Executive Summary
Summary | |
---|---|
Title | asterisk security update |
Informations | |||
---|---|---|---|
Name | DSA-2367 | First vendor Publication | 2011-12-19 |
Vendor | Debian | Last vendor Modification | 2011-12-19 |
Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:P/I:N/A:N) | |||
---|---|---|---|
Cvss Base Score | 5 | Attack Range | Network |
Cvss Impact Score | 2.9 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Several vulnerabilities have been discovered in Asterisk, an Open Source PBX and telephony toolkit: CVE-2011-4597 Ben Williams discovered that it was possible to enumerate SIP user names in some configurations. Please see the upstream advisory for details: http://downloads.asterisk.org/pub/security/AST-2011-013.html This update only modifies the sample sip.conf configuration file. Please see README.Debian for more information on how to update your installation. CVE-2011-4598 Kristijan Vrban discovered that Asterisk can be crashed with malformed SIP packets if the "automon" feature is enabled. For the oldstable distribution (lenny), this problem has been fixed in version 1:1.4.21.2~dfsg-3+lenny6. For the stable distribution (squeeze), this problem has been fixed in version 1:1.6.2.9-2+squeeze4. For the unstable distribution (sid), this problem has been fixed in version 1:1.8.8.0~dfsg-1. We recommend that you upgrade your asterisk packages. |
Original Source
Url : http://www.debian.org/security/2011/dsa-2367 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-200 | Information Exposure |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:15029 | |||
Oval ID: | oval:org.mitre.oval:def:15029 | ||
Title: | DSA-2367-1 asterisk -- several | ||
Description: | Several vulnerabilities have been discovered in Asterisk, an Open Source PBX and telephony toolkit: CVE-2011-4597 Ben Williams discovered that it was possible to enumerate SIP user names in some configurations. Please see README.Debian for more information on how to update your installation. CVE-2011-4598 Kristijan Vrban discovered that Asterisk can be crashed with malformed SIP packets if the "automon" feature is enabled. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2367-1 CVE-2011-4597 CVE-2011-4598 | Version: | 7 |
Platform(s): | Debian GNU/Linux 5.0 Debian GNU/Linux 6.0 Debian GNU/kFreeBSD 6.0 | Product(s): | asterisk |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2012-04-02 | Name : Fedora Update for asterisk FEDORA-2012-4259 File : nvt/gb_fedora_2012_4259_asterisk_fc15.nasl |
2012-02-11 | Name : Debian Security Advisory DSA 2367-1 (asterisk) File : nvt/deb_2367_1.nasl |
0000-00-00 | Name : FreeBSD Ports: asterisk18 File : nvt/freebsd_asterisk180.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
77598 | Asterisk channels/chan_sip.c handle_request_info() Function SIP Packet Parsin... |
77597 | Asterisk Request Response Port SIP Peer Enumeration |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2012-04-02 | Name : The remote Fedora host is missing a security update. File : fedora_2012-4259.nasl - Type : ACT_GATHER_INFO |
2012-01-12 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2367.nasl - Type : ACT_GATHER_INFO |
2011-12-14 | Name : A telephony application running on the remote host is affected by multiple vu... File : asterisk_ast_2011_014.nasl - Type : ACT_GATHER_INFO |
2011-12-09 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_bb38913721fb11e189b4001ec9578670.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:30:39 |
|