V-062: Asterisk Two Denial of Service Vulnerabilities

January 4, 2013 - 6:00am

PROBLEM:

Asterisk Two Denial of Service Vulnerabilities

PLATFORM:

The vulnerabilities are reported in versions 1.8.x, 10.x, and 11.x.

ABSTRACT:

Two vulnerabilities have been reported in Asterisk, which can be exploited by malicious users and malicious people to cause a DoS (Denial of Service).

REFERENCE LINKS:

Secunia Advisory SA51689
Asterisk Project Security Advisories
CVE-2012-5976 
CVE-2012-5977 

IMPACT ASSESSMENT:

Medium

DISCUSSION:

A remote user can send specially crafted data to consume excessive resources on the target system. Systems configured to allow anonymous calls are affected. A remote authenticated user can also exploit this via HTTP and XMPP.

IMPACT:

An error when handling TCP sessions can be exploited to cause a stack overflow and crash the service.

An error when handling device state caches can be exploited to consume excessive system resources.

SOLUTION:

Update to version 1.8.19.1, 10.11.1, or 11.1.1.
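To check an installation against the fixed releases listed above, the following added example (not part of the advisory) parses the banner printed by `asterisk -rx "core show version"` and compares the version tuple with the first fixed release of its branch; the branch-mapping rule and the sample banners are assumptions made here.

```python
import re

# First fixed release per affected branch, taken from the advisory's SOLUTION section.
FIXED = {
    "1.8": (1, 8, 19, 1),
    "10": (10, 11, 1),
    "11": (11, 1, 1),
}


def parse_version(banner):
    """Return the numeric version tuple from a 'core show version' banner, or None."""
    m = re.search(r"Asterisk\s+(\d+(?:\.\d+)+)", banner)
    if not m:
        return None  # e.g. SVN or certified builds that do not carry a plain version
    return tuple(int(part) for part in m.group(1).split("."))


def branch_of(version):
    """Map a version tuple to one of the advisory's branches (assumed rule)."""
    if version[:2] == (1, 8):
        return "1.8"
    if version[0] in (10, 11):
        return str(version[0])
    return None


def is_affected(banner):
    """True if the version is on an affected branch and older than the fix.

    Returns False when the version is at or above the fix, and None when the
    banner cannot be parsed or the branch is not covered by this advisory.
    """
    version = parse_version(banner)
    if version is None:
        return None
    branch = branch_of(version)
    if branch is None:
        return None
    # Tuple comparison handles shorter tuples: (1, 8, 19) < (1, 8, 19, 1).
    return version < FIXED[branch]


if __name__ == "__main__":
    # Constructed sample banner in the shape printed by 'core show version'.
    sample = "Asterisk 11.0.2 built by root @ pbx on a x86_64 running Linux"
    print(f"{sample!r}: affected={is_affected(sample)}")
```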