Vulnerabilities > CVE-2011-1174 - Resource Management Errors vulnerability in Digium Asterisk
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
NONE Availability impact
PARTIAL Summary
manager.c in Asterisk Open Source 1.6.1.x before 1.6.1.24, 1.6.2.x before 1.6.2.17.2, and 1.8.x before 1.8.3.2 allows remote attackers to cause a denial of service (CPU and memory consumption) via a series of manager sessions involving invalid data.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family Debian Local Security Checks NASL id DEBIAN_DSA-2225.NASL description Several vulnerabilities have been discovered in Asterisk, an Open Source PBX and telephony toolkit. - CVE-2011-1147 Matthew Nicholson discovered that incorrect handling of UDPTL packets may lead to denial of service or the execution of arbitrary code. - CVE-2011-1174 Blake Cornell discovered that incorrect connection handling in the manager interface may lead to denial of service. - CVE-2011-1175 Blake Cornell and Chris May discovered that incorrect TCP connection handling may lead to denial of service. - CVE-2011-1507 Tzafrir Cohen discovered that insufficient limitation of connection requests in several TCP based services may lead to denial of service. Please see AST-2011-005 for details. - CVE-2011-1599 Matthew Nicholson discovered a privilege escalation vulnerability in the manager interface. last seen 2020-03-17 modified 2011-04-27 plugin id 53558 published 2011-04-27 reporter This script is Copyright (C) 2011-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/53558 title Debian DSA-2225-1 : asterisk - several vulnerabilities code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-2225. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(53558); script_version("1.14"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12"); script_cve_id("CVE-2011-1147", "CVE-2011-1174", "CVE-2011-1175", "CVE-2011-1507", "CVE-2011-1599"); script_bugtraq_id(46474, 46897, 46898, 47537); script_xref(name:"DSA", value:"2225"); script_name(english:"Debian DSA-2225-1 : asterisk - several vulnerabilities"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Several vulnerabilities have been discovered in Asterisk, an Open Source PBX and telephony toolkit. - CVE-2011-1147 Matthew Nicholson discovered that incorrect handling of UDPTL packets may lead to denial of service or the execution of arbitrary code. - CVE-2011-1174 Blake Cornell discovered that incorrect connection handling in the manager interface may lead to denial of service. - CVE-2011-1175 Blake Cornell and Chris May discovered that incorrect TCP connection handling may lead to denial of service. - CVE-2011-1507 Tzafrir Cohen discovered that insufficient limitation of connection requests in several TCP based services may lead to denial of service. Please see AST-2011-005 for details. - CVE-2011-1599 Matthew Nicholson discovered a privilege escalation vulnerability in the manager interface." ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2011-1147" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2011-1174" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2011-1175" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2011-1507" ); script_set_attribute( attribute:"see_also", value:"http://downloads.asterisk.org/pub/security/AST-2011-005.html" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2011-1599" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/squeeze/asterisk" ); script_set_attribute( attribute:"see_also", value:"https://www.debian.org/security/2011/dsa-2225" ); script_set_attribute( attribute:"solution", value: "Upgrade the asterisk packages. For the oldstable distribution (lenny), this problem has been fixed in version 1:1.4.21.2~dfsg-3+lenny2.1. For the stable distribution (squeeze), this problem has been fixed in version 1:1.6.2.9-2+squeeze2." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:asterisk"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:5.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:6.0"); script_set_attribute(attribute:"patch_publication_date", value:"2011/04/25"); script_set_attribute(attribute:"plugin_publication_date", value:"2011/04/27"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2011-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"5.0", prefix:"asterisk", reference:"1:1.4.21.2~dfsg-3+lenny2.1")) flag++; if (deb_check(release:"6.0", prefix:"asterisk", reference:"1:1.6.2.9-2+squeeze2")) flag++; if (deb_check(release:"6.0", prefix:"asterisk-config", reference:"1:1.6.2.9-2+squeeze2")) flag++; if (deb_check(release:"6.0", prefix:"asterisk-dbg", reference:"1:1.6.2.9-2+squeeze2")) flag++; if (deb_check(release:"6.0", prefix:"asterisk-dev", reference:"1:1.6.2.9-2+squeeze2")) flag++; if (deb_check(release:"6.0", prefix:"asterisk-doc", reference:"1:1.6.2.9-2+squeeze2")) flag++; if (deb_check(release:"6.0", prefix:"asterisk-h323", reference:"1:1.6.2.9-2+squeeze2")) flag++; if (deb_check(release:"6.0", prefix:"asterisk-sounds-main", reference:"1:1.6.2.9-2+squeeze2")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Denial of Service NASL id ASTERISK_AST_2011_003.NASL description According to the version in its SIP banner, the version of Asterisk running on the remote host may be affected by multiple denial of service vulnerabilities : - A resource exhaustion issue exists in the Asterisk manager interface. - A NULL pointer dereference issue exists in the TCP/TLS server. last seen 2020-06-01 modified 2020-06-02 plugin id 52714 published 2011-03-18 reporter This script is Copyright (C) 2011-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/52714 title Asterisk Multiple Denial of Service Vulnerabilities (AST-2011-003 / AST-2011-004) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(52714); script_version("1.18"); script_cvs_date("Date: 2018/06/27 18:42:25"); script_cve_id("CVE-2011-1174", "CVE-2011-1175"); script_bugtraq_id(46897, 46898); script_xref(name:"Secunia", value:"43722"); script_name(english:"Asterisk Multiple Denial of Service Vulnerabilities (AST-2011-003 / AST-2011-004)"); script_summary(english:"Checks version in SIP banner"); script_set_attribute(attribute:"synopsis", value: "A telephony application running on the remote host is affected by multiple denial of service vulnerabilities."); script_set_attribute(attribute:"description", value: "According to the version in its SIP banner, the version of Asterisk running on the remote host may be affected by multiple denial of service vulnerabilities : - A resource exhaustion issue exists in the Asterisk manager interface. - A NULL pointer dereference issue exists in the TCP/TLS server."); script_set_attribute(attribute:"see_also", value:"http://downloads.asterisk.org/pub/security/AST-2011-003.html"); script_set_attribute(attribute:"see_also", value:"http://downloads.asterisk.org/pub/security/AST-2011-004.html"); # http://web.archive.org/web/20110823054112/http://www.asterisk.org/node/51596 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3ecf62e4"); script_set_attribute(attribute:"solution", value:"Upgrade to Asterisk 1.6.1.24 / 1.6.2.17.2 / 1.8.3.2 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2011/03/16"); script_set_attribute(attribute:"patch_publication_date", value:"2011/03/17"); script_set_attribute(attribute:"plugin_publication_date", value:"2011/03/18"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:digium:asterisk"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Denial of Service"); script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc."); script_dependencies("asterisk_detection.nasl"); script_require_keys("asterisk/sip_detected", "Settings/ParanoidReport"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); get_kb_item_or_exit("asterisk/sip_detected"); # see if we were able to get version info from the Asterisk SIP services asterisk_kbs = get_kb_list("sip/asterisk/*/version"); if (isnull(asterisk_kbs)) exit(1, "Could not obtain any version information from the Asterisk SIP instance(s)."); # Prevent potential false positives. if (report_paranoia < 2) audit(AUDIT_PARANOID); is_vuln = FALSE; not_vuln_installs = make_list(); errors = make_list(); foreach kb_name (keys(asterisk_kbs)) { vulnerable = 0; matches = eregmatch(pattern:"/(udp|tcp)/([0-9]+)/version", string:kb_name); if (isnull(matches)) { errors = make_list(errors, "Unexpected error parsing port number from kb name: "+kb_name); continue; } proto = matches[1]; port = matches[2]; version = asterisk_kbs[kb_name]; if (version == 'unknown') { errors = make_list(errors, "Unable to obtain version of install on " + proto + "/" + port); continue; } banner = get_kb_item("sip/asterisk/" + proto + "/" + port + "/source"); if (!banner) { # We have version but banner is missing; log error # and use in version-check though. errors = make_list(errors, "KB item 'sip/asterisk/" + proto + "/" + port + "/source' is missing"); banner = 'unknown'; } if (version =~ '^1\\.6([^0-9]|$)') { if (version =~ '^1\\.6\\.1([^0-9]|$)') { fixed = "1.6.1.24"; vulnerable = ver_compare(ver:version, fix:fixed, app:"asterisk"); } else if (version =~ '^1\\.6\\.2([^0-9]|$)') { fixed = "1.6.2.17.2"; if (version =~ '^1\\.6\\.2\\.17([^0-9]|$)') vulnerable = ver_compare(ver:version, fix:fixed, app:"asterisk"); else vulnerable = ver_compare(ver:version, fix:"1.6.2.17", app:"asterisk"); } } else if (version =~ '^1\\.8([^0-9]|$)') { fixed = "1.8.3.2"; vulnerable = ver_compare(ver:version, fix:fixed, app:"asterisk"); } if (vulnerable < 0) { is_vuln = TRUE; if (report_verbosity > 0) { report = '\n Version source : ' + banner + '\n Installed version : ' + version + '\n Fixed version : ' + fixed + '\n'; security_warning(port:port, proto:proto, extra:report); } else security_warning(port:port, proto:proto); } else not_vuln_installs = make_list(not_vuln_installs, version + " on port " + proto + "/" + port); } if (max_index(errors)) { if (max_index(errors) == 1) errmsg = errors[0]; else errmsg = 'Errors were encountered verifying installs : \n ' + join(errors, sep:'\n '); exit(1, errmsg); } else { installs = max_index(not_vuln_installs); if (installs == 0) { if (is_vuln) exit(0); else audit(AUDIT_NOT_INST, "Asterisk"); } else if (installs == 1) audit(AUDIT_INST_VER_NOT_VULN, "Asterisk " + not_vuln_installs[0]); else exit(0, "The Asterisk installs (" + join(not_vuln_installs, sep:", ") + ") are not affected."); }NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201110-21.NASL description The remote host is affected by the vulnerability described in GLSA-201110-21 (Asterisk: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Asterisk. Please review the CVE identifiers referenced below for details. Impact : An unauthenticated remote attacker may execute code with the privileges of the Asterisk process or cause a Denial of Service. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 56625 published 2011-10-25 reporter This script is Copyright (C) 2011-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/56625 title GLSA-201110-21 : Asterisk: Multiple vulnerabilities NASL family Fedora Local Security Checks NASL id FEDORA_2011-3945.NASL description The Asterisk Development Team has announced security releases for Asterisk branches 1.6.1, 1.6.2, and 1.8. The available security releases are released as versions 1.6.1.24, 1.6.2.17.2, and 1.8.3.2. These releases are available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk/releases ** This is a re-release of Asterisk 1.6.1.23, 1.6.2.17.1 and 1.8.3.1 which contained a bug which caused duplicate manager entries (issue #18987). The releases of Asterisk 1.6.1.24, 1.6.2.17.2, and 1.8.3.2 resolve two issues : - Resource exhaustion in Asterisk Manager Interface (AST-2011-003) - Remote crash vulnerability in TCP/TLS server (AST-2011-004) The issues and resolutions are described in the AST-2011-003 and AST-2011-004 security advisories. For more information about the details of these vulnerabilities, please read the security advisories AST-2011-003 and AST-2011-004, which were released at the same time as this announcement. For a full list of changes in the current releases, please see the ChangeLog: http://downloads.asterisk.org/pub/telephony/asterisk/r eleases/ChangeLog-1.6.1.24 http://downloads.asterisk.org/pub/telephony/asterisk/r eleases/ChangeLog-1.6.2.17.2 http://downloads.asterisk.org/pub/telephony/asterisk/r eleases/ChangeLog-1.8.3.2 Security advisory AST-2011-003 and AST-2011-004 are available at: http://downloads.asterisk.org/pub/security/AST-2011-00 3.pdf http://downloads.asterisk.org/pub/security/AST-2011-00 4.pdf Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 53243 published 2011-04-01 reporter This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/53243 title Fedora 13 : asterisk-1.6.2.17.2-1.fc13 (2011-3945) NASL family Fedora Local Security Checks NASL id FEDORA_2011-3942.NASL description The Asterisk Development Team has announced security releases for Asterisk branches 1.6.1, 1.6.2, and 1.8. The available security releases are released as versions 1.6.1.24, 1.6.2.17.2, and 1.8.3.2. These releases are available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk/releases ** This is a re-release of Asterisk 1.6.1.23, 1.6.2.17.1 and 1.8.3.1 which contained a bug which caused duplicate manager entries (issue #18987). The releases of Asterisk 1.6.1.24, 1.6.2.17.2, and 1.8.3.2 resolve two issues : - Resource exhaustion in Asterisk Manager Interface (AST-2011-003) - Remote crash vulnerability in TCP/TLS server (AST-2011-004) The issues and resolutions are described in the AST-2011-003 and AST-2011-004 security advisories. For more information about the details of these vulnerabilities, please read the security advisories AST-2011-003 and AST-2011-004, which were released at the same time as this announcement. For a full list of changes in the current releases, please see the ChangeLog: http://downloads.asterisk.org/pub/telephony/asterisk/r eleases/ChangeLog-1.6.1.24 http://downloads.asterisk.org/pub/telephony/asterisk/r eleases/ChangeLog-1.6.2.17.2 http://downloads.asterisk.org/pub/telephony/asterisk/r eleases/ChangeLog-1.8.3.2 Security advisory AST-2011-003 and AST-2011-004 are available at: http://downloads.asterisk.org/pub/security/AST-2011-00 3.pdf http://downloads.asterisk.org/pub/security/AST-2011-00 4.pdf Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 53242 published 2011-04-01 reporter This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/53242 title Fedora 14 : asterisk-1.6.2.17.2-1.fc14 (2011-3942) NASL family Fedora Local Security Checks NASL id FEDORA_2011-3958.NASL description The Asterisk Development Team has announced security releases for Asterisk branches 1.6.1, 1.6.2, and 1.8. The available security releases are released as versions 1.6.1.24, 1.6.2.17.2, and 1.8.3.2. These releases are available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk/releases ** This is a re-release of Asterisk 1.6.1.23, 1.6.2.17.1 and 1.8.3.1 which contained a bug which caused duplicate manager entries (issue #18987). The releases of Asterisk 1.6.1.24, 1.6.2.17.2, and 1.8.3.2 resolve two issues : - Resource exhaustion in Asterisk Manager Interface (AST-2011-003) - Remote crash vulnerability in TCP/TLS server (AST-2011-004) The issues and resolutions are described in the AST-2011-003 and AST-2011-004 security advisories. For more information about the details of these vulnerabilities, please read the security advisories AST-2011-003 and AST-2011-004, which were released at the same time as this announcement. For a full list of changes in the current releases, please see the ChangeLog: http://downloads.asterisk.org/pub/telephony/asterisk/r eleases/ChangeLog-1.6.1.24 http://downloads.asterisk.org/pub/telephony/asterisk/r eleases/ChangeLog-1.6.2.17.2 http://downloads.asterisk.org/pub/telephony/asterisk/r eleases/ChangeLog-1.8.3.2 Security advisory AST-2011-003 and AST-2011-004 are available at: http://downloads.asterisk.org/pub/security/AST-2011-00 3.pdf http://downloads.asterisk.org/pub/security/AST-2011-00 4.pdf Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 53200 published 2011-03-29 reporter This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/53200 title Fedora 15 : asterisk-1.8.3.2-1.fc15 (2011-3958)
References
- http://downloads.asterisk.org/pub/security/AST-2011-003.html
- http://lists.fedoraproject.org/pipermail/package-announce/2011-March/056945.html
- http://lists.fedoraproject.org/pipermail/package-announce/2011-March/057156.html
- http://lists.fedoraproject.org/pipermail/package-announce/2011-March/057163.html
- http://openwall.com/lists/oss-security/2011/03/17/5
- http://openwall.com/lists/oss-security/2011/03/21/12
- http://securitytracker.com/id?1025223
- http://www.debian.org/security/2011/dsa-2225
- http://www.securityfocus.com/bid/46897
- http://www.vupen.com/english/advisories/2011/0686
- http://www.vupen.com/english/advisories/2011/0790
- https://bugzilla.redhat.com/show_bug.cgi?id=688675
- https://exchange.xforce.ibmcloud.com/vulnerabilities/66139