PROBLEM:
Asterisk Two Denial of Service Vulnerabilities
PLATFORM:
The vulnerabilities are reported in versions 1.8.x, 10.x, and 11.x.
ABSTRACT:
Two vulnerabilities have been reported in Asterisk, which can be exploited by malicious users (authenticated) and malicious people (unauthenticated) to cause a DoS (Denial of Service).
REFERENCE LINKS:
Secunia Advisory SA51689
Asterisk Project Security Advisories AST-2012-014 and AST-2012-015
CVE-2012-5976
CVE-2012-5977
IMPACT ASSESSMENT:
Medium
DISCUSSION:
The two issues are separate. The first (CVE-2012-5977) lets a remote user send specially crafted data that makes the device state cache consume excessive resources on the target system; only systems configured to allow anonymous calls are affected. The second (CVE-2012-5976) is triggered by specially crafted data on a TCP session; a remote authenticated user can also exploit it via HTTP and XMPP.
IMPACT:
An error when handling TCP sessions (CVE-2012-5976) can be exploited to cause a stack overflow and crash the service; the outcome is a crash (denial of service), not code execution.
An error when handling device state caches (CVE-2012-5977) can be exploited to consume excessive system resources until the service becomes unusable.
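As an added example, not code from the Secunia advisory or the Asterisk project: a small audit script that parses sip.conf and http.conf and flags the exposure conditions described above, namely anonymous calls (allowguest), SIP over TCP/TLS (tcpenable, tlsenable) and the built-in HTTP server (enabled in http.conf). The sample configs are constructed; the defaults assumed when an option is absent (allowguest=yes, tcpenable=no, tlsenable=no, http enabled=no) are chan_sip's and http.conf's documented defaults; XMPP (res_jabber/res_xmpp) configuration is not audited. Tightening these settings reduces exposure but is no substitute for updating to a fixed release.

```python
"""
Added example (not part of the Secunia advisory or the Asterisk project):
audit sip.conf and http.conf for the exposure conditions the advisory names.
Options checked are real chan_sip / http.conf options: allowguest, tcpenable,
tlsenable (sip.conf [general]) and enabled (http.conf [general]).
"""
import re

_SECTION_RE = re.compile(r"\[([^\]]+)\]")          # [name], [name](!), [name](tpl)
_OPTION_RE = re.compile(r"([^=]+?)\s*=>?\s*(.*)")   # key=value or key => value


def parse_asterisk_conf(text):
    """Minimal parser for Asterisk's config dialect.

    Handles [section] headers (template markers are dropped), key=value and
    key => value, ';' comments and '#include' / '#exec' directives (ignored).
    Returns {section: {key: value}} with keys and values lower-cased; a
    repeated key keeps the last value.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop ';' comments
        if not line or line.startswith("#"):
            continue
        sec = _SECTION_RE.match(line)
        if sec:
            current = sec.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        opt = _OPTION_RE.match(line)
        if current is not None and opt:
            sections[current][opt.group(1).strip().lower()] = opt.group(2).strip().lower()
    return sections


def _enabled(value):
    return value in ("yes", "true", "on", "1")


def audit(sip_conf, http_conf):
    """Return one finding string per exposure condition that is present."""
    sip = parse_asterisk_conf(sip_conf).get("general", {})
    http = parse_asterisk_conf(http_conf).get("general", {})
    findings = []
    # Defaults assumed when an option is absent: chan_sip allows guest calls
    # unless told otherwise; TCP/TLS and the HTTP server are off by default.
    if _enabled(sip.get("allowguest", "yes")):
        findings.append("sip.conf: allowguest=yes (anonymous calls accepted; "
                        "device state cache exhaustion, CVE-2012-5977)")
    if _enabled(sip.get("tcpenable", "no")):
        findings.append("sip.conf: tcpenable=yes (SIP over TCP accepted; "
                        "TCP session stack overflow, CVE-2012-5976)")
    if _enabled(sip.get("tlsenable", "no")):
        findings.append("sip.conf: tlsenable=yes (TLS rides on TCP sessions; "
                        "TCP session stack overflow, CVE-2012-5976)")
    if _enabled(http.get("enabled", "no")):
        findings.append("http.conf: enabled=yes (built-in HTTP server exposed; "
                        "authenticated HTTP path to CVE-2012-5976)")
    return findings


# Constructed sample configs (not taken from any real deployment).
WEAK_SIP = """\
[general]
context=public
allowguest=yes        ; guest/anonymous calls land in [public]
tcpenable=yes
tlsenable=yes
bindport=5060

[office-phone](!)     ; template section
type=friend
host=dynamic

[1001](office-phone)
secret => not-a-real-secret
"""

HARDENED_SIP = """\
[general]
context=public
allowguest=no         ; only authenticated peers may place calls
tcpenable=no          ; UDP only until the fixed release is deployed
tlsenable=no
alwaysauthreject=yes  ; do not reveal which usernames exist

[1001]
type=friend
host=dynamic
secret => not-a-real-secret
"""

WEAK_HTTP = "[general]\nenabled=yes\nbindaddr=0.0.0.0\nbindport=8088\n"
HARDENED_HTTP = "[general]\nenabled=no\n"


if __name__ == "__main__":
    for label, sip, http in (("weak", WEAK_SIP, WEAK_HTTP),
                             ("hardened", HARDENED_SIP, HARDENED_HTTP)):
        findings = audit(sip, http)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Run it against the real files with `audit(open('/etc/asterisk/sip.conf').read(), open('/etc/asterisk/http.conf').read())`; an empty list means none of the audited exposure conditions is present, not that the installation is patched.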