Vulnerabilities > CVE-2006-5445 - Remote Denial of Service vulnerability in Asterisk Chan_Sip.c
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
NONE Availability impact
COMPLETE Summary
Unspecified vulnerability in the SIP channel driver (channels/chan_sip.c) in Asterisk 1.2.x before 1.2.13 and 1.4.x before 1.4.0-beta3 allows remote attackers to cause a denial of service (resource consumption) via unspecified vectors that result in the creation of "a real pvt structure" that uses more resources than necessary. This vulnerability is addressed in the following product releases: Digium, Asterisk, 1.4.0-beta2 Digium, Asterisk, 1.2.13
Vulnerable Configurations
Nessus
NASL family SuSE Local Security Checks NASL id SUSE_ASTERISK-2272.NASL description This update fixes 2 security problem in the PBX software Asterisk. CVE-2006-5444: Integer overflow in the get_input function in the Skinny channel driver (chan_skinny.c) as used by Cisco SCCP phones, allows remote attackers to execute arbitrary code via a certain dlen value that passes a signed integer comparison and leads to a heap-based buffer overflow. CVE-2006-5445: A vulnerability in the SIP channel driver (channels/chan_sip.c) in Asterisk on SUSE Linux 10.1 allows remote attackers to cause a denial of service (resource consumption) via unspecified vectors that result in the creation of last seen 2020-06-01 modified 2020-06-02 plugin id 27156 published 2007-10-17 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/27156 title openSUSE 10 Security Update : asterisk (asterisk-2272) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update asterisk-2272. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(27156); script_version ("1.12"); script_cvs_date("Date: 2019/10/25 13:36:28"); script_cve_id("CVE-2006-5444", "CVE-2006-5445"); script_name(english:"openSUSE 10 Security Update : asterisk (asterisk-2272)"); script_summary(english:"Check for the asterisk-2272 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "This update fixes 2 security problem in the PBX software Asterisk. CVE-2006-5444: Integer overflow in the get_input function in the Skinny channel driver (chan_skinny.c) as used by Cisco SCCP phones, allows remote attackers to execute arbitrary code via a certain dlen value that passes a signed integer comparison and leads to a heap-based buffer overflow. CVE-2006-5445: A vulnerability in the SIP channel driver (channels/chan_sip.c) in Asterisk on SUSE Linux 10.1 allows remote attackers to cause a denial of service (resource consumption) via unspecified vectors that result in the creation of 'a real pvt structure' that uses more resources than necessary." ); script_set_attribute( attribute:"solution", value:"Update the affected asterisk package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:asterisk"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:10.1"); script_set_attribute(attribute:"patch_publication_date", value:"2006/11/15"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/10/17"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE10\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "10.1", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE10.1", reference:"asterisk-1.2.5-12.8") ) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "asterisk"); }NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200610-15.NASL description The remote host is affected by the vulnerability described in GLSA-200610-15 (Asterisk: Multiple vulnerabilities) Asterisk contains buffer overflows in channels/chan_mgcp.c from the MGCP driver and in channels/chan_skinny.c from the Skinny channel driver for Cisco SCCP phones. It also dangerously handles client-controlled variables to determine filenames in the Record() function. Finally, the SIP channel driver in channels/chan_sip.c could use more resources than necessary under unspecified circumstances. Impact : A remote attacker could execute arbitrary code by sending a crafted audit endpoint (AUEP) response, by sending an overly large Skinny packet even before authentication, or by making use of format strings specifiers through the client-controlled variables. An attacker could also cause a Denial of Service by resource consumption through the SIP channel driver. Workaround : There is no known workaround for the format strings vulnerability at this time. You can comment the lines in /etc/asterisk/mgcp.conf, /etc/asterisk/skinny.conf and /etc/asterisk/sip.conf to deactivate the three vulnerable channel drivers. Please note that the MGCP channel driver is disabled by default. last seen 2020-06-01 modified 2020-06-02 plugin id 22930 published 2006-10-31 reporter This script is Copyright (C) 2006-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/22930 title GLSA-200610-15 : Asterisk: Multiple vulnerabilities code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Gentoo Linux Security Advisory GLSA 200610-15. # # The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc. # and licensed under the Creative Commons - Attribution / Share Alike # license. See http://creativecommons.org/licenses/by-sa/3.0/ # include("compat.inc"); if (description) { script_id(22930); script_version("1.14"); script_cvs_date("Date: 2019/08/02 13:32:43"); script_cve_id("CVE-2006-4345", "CVE-2006-4346", "CVE-2006-5444", "CVE-2006-5445"); script_xref(name:"GLSA", value:"200610-15"); script_name(english:"GLSA-200610-15 : Asterisk: Multiple vulnerabilities"); script_summary(english:"Checks for updated package(s) in /var/db/pkg"); script_set_attribute( attribute:"synopsis", value: "The remote Gentoo host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "The remote host is affected by the vulnerability described in GLSA-200610-15 (Asterisk: Multiple vulnerabilities) Asterisk contains buffer overflows in channels/chan_mgcp.c from the MGCP driver and in channels/chan_skinny.c from the Skinny channel driver for Cisco SCCP phones. It also dangerously handles client-controlled variables to determine filenames in the Record() function. Finally, the SIP channel driver in channels/chan_sip.c could use more resources than necessary under unspecified circumstances. Impact : A remote attacker could execute arbitrary code by sending a crafted audit endpoint (AUEP) response, by sending an overly large Skinny packet even before authentication, or by making use of format strings specifiers through the client-controlled variables. An attacker could also cause a Denial of Service by resource consumption through the SIP channel driver. Workaround : There is no known workaround for the format strings vulnerability at this time. You can comment the lines in /etc/asterisk/mgcp.conf, /etc/asterisk/skinny.conf and /etc/asterisk/sip.conf to deactivate the three vulnerable channel drivers. Please note that the MGCP channel driver is disabled by default." ); script_set_attribute( attribute:"see_also", value:"https://security.gentoo.org/glsa/200610-15" ); script_set_attribute( attribute:"solution", value: "All Asterisk users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=net-misc/asterisk-1.2.13'" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:asterisk"); script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux"); script_set_attribute(attribute:"patch_publication_date", value:"2006/10/30"); script_set_attribute(attribute:"plugin_publication_date", value:"2006/10/31"); script_set_attribute(attribute:"vuln_publication_date", value:"2006/08/23"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc."); script_family(english:"Gentoo Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("qpkg.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo"); if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (qpkg_check(package:"net-misc/asterisk", unaffected:make_list("ge 1.2.13", "rge 1.0.12"), vulnerable:make_list("lt 1.2.13", "lt 1.0.12"))) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get()); else security_hole(0); exit(0); } else { tested = qpkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Asterisk"); }NASL family SuSE Local Security Checks NASL id SUSE_SA_2006_069.NASL description The remote host is missing the patch for the advisory SUSE-SA:2006:069 (asterisk). Two security problem have been found and fixed in the PBX software Asterisk. CVE-2006-5444: Integer overflow in the get_input function in the Skinny channel driver (chan_skinny.c) as used by Cisco SCCP phones, allows remote attackers to potentially execute arbitrary code via a certain dlen value that passes a signed integer comparison and leads to a heap-based buffer overflow. CVE-2006-5445: A vulnerability in the SIP channel driver (channels/chan_sip.c) in Asterisk on SUSE Linux 10.1 allows remote attackers to cause a denial of service (resource consumption) via unspecified vectors that result in the creation of last seen 2019-10-28 modified 2007-02-18 plugin id 24446 published 2007-02-18 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/24446 title SUSE-SA:2006:069: asterisk code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # This plugin text was extracted from SuSE Security Advisory SUSE-SA:2006:069 # if ( ! defined_func("bn_random") ) exit(0); include("compat.inc"); if(description) { script_id(24446); script_version ("1.9"); name["english"] = "SUSE-SA:2006:069: asterisk"; script_name(english:name["english"]); script_set_attribute(attribute:"synopsis", value: "The remote host is missing a vendor-supplied security patch" ); script_set_attribute(attribute:"description", value: "The remote host is missing the patch for the advisory SUSE-SA:2006:069 (asterisk). Two security problem have been found and fixed in the PBX software Asterisk. CVE-2006-5444: Integer overflow in the get_input function in the Skinny channel driver (chan_skinny.c) as used by Cisco SCCP phones, allows remote attackers to potentially execute arbitrary code via a certain dlen value that passes a signed integer comparison and leads to a heap-based buffer overflow. CVE-2006-5445: A vulnerability in the SIP channel driver (channels/chan_sip.c) in Asterisk on SUSE Linux 10.1 allows remote attackers to cause a denial of service (resource consumption) via unspecified vectors that result in the creation of 'a real pvt structure' that uses more resources than necessary." ); script_set_attribute(attribute:"solution", value: "http://www.novell.com/linux/security/advisories/2006_69_asterisk.html" ); script_set_attribute(attribute:"risk_factor", value:"High" ); script_set_attribute(attribute:"plugin_publication_date", value: "2007/02/18"); script_end_attributes(); summary["english"] = "Check for the version of the asterisk package"; script_summary(english:summary["english"]); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc."); family["english"] = "SuSE Local Security Checks"; script_family(english:family["english"]); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/SuSE/rpm-list"); exit(0); } include("rpm.inc"); if ( rpm_check( reference:"asterisk-1.0.9-4.6", release:"SUSE10.0") ) { security_hole(0); exit(0); } if ( rpm_check( reference:"asterisk-1.0.6-4.6", release:"SUSE9.3") ) { security_hole(0); exit(0); }
References
- http://ftp.digium.com/pub/asterisk/releases/ChangeLog-1.2.13
- http://secunia.com/advisories/22651
- http://secunia.com/advisories/22979
- http://www.asterisk.org/node/109
- http://www.asterisk.org/node/110
- http://www.gentoo.org/security/en/glsa/glsa-200610-15.xml
- http://www.novell.com/linux/security/advisories/2006_69_asterisk.html
- http://www.osvdb.org/29973
- http://www.securityfocus.com/archive/1/449183/100/0/threaded
- http://www.securityfocus.com/bid/20835
- http://www.vupen.com/english/advisories/2006/4098
- https://exchange.xforce.ibmcloud.com/vulnerabilities/29664