Asterisk Multiple Vulnerabilities
Last Update Date: 24 Apr 2012 11:20
Release Date: 24 Apr 2012
RISK: Medium Risk
TYPE: Servers - Other Servers
Multiple vulnerabilities have been identified in Asterisk. A remote authenticated user can exploit them to execute arbitrary code on the target system, cause denial of service conditions, and execute arbitrary shell commands through the Asterisk Manager interface.
- A remote user can send a specially crafted SIP UPDATE request to cause Asterisk to perform a connected line update with no associated channel and crash.
- A remote authenticated user can send specially crafted KEYPAD_BUTTON_MESSAGE event data to trigger a heap overflow in the Skinny channel driver and execute arbitrary code on the target system. The code will run with the privileges of the target service.
- A remote authenticated user on the Asterisk Manager interface can bypass a security check and execute shell commands.
Impact
- Denial of Service
- Remote Code Execution
System / Technologies affected
- Asterisk Open Source version 1.6.2.x, 1.8.x, 10.x
- Asterisk Business Edition version C.3.x
Solutions
Before installing the software, please visit the software vendor's website for more details.
- Asterisk Open Source - Upgrade to version 1.6.2.24, 1.8.11.1, 10.3.1
- Asterisk Business Edition - Upgrade to version C.3.7.4
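To decide whether an installed Asterisk Open Source build falls below the fixed releases listed above, the following added example (not part of the advisory and not Digium code) maps a version string to its advisory branch and compares it against the fix version; it assumes `asterisk -V` prints a line beginning with "Asterisk <version>", treats pre-release suffixes such as -rc1 as older than the final release, and does not handle Business Edition C.3.x version strings.

```python
import re
from typing import Optional

# Fixed releases for each affected branch, as listed in the advisory above.
FIXED_VERSIONS = {
    "1.6.2": "1.6.2.24",
    "1.8": "1.8.11.1",
    "10": "10.3.1",
}

# Dotted numeric version with an optional pre-release suffix (e.g. 10.3.1-rc1).
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(-(?:rc|beta|alpha)\d*)?")


def version_key(version: str) -> tuple:
    """Sortable key: four numeric components (zero-padded) plus a flag that
    ranks a pre-release (-rc1, -beta2) below the matching final release."""
    m = _VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised Asterisk version: {version!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (4 - len(parts))
    return tuple(parts[:4]) + ((0,) if m.group(2) else (1,))


def branch_of(version: str) -> Optional[str]:
    """Map a version to the advisory branch it belongs to, or None when the
    branch is not covered by this advisory (e.g. 1.4.x or 11.x)."""
    m = _VERSION_RE.fullmatch(version.strip())
    numeric = m.group(1) if m else ""
    for branch in sorted(FIXED_VERSIONS, key=len, reverse=True):
        if numeric == branch or numeric.startswith(branch + "."):
            return branch
    return None


def check_version(version: str) -> dict:
    """Report whether `version` is below the fix release for its branch.
    'affected' is None when the advisory says nothing about that branch."""
    branch = branch_of(version)
    if branch is None:
        return {"version": version, "branch": None, "affected": None, "fixed_in": None}
    fixed = FIXED_VERSIONS[branch]
    return {"version": version, "branch": branch,
            "affected": version_key(version) < version_key(fixed), "fixed_in": fixed}


def check_banner(banner: str) -> dict:
    """Check the first line of `asterisk -V` output (assumed: 'Asterisk <version> ...')."""
    m = re.match(r"Asterisk\s+(\S+)", banner.strip())
    if not m:
        raise ValueError(f"not an Asterisk version banner: {banner!r}")
    return check_version(m.group(1))


if __name__ == "__main__":
    # Constructed sample banners, not captured from a real system.
    for banner in ("Asterisk 1.8.11.0", "Asterisk 10.3.1-rc1", "Asterisk 1.6.2.24", "Asterisk 1.4.44"):
        print(banner, "->", check_banner(banner))
```

A branch the advisory does not list is reported as unknown rather than safe, since the page makes no statement about it.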