Vulnerabilities > CVE-2011-0495 - Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Digium Asterisk
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
SINGLE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
Stack-based buffer overflow in the ast_uri_encode function in main/utils.c in Asterisk Open Source before 1.4.38.1, 1.4.39.1, 1.6.1.21, 1.6.2.15.1, 1.6.2.16.1, 1.8.1.2, 1.8.2.; and Business Edition before C.3.6.2; when running in pedantic mode allows remote authenticated users to execute arbitrary code via crafted caller ID data in vectors involving the (1) SIP channel driver, (2) URIENCODE dialplan function, or (3) AGI dialplan function.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family Fedora Local Security Checks NASL id FEDORA_2011-0794.NASL description Update to 1.6.2.16.1 to fix CVE-2011-0495. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 51864 published 2011-02-04 reporter This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/51864 title Fedora 13 : asterisk-1.6.2.16.1-1.fc13 (2011-0794) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2011-0794. # include("compat.inc"); if (description) { script_id(51864); script_version("1.12"); script_cvs_date("Date: 2019/08/02 13:32:33"); script_cve_id("CVE-2011-0495"); script_xref(name:"FEDORA", value:"2011-0794"); script_name(english:"Fedora 13 : asterisk-1.6.2.16.1-1.fc13 (2011-0794)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: "Update to 1.6.2.16.1 to fix CVE-2011-0495. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=670777" ); # https://lists.fedoraproject.org/pipermail/package-announce/2011-February/053713.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?3527088b" ); script_set_attribute( attribute:"solution", value:"Update the affected asterisk package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:asterisk"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:13"); script_set_attribute(attribute:"patch_publication_date", value:"2011/01/26"); script_set_attribute(attribute:"plugin_publication_date", value:"2011/02/04"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^13([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 13.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC13", reference:"asterisk-1.6.2.16.1-1.fc13")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "asterisk"); }NASL family Fedora Local Security Checks NASL id FEDORA_2011-0774.NASL description Update to 1.6.2.16.1 to fix CVE-2011-0495 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 51863 published 2011-02-04 reporter This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/51863 title Fedora 14 : asterisk-1.6.2.16.1-1.fc14 (2011-0774) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2011-0774. # include("compat.inc"); if (description) { script_id(51863); script_version("1.12"); script_cvs_date("Date: 2019/08/02 13:32:33"); script_cve_id("CVE-2011-0495"); script_xref(name:"FEDORA", value:"2011-0774"); script_name(english:"Fedora 14 : asterisk-1.6.2.16.1-1.fc14 (2011-0774)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: "Update to 1.6.2.16.1 to fix CVE-2011-0495 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=670777" ); # https://lists.fedoraproject.org/pipermail/package-announce/2011-February/053689.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?6358f93f" ); script_set_attribute( attribute:"solution", value:"Update the affected asterisk package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:asterisk"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:14"); script_set_attribute(attribute:"patch_publication_date", value:"2011/01/26"); script_set_attribute(attribute:"plugin_publication_date", value:"2011/02/04"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^14([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 14.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC14", reference:"asterisk-1.6.2.16.1-1.fc14")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "asterisk"); }NASL family Debian Local Security Checks NASL id DEBIAN_DSA-2171.NASL description Matthew Nicholson discovered a buffer overflow in the SIP channel driver of Asterisk, an open source PBX and telephony toolkit, which could lead to the execution of arbitrary code. last seen 2020-03-17 modified 2011-02-22 plugin id 52055 published 2011-02-22 reporter This script is Copyright (C) 2011-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/52055 title Debian DSA-2171-1 : asterisk - buffer overflow code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-2171. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(52055); script_version("1.16"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12"); script_cve_id("CVE-2011-0495"); script_bugtraq_id(45839); script_xref(name:"DSA", value:"2171"); script_name(english:"Debian DSA-2171-1 : asterisk - buffer overflow"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Matthew Nicholson discovered a buffer overflow in the SIP channel driver of Asterisk, an open source PBX and telephony toolkit, which could lead to the execution of arbitrary code." ); script_set_attribute( attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=610487" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/squeeze/asterisk" ); script_set_attribute( attribute:"see_also", value:"https://www.debian.org/security/2011/dsa-2171" ); script_set_attribute( attribute:"solution", value: "Upgrade the asterisk packages. For the oldstable distribution (lenny), this problem has been fixed in version 1.4.21.2~dfsg-3+lenny2. For the stable distribution (squeeze), this problem has been fixed in version 1.6.2.9-2+squeeze1." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:asterisk"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:5.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:6.0"); script_set_attribute(attribute:"patch_publication_date", value:"2011/02/21"); script_set_attribute(attribute:"plugin_publication_date", value:"2011/02/22"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2011-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"5.0", prefix:"asterisk", reference:"1.4.21.2~dfsg-3+lenny2")) flag++; if (deb_check(release:"6.0", prefix:"asterisk", reference:"1.6.2.9-2+squeeze1")) flag++; if (deb_check(release:"6.0", prefix:"asterisk-config", reference:"1.6.2.9-2+squeeze1")) flag++; if (deb_check(release:"6.0", prefix:"asterisk-dbg", reference:"1.6.2.9-2+squeeze1")) flag++; if (deb_check(release:"6.0", prefix:"asterisk-dev", reference:"1.6.2.9-2+squeeze1")) flag++; if (deb_check(release:"6.0", prefix:"asterisk-doc", reference:"1.6.2.9-2+squeeze1")) flag++; if (deb_check(release:"6.0", prefix:"asterisk-h323", reference:"1.6.2.9-2+squeeze1")) flag++; if (deb_check(release:"6.0", prefix:"asterisk-sounds-main", reference:"1.6.2.9-2+squeeze1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Gain a shell remotely NASL id ASTERISK_AST_2011_001.NASL description Using a specially crafted caller ID string, an authenticated user placing an outgoing call through the remote Asterisk server can cause a buffer overflow leading to an application crash or execution of arbitrary code. Successful exploitation may require that the SIP channel driver is configured with the last seen 2020-06-01 modified 2020-06-02 plugin id 51644 published 2011-01-21 reporter This script is Copyright (C) 2011-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/51644 title Asterisk main/utils.c ast_uri_encode() CallerID Information Overflow (AST-2011-001) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(51644); script_version("1.17"); script_cvs_date("Date: 2018/06/27 18:42:25"); script_cve_id("CVE-2011-0495"); script_bugtraq_id(45839); script_xref(name:"Secunia", value:"42935"); script_name(english:"Asterisk main/utils.c ast_uri_encode() CallerID Information Overflow (AST-2011-001)"); script_summary(english:"Checks version in SIP banner"); script_set_attribute(attribute:"synopsis", value: "A telephony application running on the remote host is affected by a buffer overflow vulnerability."); script_set_attribute(attribute:"description", value: "Using a specially crafted caller ID string, an authenticated user placing an outgoing call through the remote Asterisk server can cause a buffer overflow leading to an application crash or execution of arbitrary code. Successful exploitation may require that the SIP channel driver is configured with the 'pedantic' option enabled."); script_set_attribute(attribute:"see_also", value:"http://downloads.asterisk.org/pub/security/AST-2011-001.html"); script_set_attribute(attribute:"solution", value: "Upgrade to Asterisk 1.4.38.1 / 1.4.39.1 / 1.6.1.21 / 1.6.2.15.1 / 1.6.2.16.1 / 1.8.1.2 / 1.8.2.2, Asterisk Business Edition C.3.6.2 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2011/01/11"); script_set_attribute(attribute:"patch_publication_date", value:"2011/01/18"); script_set_attribute(attribute:"plugin_publication_date", value:"2011/01/21"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:digium:asterisk"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Gain a shell remotely"); script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc."); script_dependencies("asterisk_detection.nasl"); script_require_keys("asterisk/sip_detected", "Settings/ParanoidReport"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); get_kb_item_or_exit("asterisk/sip_detected"); # see if we were able to get version info from the Asterisk SIP services asterisk_kbs = get_kb_list("sip/asterisk/*/version"); if (isnull(asterisk_kbs)) exit(1, "Could not obtain any version information from the Asterisk SIP instance(s)."); # Prevent potential false positives. if (report_paranoia < 2) audit(AUDIT_PARANOID); is_vuln = FALSE; not_vuln_installs = make_list(); errors = make_list(); foreach kb_name (keys(asterisk_kbs)) { vulnerable = 0; matches = eregmatch(pattern:"/(udp|tcp)/([0-9]+)/version", string:kb_name); if (isnull(matches)) { errors = make_list(errors, "Unexpected error parsing port number from kb name: "+kb_name); continue; } proto = matches[1]; port = matches[2]; version = asterisk_kbs[kb_name]; if (version == 'unknown') { errors = make_list(errors, "Unable to obtain version of install on " + proto + "/" + port); continue; } banner = get_kb_item("sip/asterisk/" + proto + "/" + port + "/source"); if (!banner) { # We have version but banner is missing; log error # and use in version-check though. errors = make_list(errors, "KB item 'sip/asterisk/" + proto + "/" + port + "/source' is missing"); banner = 'unknown'; } if (version =~ '^1\\.2([^0-9]|$)') { # No longer supported by vendor. fixed = "The 1.2 branch is no longer supported."; vulnerable = -1; } else if (version =~ '^1\\.4([^0-9]|$)') { if (version =~ '^1\\.4\\.38([^0-9]|$)') { fixed = "1.4.38.1"; vulnerable = ver_compare(ver:version, fix:fixed, app:"asterisk"); } else if (version =~ '^1\\.4\\.39([^0-9]|$)') { fixed = "1.4.39.1"; vulnerable = ver_compare(ver:version, fix:fixed, app:"asterisk"); } else { # Recommend lowest patched version in the 1.4 branch. fixed = "1.4.38.1"; vulnerable = ver_compare(ver:version, fix:"1.4.40", app:"asterisk"); } } else if (version =~ '^1\\.6([^0-9]|$)') { if (version =~ '^1\\.6\\.1([^0-9]|$)') { fixed = "1.6.1.21"; vulnerable = ver_compare(ver:version, fix:fixed, app:"asterisk"); } else if (version =~ '^1\\.6\\.2([^0-9]|$)') { if (version =~ '^1\\.6\\.2\\.15([^0-9]|$)') { fixed = "1.6.2.15.1"; vulnerable = ver_compare(ver:version, fix:fixed, app:"asterisk"); } else if (version =~ '^1\\.6\\.2\\.16([^0-9]|$)') { fixed = "1.6.2.16.1"; vulnerable = ver_compare(ver:version, fix:fixed, app:"asterisk"); } else { # Recommend lowest patched version in the 1.6.2 branch. fixed = "1.6.2.15.1"; vulnerable = ver_compare(ver:version, fix:"1.6.2.17", app:"asterisk"); } } else { # Recommend lowest patched version in the 1.6 branch. fixed = "1.6.1.21"; vulnerable = ver_compare(ver:version, fix:"1.6.3", app:"asterisk"); } } else if (version =~ '^1\\.8([^0-9]|$)') { if (version =~ '^1\\.8\\.1([^0-9]|$)') { fixed = "1.8.1.2"; vulnerable = ver_compare(ver:version, fix:fixed, app:"asterisk"); } else if (version =~ '^1\\.8\\.2([^0-9]|$)') { fixed = "1.8.2.2"; vulnerable = ver_compare(ver:version, fix:fixed, app:"asterisk"); } else { # Recommend lowest patched version in the 1.8 branch. fixed = "1.8.1.2"; vulnerable = ver_compare(ver:version, fix:"1.8.3", app:"asterisk"); } } else if (version =~ '^[A-Z]') { fixed = "C.3.6.2"; if (version[0] <= "B") { vulnerable = -1; } else if (version[0] > "C") { vulnerable = 1; } else { tmp_fixed = substr(fixed, 2); tmp_version = substr(version, 2); vulnerable = ver_compare(ver:tmp_version, fix:tmp_fixed, app:"asterisk"); } } if (vulnerable < 0) { is_vuln = TRUE; if (report_verbosity > 0) { report = '\n Version source : ' + banner + '\n Installed version : ' + version + '\n Fixed version : ' + fixed + '\n'; security_warning(port:port, proto:proto, extra:report); } else security_warning(port:port, proto:proto); } else not_vuln_installs = make_list(not_vuln_installs, version + " on port " + proto + "/" + port); } if (max_index(errors)) { if (max_index(errors) == 1) errmsg = errors[0]; else errmsg = 'Errors were encountered verifying installs : \n ' + join(errors, sep:'\n '); exit(1, errmsg); } else { installs = max_index(not_vuln_installs); if (installs == 0) { if (is_vuln) exit(0); else audit(AUDIT_NOT_INST, "Asterisk"); } else if (installs == 1) audit(AUDIT_INST_VER_NOT_VULN, "Asterisk " + not_vuln_installs[0]); else exit(0, "The Asterisk installs (" + join(not_vuln_installs, sep:", ") + ") are not affected."); }
References
- http://downloads.asterisk.org/pub/security/AST-2011-001.html
- http://downloads.asterisk.org/pub/security/AST-2011-001-1.6.2.diff
- http://lists.fedoraproject.org/pipermail/package-announce/2011-February/053689.html
- http://lists.fedoraproject.org/pipermail/package-announce/2011-February/053713.html
- http://osvdb.org/70518
- http://secunia.com/advisories/42935
- http://secunia.com/advisories/43119
- http://secunia.com/advisories/43373
- http://www.debian.org/security/2011/dsa-2171
- http://www.securityfocus.com/archive/1/515781/100/0/threaded
- http://www.securityfocus.com/bid/45839
- http://www.vupen.com/english/advisories/2011/0159
- http://www.vupen.com/english/advisories/2011/0281
- http://www.vupen.com/english/advisories/2011/0449
- https://exchange.xforce.ibmcloud.com/vulnerabilities/64831