Buffer overflow in Asterisk Open Source - CVE-2012-2416
Published: April 30, 2012 / Updated: July 28, 2020
Vulnerability identifier: #VU32791
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2012-2416
CWE-ID: CWE-119
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Digium (Linux Support Services)
Affected software:
Asterisk Open Source
Asterisk Open Source
Detailed vulnerability description
The vulnerability allows a remote #AU# to read and manipulate data.
chan_sip.c in the SIP channel driver in Asterisk Open Source 1.8.x before 1.8.11.1 and 10.x before 10.3.1 and Asterisk Business Edition C.3.x before C.3.7.4, when the trustrpid option is enabled, allows remote authenticated users to cause a denial of service (daemon crash) by sending a SIP UPDATE message that triggers a connected-line update attempt without an associated channel.
How to mitigate CVE-2012-2416
Install update from vendor's website.
Sources
- http://downloads.asterisk.org/pub/security/AST-2012-006.html
- http://lists.fedoraproject.org/pipermail/package-announce/2012-May/079759.html
- http://osvdb.org/81456
- http://secunia.com/advisories/48891
- http://www.securityfocus.com/bid/53205
- http://www.securitytracker.com/id?1026963
- https://exchange.xforce.ibmcloud.com/vulnerabilities/75101
- https://issues.asterisk.org/jira/browse/ASTERISK-19770