source 13.x before 13.18.4, 14.x before 14.7.4, and 15.x before 15.1.4 and Certified Asterisk before 13.13-cert9. Certain compound RTCP packets cause a crash in the RTCP Stack. |
| 7.5 | 2017-12-01 | CVE-2017-17090 | An issue was discovered in chan_skinny.c in Asterisk Open Source 13.18.2 and older, 14.7.2 and older, and 15.1.2 and older, and Certified Asterisk 13.13-cert7 and older. If the chan_skinny (aka SCCP protocol) channel driver is flooded with certain requests, it can cause the asterisk process to use excessive amounts of virtual memory, eventually causing asterisk to stop processing requests of any kind. |
| 8.8 | 2017-04-10 | CVE-2017-7617 | Remote code execution can occur in Asterisk Open Source 13.x before 13.14.1 and 14.x before 14.3.1 and Certified Asterisk 13.13 before 13.13-cert3 because of a buffer overflow in a CDR user field, related to X-ClientCode in chan_sip, the CDR dialplan function, and the AMI Monitor action. |
CWE : Common Weakness Enumeration
| % | id | Name |
|---|---|---|
| 60% (3) | CWE-119 | Failure to Constrain Operations within the Bounds of a Memory Buffer |
| 20% (1) | CWE-476 | NULL Pointer Dereference |
| 20% (1) | CWE-459 | Incomplete Cleanup |
Snort® IPS/IDS
| Date | Description |
|---|---|
| 2019-09-19 | Digium Asterisk multiple malformed Accept headers denial of service attempt RuleID : 51087 - Type : PROTOCOL-VOIP - Revision : 1 |
| 2019-09-19 | Digium Asterisk multiple malformed Accept headers denial of service attempt RuleID : 51086 - Type : PROTOCOL-VOIP - Revision : 1 |
Nessus® Vulnerability Scanner
| id | Description |
|---|---|
| 2018-10-17 | Name: The remote Debian host is missing a security-related update. File: debian_DSA-4320.nasl - Type: ACT_GATHER_INFO |
| 2018-03-02 | Name: A telephony application running on the remote host is affected by multiple vu... File: asterisk_ast_2018_001-006.nasl - Type: ACT_GATHER_INFO |
| 2018-03-02 | Name: A telephony application running on the remote host is affected by a Subscribe... File: asterisk_ast_2018_002-005.nasl - Type: ACT_GATHER_INFO |
| 2018-02-23 | Name: The remote FreeBSD host is missing a security-related update. File: freebsd_pkg_933654ce17b811e890b8001999f8d30b.nasl - Type: ACT_GATHER_INFO |
| 2018-01-15 | Name: The remote Fedora host is missing a security update. File: fedora_2017-66e9367f7e.nasl - Type: ACT_GATHER_INFO |
| 2018-01-02 | Name: The remote Debian host is missing a security update. File: debian_DLA-1225.nasl - Type: ACT_GATHER_INFO |
| 2018-01-02 | Name: The remote Debian host is missing a security-related update. File: debian_DSA-4076.nasl - Type: ACT_GATHER_INFO |
| 2017-12-28 | Name: The remote Fedora host is missing a security update. File: fedora_2017-38fbcdffc3.nasl - Type: ACT_GATHER_INFO |
| 2017-12-06 | Name: A telephony application running on the remote host is affected by a memory ex... File: asterisk_ast_2017_013.nasl - Type: ACT_GATHER_INFO |
| 2017-12-04 | Name: The remote FreeBSD host is missing a security-related update. File: freebsd_pkg_e91cf90cd6dd11e79d10001999f8d30b.nasl - Type: ACT_GATHER_INFO |
| 2017-04-13 | Name: A telephony application running on the remote host is affected by a remote co... File: asterisk_ast_2017_001.nasl - Type: ACT_GATHER_INFO |
