Executive Summary
Summary | |
---|---|
Title | New asterisk packages fix several vulnerabilities |
Information | | | |
---|---|---|---|
Name | DSA-1525 | First vendor publication | 2008-03-20 |
Vendor | Debian | Last vendor modification | 2008-03-20 |
Severity (vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
CVSS vector: N/A | | | |
---|---|---|---|
Overall CVSS Score | NA | | |
Base Score | NA | Environmental Score | NA |
Impact Sub Score | NA | Temporal Score | NA |
Exploitability Sub Score | NA | | |
Security-Database Scoring CVSS v2
CVSS vector: (AV:N/AC:M/Au:N/C:C/I:C/A:N) | | | |
---|---|---|---|
CVSS Base Score | 8.8 | Attack Range | Network |
CVSS Impact Score | 9.2 | Attack Complexity | Medium |
CVSS Exploit Score | 8.6 | Authentication | None Required |
Detail
Several remote vulnerabilities have been discovered in Asterisk, a free software PBX and telephony toolkit. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2007-6430: Tilghman Lesher discovered that database-based registrations are insufficiently validated. This only affects setups that are configured to run without a password and with host-based authentication only.

CVE-2008-1332: Jason Parker discovered that insufficient validation of From: headers inside the SIP channel driver may lead to authentication bypass and the potential external initiation of calls.

This update also fixes a format string vulnerability, which can only be triggered through configuration files under control of the local administrator. In later releases of Asterisk this issue is remotely exploitable and tracked as CVE-2008-1333.

For the stable distribution (etch), these problems have been fixed in version 1:1.2.13~dfsg-2etch3.

The status of the old stable distribution (sarge) is currently being investigated. If affected, an update will be released through security.debian.org.

We recommend that you upgrade your asterisk packages.
Original Source
Url : http://www.debian.org/security/2008/dsa-1525
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
33 % | CWE-287 | Improper Authentication |
33 % | CWE-264 | Permissions, Privileges, and Access Controls |
33 % | CWE-134 | Uncontrolled Format String (CWE/SANS Top 25) |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:17968 | | | |
---|---|---|---|
Oval ID: | oval:org.mitre.oval:def:17968 | | |
Title: | DSA-1525-1 asterisk | | |
Description: | Several remote vulnerabilities have been discovered in Asterisk, a free software PBX and telephony toolkit. | | |
Family: | unix | Class: | patch |
Reference(s): | DSA-1525-1 CVE-2007-6430 CVE-2008-1332 CVE-2008-1333 | Version: | 5 |
Platform(s): | Debian GNU/Linux 4.0 | Product(s): | asterisk |
Definition Id: oval:org.mitre.oval:def:8002 | | | |
---|---|---|---|
Oval ID: | oval:org.mitre.oval:def:8002 | | |
Title: | DSA-1525 asterisk -- several vulnerabilities | | |
Description: | Several remote vulnerabilities have been discovered in Asterisk, a free software PBX and telephony toolkit. The Common Vulnerabilities and Exposures project identifies the following problems: Tilghman Lesher discovered that database-based registrations are insufficiently validated. This only affects setups that are configured to run without a password and with host-based authentication only. Jason Parker discovered that insufficient validation of From: headers inside the SIP channel driver may lead to authentication bypass and the potential external initiation of calls. This update also fixes a format string vulnerability, which can only be triggered through configuration files under control of the local administrator. In later releases of Asterisk this issue is remotely exploitable and tracked as CVE-2008-1333. The status of the old stable distribution (sarge) is currently being investigated. If affected, an update will be released through security.debian.org. | | |
Family: | unix | Class: | patch |
Reference(s): | DSA-1525 CVE-2007-6430 CVE-2008-1332 CVE-2008-1333 | Version: | 5 |
Platform(s): | Debian GNU/Linux 4.0 | Product(s): | asterisk |
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2009-02-16 | Name : Fedora Update for asterisk FEDORA-2008-2554 File : nvt/gb_fedora_2008_2554_asterisk_fc8.nasl |
2009-02-16 | Name : Fedora Update for asterisk FEDORA-2008-2620 File : nvt/gb_fedora_2008_2620_asterisk_fc7.nasl |
2008-09-24 | Name : Gentoo Security Advisory GLSA 200804-13 (asterisk) File : nvt/glsa_200804_13.nasl |
2008-03-27 | Name : Debian Security Advisory DSA 1525-1 (asterisk) File : nvt/deb_1525_1.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
43415 | Asterisk SIP Channel Driver Unauthenticated Call Remote Privilege Escalation |
43414 | Asterisk ast_verbose Logging API Manager command Format String |
39519 | Asterisk Host Based Registration Database Security Bypass |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2008-05-07 | Name : It is possible to bypass authentication and make calls using the remote VoIP ... File : asterisk_sip_auth_bypass.nasl - Type : ACT_ATTACK |
2008-04-17 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200804-13.nasl - Type : ACT_GATHER_INFO |
2008-04-17 | Name : The remote openSUSE host is missing a security update. File : suse_asterisk-5169.nasl - Type : ACT_GATHER_INFO |
2008-03-26 | Name : The remote Fedora host is missing a security update. File : fedora_2008-2554.nasl - Type : ACT_GATHER_INFO |
2008-03-26 | Name : The remote Fedora host is missing a security update. File : fedora_2008-2620.nasl - Type : ACT_GATHER_INFO |
2008-03-21 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1525.nasl - Type : ACT_GATHER_INFO |
2008-03-07 | Name : The remote openSUSE host is missing a security update. File : suse_asterisk-5062.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:27:27 | |