Executive Summary
This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
| Summary | |
|---|---|
| Title | asterisk security update |
| Informations | |||
|---|---|---|---|
| Name | DSA-2171 | First vendor Publication | 2011-02-21 |
| Vendor | Debian | Last vendor Modification | 2011-02-21 |
| Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:M/Au:S/C:P/I:P/A:P) | |||
|---|---|---|---|
| Cvss Base Score | 6 | Attack Range | Network |
| Cvss Impact Score | 6.4 | Attack Complexity | Medium |
| Cvss Expoit Score | 6.8 | Authentication | Requires single instance |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| Matthew Nicholson discovered a buffer overflow in the SIP channel driver of Asterisk, an open source PBX and telephony toolkit, which could lead to the execution of arbitrary code. For the oldstable distribution (lenny), this problem has been fixed in version 1.4.21.2~dfsg-3+lenny2. For the stable distribution (squeeze), this problem has been fixed in version 1.6.2.9-2+squeeze1. The unstable distribution (sid) will be fixed soon. We recommend that you upgrade your asterisk packages. |
Original Source
| Url : http://www.debian.org/security/2011/dsa-2171 |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 100 % | CWE-787 | Out-of-bounds Write (CWE/SANS Top 25) |
OVAL Definitions
| Definition Id: oval:org.mitre.oval:def:12470 | |||
| Oval ID: | oval:org.mitre.oval:def:12470 | ||
| Title: | DSA-2171-1 asterisk -- buffer overflow | ||
| Description: | Matthew Nicholson discovered a buffer overflow in the SIP channel driver of Asterisk, an open source PBX and telephony toolkit, which could lead to the execution of arbitrary code. | ||
| Family: | unix | Class: | patch |
| Reference(s): | DSA-2171-1 CVE-2011-0495 | Version: | 5 |
| Platform(s): | Debian GNU/Linux 5.0 Debian GNU/Linux 6.0 Debian GNU/kFreeBSD 6.0 | Product(s): | asterisk |
| Definition Synopsis: | |||
| |||
CPE : Common Platform Enumeration
OpenVAS Exploits
| Date | Description |
|---|---|
| 2011-03-09 | Name : Debian Security Advisory DSA 2171-1 (asterisk) File : nvt/deb_2171_1.nasl |
| 2011-02-04 | Name : Fedora Update for asterisk FEDORA-2011-0774 File : nvt/gb_fedora_2011_0774_asterisk_fc14.nasl |
| 2011-02-04 | Name : Fedora Update for asterisk FEDORA-2011-0794 File : nvt/gb_fedora_2011_0794_asterisk_fc13.nasl |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 70518 | Asterisk main/utils.c ast_uri_encode() Function Caller ID Information Overflow Asterisk is prone to an overflow condition. The 'ast_uri_encode' function in 'main/utils.c' fails to properly sanitize user-supplied input resulting in a stack-based buffer overflow. With a specially crafted caller ID data, a remote authenticated attacker can potentially execute arbitrary code. |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2011-02-22 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2171.nasl - Type : ACT_GATHER_INFO |
| 2011-02-04 | Name : The remote Fedora host is missing a security update. File : fedora_2011-0774.nasl - Type : ACT_GATHER_INFO |
| 2011-02-04 | Name : The remote Fedora host is missing a security update. File : fedora_2011-0794.nasl - Type : ACT_GATHER_INFO |
| 2011-01-21 | Name : A telephony application running on the remote host is affected by a buffer ov... File : asterisk_ast_2011_001.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2014-02-17 11:29:54 |
|
