Executive Summary
Summary | |
---|---|
Title | asterisk security update |
Informations | |||
---|---|---|---|
Name | DSA-2493 | First vendor Publication | 2012-06-12 |
Vendor | Debian | Last vendor Modification | 2012-06-12 |
Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:P/I:N/A:N) | |||
---|---|---|---|
Cvss Base Score | 5 | Attack Range | Network |
Cvss Impact Score | 2.9 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Several vulnerabilities were discovered in Asterisk, a PBX and telephony toolkit. CVE-2012-2947 The IAX2 channel driver allows remote attackers to cause a denial of service (daemon crash) by placing a call on hold (when a certain mohinterpret setting is enabled). CVE-2012-2948 The Skinny channel driver allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) by closing a connection in off-hook mode. In addition, it was discovered that Asterisk does not set the alwaysauthreject option by default in the SIP channel driver. This allows remote attackers to observe a difference in response behavior and check for the presence of account names. (CVE-2011-2666) System administrators concerned by this user enumerating vulnerability should enable the alwaysauthreject option in the configuration. We do not plan to change the default setting in the stable version (Asterisk 1.6) in order to preserve backwards compatibility. For the stable distribution (squeeze), this problem has been fixed in version 1:1.6.2.9-2+squeeze6. For the testing distribution (wheezy) and the unstable distribution (sid), this problem has been fixed in version 1:1.8.13.0~dfsg-1. We recommend that you upgrade your asterisk packages. |
Original Source
Url : http://www.debian.org/security/2012/dsa-2493 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
33 % | CWE-399 | Resource Management Errors |
33 % | CWE-284 | Access Control (Authorization) Issues |
33 % | CWE-16 | Configuration |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:18445 | |||
Oval ID: | oval:org.mitre.oval:def:18445 | ||
Title: | DSA-2493-1 asterisk - denial of service | ||
Description: | Several vulnerabilities were discovered in Asterisk, a PBX and telephony toolkit. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2493-1 CVE-2012-2947 CVE-2012-2948 CVE-2011-2666 | Version: | 5 |
Platform(s): | Debian GNU/Linux 6.0 Debian GNU/kFreeBSD 6.0 | Product(s): | asterisk |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2012-08-30 | Name : Fedora Update for asterisk FEDORA-2012-8670 File : nvt/gb_fedora_2012_8670_asterisk_fc17.nasl |
2012-08-10 | Name : Debian Security Advisory DSA 2493-1 (asterisk) File : nvt/deb_2493_1.nasl |
2012-08-10 | Name : FreeBSD Ports: asterisk10 File : nvt/freebsd_asterisk10.nasl |
2012-08-10 | Name : Gentoo Security Advisory GLSA 201206-05 (Asterisk) File : nvt/glsa_201206_05.nasl |
2012-06-19 | Name : Fedora Update for asterisk FEDORA-2012-8685 File : nvt/gb_fedora_2012_8685_asterisk_fc15.nasl |
2012-06-19 | Name : Fedora Update for asterisk FEDORA-2012-8692 File : nvt/gb_fedora_2012_8692_asterisk_fc16.nasl |
2012-05-31 | Name : FreeBSD Ports: asterisk16 File : nvt/freebsd_asterisk161.nasl |
2012-02-12 | Name : Gentoo Security Advisory GLSA 201110-21 (Asterisk) File : nvt/glsa_201110_21.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
74352 | Asterisk SIP Channel Driver Default Configuration Invalid SIP Request Usernam... |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2012-06-29 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2493.nasl - Type : ACT_GATHER_INFO |
2012-06-21 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201206-05.nasl - Type : ACT_GATHER_INFO |
2012-06-18 | Name : The remote Fedora host is missing a security update. File : fedora_2012-8685.nasl - Type : ACT_GATHER_INFO |
2012-06-18 | Name : The remote Fedora host is missing a security update. File : fedora_2012-8692.nasl - Type : ACT_GATHER_INFO |
2012-06-14 | Name : A telephony application running on the remote host is affected by a denial of... File : asterisk_ast_2012_007.nasl - Type : ACT_GATHER_INFO |
2012-06-14 | Name : A telephony application running on the remote host is affected by a denial of... File : asterisk_ast_2012_008.nasl - Type : ACT_GATHER_INFO |
2012-06-11 | Name : The remote Fedora host is missing a security update. File : fedora_2012-8670.nasl - Type : ACT_GATHER_INFO |
2012-05-30 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_359f615da9e111e18a6614dae9ebcf89.nasl - Type : ACT_GATHER_INFO |
2011-11-22 | Name : A telephony application running on the remote host is affected by an informat... File : asterisk_ast_2011_011.nasl - Type : ACT_GATHER_INFO |
2011-10-25 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201110-21.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:31:09 |
|