Vulnerability CVE-2008-1390


Published: 2008-03-24   Modified: 2012-02-12

Description:
The AsteriskGUI HTTP server in Asterisk Open Source 1.4.x before 1.4.19-rc3 and 1.6.x before 1.6.0-beta6, Business Edition C.x.x before C.1.6, AsteriskNOW before 1.0.2, Appliance Developer Kit before revision 104704, and s800i 1.0.x before 1.1.0.2 generates insufficiently random manager ID values, which makes it easier for remote attackers to hijack a manager session via a series of ID guesses.

See advisories in our WLB2 database:
Topic
Author
Date
High
HTTP Manager ID is predictable
Asterisk Securit...
25.03.2008

Type:

CWE-255

(Credentials Management)

CVSS2 => (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVSS Base Score
Impact Subscore
Exploitability Subscore
9.3/10
10/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
Complete
Complete
Complete
Affected software
Asterisk -> Asterisk 
Asterisk -> Asterisk appliance developer kit 
Asterisk -> Asterisk business edition 
Asterisk -> Asterisknow 
Asterisk -> S800i 

 References:
http://downloads.digium.com/pub/security/AST-2008-005.html
http://securityreason.com/securityalert/3764
http://www.securityfocus.com/archive/1/489819/100/0/threaded
http://www.securityfocus.com/bid/28316
http://www.securitytracker.com/id?1019679
https://exchange.xforce.ibmcloud.com/vulnerabilities/41304
https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00438.html
https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00514.html

Copyright 2024, cxsecurity.com

 

Back to Top