NASLDB: Debian DSA-2493-1 : asterisk - denial of service
General
ID: 59771
Name: Debian DSA-2493-1 : asterisk – denial of service
Summary: Checks dpkg output for the updated package
Credits: –
Classification
Risk: –
CVSS: –
CVSS Base Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:P
CVSS Temporal Vector: –
Port: 0
Family: Debian Local Security Checks
Type: Local
Description
Several vulnerabilities were discovered in Asterisk, a PBX and
telephony toolkit.
– CVE-2012-2947
The IAX2 channel driver allows remote attackers to cause
a denial of service (daemon crash) by placing a call on
hold (when a certain mohinterpret setting is enabled).
– CVE-2012-2948
The Skinny channel driver allows remote authenticated
users to cause a denial of service (NULL pointer
dereference and daemon crash) by closing a connection in
off-hook mode.
In addition, it was discovered that Asterisk does not set the
alwaysauthreject option by default in the SIP channel driver. This
allows remote attackers to observe a difference in response behavior
and check for the presence of account names. (CVE-2011-2666) System
administrators concerned by this user enumerating vulnerability should
enable the alwaysauthreject option in the configuration. We do not
plan to change the default setting in the stable version (Asterisk
1.6) in order to preserve backwards compatibility.
Exploiting
Exploit Available: –
Exploitability Ease: –
Sources
CVE: CVE-2012-2947
OSVDB: –
Bugtraq: –
scipID: –
Timeline
Vulnerability Disclosure: –
Patch Release: 2012/06/12
Plugin Release: 2012/06/29
Plugin
Version: 1.1
Filename: debian_DSA-2493.nasl
Filesize: 4134 bytes
MD5 Hash: 68e175a68283e372173d001a201a1661
Identification: Host/local_checks_enabled
Require Keys: "Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"
Dependencies: "ssh_get_info.nasl"
Copyright: This script is © 2012 Tenable Network Security, Inc.