Summary
| Detail | |||
|---|---|---|---|
| Vendor | Asterisk | First view | 2007-05-07 |
| Product | Asterisk | Last view | 2024-08-08 |
| Version | 1.2.26 | Type | Application |
| Update | * | ||
| Edition | * | ||
| Language | * | ||
| Sofware Edition | * | ||
| Target Software | * | ||
| Target Hardware | * | ||
| Other | * | ||
| CPE Product | cpe:2.3:a:asterisk:asterisk | ||
Activity : Overall
Related : CVE
| Date | Alert | Description | |
|---|---|---|---|
| 8.8 | 2024-08-08 | CVE-2024-42365 | Asterisk is an open source private branch exchange (PBX) and telephony toolkit. Prior to asterisk versions 18.24.2, 20.9.2, and 21.4.2 and certified-asterisk versions 18.9-cert11 and 20.7-cert2, an AMI user with `write=originate` may change all configuration files in the `/etc/asterisk/` directory. This occurs because they are able to curl remote files and write them to disk, but are also able to append to existing files using the `FILE` function inside the `SET` application. This issue may result in privilege escalation, remote code execution and/or blind server-side request forgery with arbitrary protocol. Asterisk versions 18.24.2, 20.9.2, and 21.4.2 and certified-asterisk versions 18.9-cert11 and 20.7-cert2 contain a fix for this issue. |
| 7.8 | 2008-07-22 | CVE-2008-3263 | The IAX2 protocol implementation in Asterisk Open Source 1.0.x, 1.2.x before 1.2.30, and 1.4.x before 1.4.21.2; Business Edition A.x.x, B.x.x before B.2.5.4, and C.x.x before C.1.10.3; AsteriskNOW; Appliance Developer Kit 0.x.x; and s800i 1.0.x before 1.2.0.1 allows remote attackers to cause a denial of service (call-number exhaustion and CPU consumption) by quickly sending a large number of IAX2 (IAX) POKE requests. |
| 5 | 2007-08-21 | CVE-2007-4455 | The SIP channel driver (chan_sip) in Asterisk Open Source 1.4.x before 1.4.11, AsteriskNOW before beta7, Asterisk Appliance Developer Kit 0.x before 0.8.0, and s800i (Asterisk Appliance) 1.x before 1.0.3 allows remote attackers to cause a denial of service (memory exhaustion) via a SIP dialog that causes a large number of history entries to be created. |
| 3.5 | 2007-08-09 | CVE-2007-4280 | The Skinny channel driver (chan_skinny) in Asterisk Open Source before 1.4.10, AsteriskNOW before beta7, Appliance Developer Kit before 0.7.0, and Appliance s800i before 1.0.3 allows remote authenticated users to cause a denial of service (application crash) via a CAPABILITIES_RES_MESSAGE packet with a capabilities count larger than the capabilities_res_message array population. |
| 10 | 2007-05-07 | CVE-2007-2488 | The IAX2 channel driver (chan_iax2) in Asterisk before 20070504 does not properly null terminate data, which allows remote attackers to trigger loss of transmitted data, and possibly obtain sensitive information (memory contents) or cause a denial of service (application crash), by sending a frame that lacks a 0 byte. |
CWE : Common Weakness Enumeration
| % | id | Name |
|---|---|---|
| 100% (1) | CWE-399 | Resource Management Errors |
Open Source Vulnerability Database (OSVDB)
| id | Description |
|---|---|
| 47253 | Asterisk IAX2 (IAX) POKE Request Saturation Resource Exhaustion Remote DoS |
| 38199 | Asterisk SIP Channel Driver (chan_sip) Malformed SIP Dialog Remote DoS |
| 38198 | Asterisk Skinny Channel Driver (chan_skinny) Malformed CAPABILITIES_RES_MESSA... |
| 35769 | Asterisk IAX2 Channel Driver (chan_iax2) Remote Memory Disclosure |
OpenVAS Exploits
| id | Description |
|---|---|
| 2009-05-05 | Name : Gentoo Security Advisory GLSA 200905-01 (asterisk) File : nvt/glsa_200905_01.nasl |
| 2009-02-17 | Name : Fedora Update for asterisk FEDORA-2008-6676 File : nvt/gb_fedora_2008_6676_asterisk_fc8.nasl |
| 2009-02-17 | Name : Fedora Update for asterisk FEDORA-2008-6853 File : nvt/gb_fedora_2008_6853_asterisk_fc9.nasl |
| 2009-01-28 | Name : SuSE Update for asterisk SUSE-SA:2007:034 File : nvt/gb_suse_2007_034.nasl |
| 2008-01-17 | Name : Debian Security Advisory DSA 1358-1 (asterisk) File : nvt/deb_1358_1.nasl |
Snort® IPS/IDS
| Date | Description |
|---|---|
| 2014-01-10 | Digium Asterisk SCCP capabilities response message capabilities count overflo... RuleID : 21672 - Type : PROTOCOL-VOIP - Revision : 4 |
Nessus® Vulnerability Scanner
| id | Description |
|---|---|
| 2009-05-04 | Name: The remote Gentoo host is missing one or more security-related patches. File: gentoo_GLSA-200905-01.nasl - Type: ACT_GATHER_INFO |
| 2008-08-15 | Name: The remote openSUSE host is missing a security update. File: suse_asterisk-5524.nasl - Type: ACT_GATHER_INFO |
| 2008-07-31 | Name: The remote Fedora host is missing a security update. File: fedora_2008-6853.nasl - Type: ACT_GATHER_INFO |
| 2008-07-25 | Name: The remote VoIP service is susceptible to a remote denial of service attack. File: asterisk_iax2_poke_exhaust.nasl - Type: ACT_GATHER_INFO |
| 2008-07-24 | Name: The remote Fedora host is missing a security update. File: fedora_2008-6676.nasl - Type: ACT_GATHER_INFO |
| 2007-10-17 | Name: The remote openSUSE host is missing a security update. File: suse_asterisk-3543.nasl - Type: ACT_GATHER_INFO |
| 2007-08-28 | Name: The remote Debian host is missing a security-related update. File: debian_DSA-1358.nasl - Type: ACT_GATHER_INFO |
