Vulnerability CVE-2012-2416


Published: 2012-04-30   Modified: 2012-05-01

Description:
chan_sip.c in the SIP channel driver in Asterisk Open Source 1.8.x before 1.8.11.1 and 10.x before 10.3.1 and Asterisk Business Edition C.3.x before C.3.7.4, when the trustrpid option is enabled, allows remote authenticated users to cause a denial of service (daemon crash) by sending a SIP UPDATE message that triggers a connected-line update attempt without an associated channel.

See advisories in our WLB2 database:
Topic
Author
Date
Med.
Asterisk SIP Channel Driver Remote Crash
Thomas Arimont
24.04.2012

Type:

CWE-119

(Improper Restriction of Operations within the Bounds of a Memory Buffer)

CVSS2 => (AV:N/AC:L/Au:S/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
6.5/10
6.4/10
8/10
Exploit range
Attack complexity
Authentication
Remote
Low
Single time
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial
Affected software
Asterisk -> Open source 

 References:
http://downloads.asterisk.org/pub/security/AST-2012-006.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/079759.html
http://osvdb.org/81456
http://www.securityfocus.com/bid/53205
http://www.securitytracker.com/id?1026963
https://exchange.xforce.ibmcloud.com/vulnerabilities/75101
https://issues.asterisk.org/jira/browse/ASTERISK-19770

Copyright 2022, cxsecurity.com

 

Back to Top