Executive Summary
Summary | |
---|---|
Title | Asterisk: Multiple vulnerabilities |
Informations | |||
---|---|---|---|
Name | GLSA-201006-20 | First vendor Publication | 2010-06-04 |
Vendor | Gentoo | Last vendor Modification | 2010-06-04 |
Severity (Vendor) | Normal | Revision | N/A |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:N/I:N/A:C) | |||
---|---|---|---|
Cvss Base Score | 7.8 | Attack Range | Network |
Cvss Impact Score | 6.9 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Synopsis Multiple vulnerabilities in Asterisk might allow remote attackers to cause a Denial of Service condition, or conduct other attacks. Background Description * Nick Baggott reported that Asterisk does not properly process overly long ASCII strings in various packets (CVE-2009-2726). * Noam Rathaus and Blake Cornell reported a flaw in the IAX2 protocol implementation (CVE-2009-2346). * amorsen reported an input processing error in the RTP protocol implementation (CVE-2009-4055). * Patrik Karlsson reported an information disclosure flaw related to the REGISTER message (CVE-2009-3727). * A vulnerability was found in the bundled Prototype JavaScript library, related to AJAX calls (CVE-2008-7220). Impact Workaround Resolution NOTE: This is a legacy GLSA. Updates for all affected architectures are available since January 5, 2010. It is likely that your system is already no longer affected by this issue. References Availability http://security.gentoo.org/glsa/glsa-201006-20.xml |
Original Source
Url : http://security.gentoo.org/glsa/glsa-201006-20.xml |
CAPEC : Common Attack Pattern Enumeration & Classification
Id | Name |
---|---|
CAPEC-2 | Inducing Account Lockout |
CAPEC-82 | Violating Implicit Assumptions Regarding XML Content (aka XML Denial of Servi... |
CAPEC-99 | XML Parser Attack |
CAPEC-119 | Resource Depletion |
CAPEC-121 | Locate and Exploit Test APIs |
CAPEC-125 | Resource Depletion through Flooding |
CAPEC-130 | Resource Depletion through Allocation |
CAPEC-147 | XML Ping of Death |
CAPEC-197 | XEE (XML Entity Expansion) |
CAPEC-227 | Denial of Service through Resource Depletion |
CAPEC-228 | Resource Depletion through DTD Injection in a SOAP Message |
CAPEC-229 | XML Attribute Blowup |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
33 % | CWE-770 | Allocation of Resources Without Limits or Throttling |
33 % | CWE-200 | Information Exposure |
33 % | CWE-119 | Failure to Constrain Operations within the Bounds of a Memory Buffer |
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2011-03-09 | Name : Gentoo Security Advisory GLSA 201006-20 (asterisk) File : nvt/glsa_201006_20.nasl |
2010-04-06 | Name : Fedora Update for asterisk FEDORA-2010-3381 File : nvt/gb_fedora_2010_3381_asterisk_fc12.nasl |
2010-03-31 | Name : Fedora Update for asterisk FEDORA-2010-3724 File : nvt/gb_fedora_2010_3724_asterisk_fc11.nasl |
2009-12-30 | Name : Debian Security Advisory DSA 1952-1 (asterisk) File : nvt/deb_1952_1.nasl |
2009-12-30 | Name : Fedora Core 11 FEDORA-2009-12506 (asterisk) File : nvt/fcore_2009_12506.nasl |
2009-12-30 | Name : Fedora Core 12 FEDORA-2009-12517 (asterisk) File : nvt/fcore_2009_12517.nasl |
2009-12-14 | Name : Fedora Core 10 FEDORA-2009-12461 (asterisk) File : nvt/fcore_2009_12461.nasl |
2009-12-03 | Name : Fedora Core 11 FEDORA-2009-11070 (asterisk) File : nvt/fcore_2009_11070.nasl |
2009-12-03 | Name : Fedora Core 10 FEDORA-2009-11126 (asterisk) File : nvt/fcore_2009_11126.nasl |
2009-12-01 | Name : Asterisk RTP Comfort Noise Processing Remote Denial of Service Vulnerability File : nvt/asterisk_37153.nasl |
2009-11-10 | Name : Asterisk SIP Response Username Enumeration Remote Information Disclosure Vuln... File : nvt/asterisk_36924.nasl |
2009-09-28 | Name : Fedora Core 10 FEDORA-2009-9374 (asterisk) File : nvt/fcore_2009_9374.nasl |
2009-09-28 | Name : Fedora Core 11 FEDORA-2009-9405 (asterisk) File : nvt/fcore_2009_9405.nasl |
2009-09-18 | Name : Asterisk IAX2 Call Number Exhaustion DOS Vulnerability (Linux) File : nvt/secpod_asterisk_iax2_call_number_dos_vuln.nasl |
2009-09-02 | Name : Asterisk SIP Channel Driver Denial Of Service Vulnerability (Linux) File : nvt/secpod_asterisk_sip_channel_driver_dos_vuln.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
60569 | Asterisk rtp.c RTP Comfort Noise Payload Remote DoS |
59697 | Asterisk SIP REGISTER Response Username Enumeration Weakness Asterisk contains a flaw that may allow an attacker to determine valid usernames. The issue is triggered when different responses are being sent using a valid or an invalid username in 'REGISTER' messages. This can be exploited to determine valid usernames by sending a specially crafted 'REGISTER' message. . |
57762 | Asterisk IAX2 Call Number Resource Exhaustion Remote DoS |
56991 | Asterisk Multiple Function Maximum Width Handling Remote DoS Asterisk contains a flaw that may allow a remote denial of service. The issue is triggered when a malicious user forces invocation of sscanf() functions which do not specify a maximum width, and will result in loss of availability for the service. |
46312 | Prototype JavaScript Framework prototype.js Cross-site Ajax Request Unspecifi... |
Snort® IPS/IDS
Date | Description |
---|---|
2014-01-10 | Digium Asterisk RTP comfort noise denial of service attempt RuleID : 24270 - Revision : 3 - Type : PROTOCOL-VOIP |
2014-01-10 | Digium Asterisk IAX2 call number denial of service RuleID : 21608 - Revision : 4 - Type : PROTOCOL-VOIP |
2014-01-10 | CSeq buffer overflow attempt RuleID : 16351 - Revision : 11 - Type : PROTOCOL-VOIP |
2014-01-10 | Digium Asterisk SIP sscanf denial of service attempt RuleID : 16212 - Revision : 2 - Type : DOS |
2014-01-10 | Digium Asterisk SIP sscanf denial of service attempt RuleID : 16211 - Revision : 2 - Type : DOS |
2014-01-10 | Digium Asterisk SIP sscanf denial of service attempt RuleID : 16210 - Revision : 2 - Type : DOS |
2014-01-10 | CSeq buffer overflow attempt RuleID : 11971 - Revision : 8 - Type : PROTOCOL-VOIP |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2010-06-04 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201006-20.nasl - Type : ACT_GATHER_INFO |
2010-02-24 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1952.nasl - Type : ACT_GATHER_INFO |
2009-12-22 | Name : The remote Fedora host is missing a security update. File : fedora_2009-12506.nasl - Type : ACT_GATHER_INFO |
2009-12-22 | Name : The remote Fedora host is missing a security update. File : fedora_2009-12517.nasl - Type : ACT_GATHER_INFO |
2009-12-14 | Name : The remote Fedora host is missing a security update. File : fedora_2009-12461.nasl - Type : ACT_GATHER_INFO |
2009-11-25 | Name : The remote Fedora host is missing a security update. File : fedora_2009-11070.nasl - Type : ACT_GATHER_INFO |
2009-11-25 | Name : The remote Fedora host is missing a security update. File : fedora_2009-11126.nasl - Type : ACT_GATHER_INFO |
2009-09-28 | Name : The remote Fedora host is missing a security update. File : fedora_2009-9374.nasl - Type : ACT_GATHER_INFO |
2009-09-28 | Name : The remote Fedora host is missing a security update. File : fedora_2009-9405.nasl - Type : ACT_GATHER_INFO |
2009-09-08 | Name : The remote VoIP service is susceptible to a denial of service attack. File : asterisk_iax2_call_number_dos.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:36:54 |
|