Skip to main content

Asterisk Multiple Vulnerabilities

Last Update Date: 24 Apr 2012 11:20 Release Date: 24 Apr 2012 5218 Views

RISK: Medium Risk

TYPE: Servers - Other Servers

TYPE: Other Servers

Multiple vulnerabilities identified in Asterisk, which a remote authenticated user can execute arbitrary code on the target system, cause denial of service conditions, and execute arbitrary shell commands on Asterisk Manager interface.

  1. A remote user can send specially crafted SIP UPDATE request to cause Asterisk to perform a connected line update with no associated channel and crash.
  2. A remote authenticated user can send specially crafted KEYPAD_BUTTON_MESSAGE event data to trigger a heap overflow in the Skinny Channel Driver and execute arbitrary code on the target system. The code will run with the privileges of the target service.
  3. A remote authenticated user on the Asterisk Manager interface can bypass a security check and execute shell commands.
  4.  


Impact

  • Denial of Service
  • Remote Code Execution

System / Technologies affected

  • Asterisk Open Source version 1.6.2.x, 1.8x, 10.x
  • Asterisk Business Edition version  C.3.x

Solutions

Before installation of the software, please visit the software manufacturer web-site for more details.

  • Asterisk Open Source - Upgrade to version 1.6.2.24,1.8.11.1, 10.3.1
  • Asterisk Business Edition - Upgrade to version C.3.7.4

Vulnerability Identifier


Source


Related Link