Asterisk Multiple Vulnerabilities

Last Update Date: 24 Apr 2012 11:20 Release Date: 24 Apr 2012 5081 Views

RISK: Medium Risk

Medium Risk

TYPE: Servers - Other Servers

TYPE: Other Servers

Multiple vulnerabilities identified in Asterisk, which a remote authenticated user can execute arbitrary code on the target system, cause denial of service conditions, and execute arbitrary shell commands on Asterisk Manager interface.

  1. A remote user can send specially crafted SIP UPDATE request to cause Asterisk to perform a connected line update with no associated channel and crash.
  2. A remote authenticated user can send specially crafted KEYPAD_BUTTON_MESSAGE event data to trigger a heap overflow in the Skinny Channel Driver and execute arbitrary code on the target system. The code will run with the privileges of the target service.
  3. A remote authenticated user on the Asterisk Manager interface can bypass a security check and execute shell commands.

    4.  

Impact

  • Denial of Service
  • Remote Code Execution

System / Technologies affected

  • Asterisk Open Source version 1.6.2.x, 1.8x, 10.x
  • Asterisk Business Edition version  C.3.x

Solutions

Before installation of the software, please visit the software manufacturer web-site for more details.

  • Asterisk Open Source - Upgrade to version 1.6.2.24,1.8.11.1, 10.3.1
  • Asterisk Business Edition - Upgrade to version C.3.7.4

Vulnerability Identifier

Source

Related Link

Share with

Previous

WordPress external libraries Multiple Vulnerabilities

23 Apr 2012 5020 Views

Next

Mozilla Firefox / Thunderbird / SeaMonkey Multiple Vulnerabilities

25 Apr 2012 5066 Views

We use cookies to give you the best possible experience on our website. By continuing to browse this site, you give consent for cookies to be used. For more details please read our Cookie Policy.

PRIVACY POLICY