Vulnerabilities > CVE-2011-1175 - Unspecified vulnerability in Digium Asterisk

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
digium
nessus

Summary

tcptls.c in the TCP/TLS server in Asterisk Open Source 1.6.1.x before 1.6.1.23, 1.6.2.x before 1.6.2.17.1, and 1.8.x before 1.8.3.1 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) by establishing many short TCP sessions to services that use a certain TLS API.

Nessus

  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-2225.NASL
    descriptionSeveral vulnerabilities have been discovered in Asterisk, an Open Source PBX and telephony toolkit. - CVE-2011-1147 Matthew Nicholson discovered that incorrect handling of UDPTL packets may lead to denial of service or the execution of arbitrary code. - CVE-2011-1174 Blake Cornell discovered that incorrect connection handling in the manager interface may lead to denial of service. - CVE-2011-1175 Blake Cornell and Chris May discovered that incorrect TCP connection handling may lead to denial of service. - CVE-2011-1507 Tzafrir Cohen discovered that insufficient limitation of connection requests in several TCP based services may lead to denial of service. Please see AST-2011-005 for details. - CVE-2011-1599 Matthew Nicholson discovered a privilege escalation vulnerability in the manager interface.
    last seen2020-03-17
    modified2011-04-27
    plugin id53558
    published2011-04-27
    reporterThis script is Copyright (C) 2011-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/53558
    titleDebian DSA-2225-1 : asterisk - several vulnerabilities
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-2225. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(53558);
      script_version("1.14");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");
    
      script_cve_id("CVE-2011-1147", "CVE-2011-1174", "CVE-2011-1175", "CVE-2011-1507", "CVE-2011-1599");
      script_bugtraq_id(46474, 46897, 46898, 47537);
      script_xref(name:"DSA", value:"2225");
    
      script_name(english:"Debian DSA-2225-1 : asterisk - several vulnerabilities");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Several vulnerabilities have been discovered in Asterisk, an Open
    Source PBX and telephony toolkit.
    
      - CVE-2011-1147
        Matthew Nicholson discovered that incorrect handling of
        UDPTL packets may lead to denial of service or the
        execution of arbitrary code.
    
      - CVE-2011-1174
        Blake Cornell discovered that incorrect connection
        handling in the manager interface may lead to denial of
        service.
    
      - CVE-2011-1175
        Blake Cornell and Chris May discovered that incorrect
        TCP connection handling may lead to denial of service.
    
      - CVE-2011-1507
        Tzafrir Cohen discovered that insufficient limitation of
        connection requests in several TCP based services may
        lead to denial of service. Please see AST-2011-005 for
        details.
    
      - CVE-2011-1599
        Matthew Nicholson discovered a privilege escalation
        vulnerability in the manager interface."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2011-1147"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2011-1174"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2011-1175"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2011-1507"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://downloads.asterisk.org/pub/security/AST-2011-005.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2011-1599"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/squeeze/asterisk"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2011/dsa-2225"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the asterisk packages.
    
    For the oldstable distribution (lenny), this problem has been fixed in
    version 1:1.4.21.2~dfsg-3+lenny2.1.
    
    For the stable distribution (squeeze), this problem has been fixed in
    version 1:1.6.2.9-2+squeeze2."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:asterisk");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:5.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:6.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2011/04/25");
      script_set_attribute(attribute:"plugin_publication_date", value:"2011/04/27");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2011-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"5.0", prefix:"asterisk", reference:"1:1.4.21.2~dfsg-3+lenny2.1")) flag++;
    if (deb_check(release:"6.0", prefix:"asterisk", reference:"1:1.6.2.9-2+squeeze2")) flag++;
    if (deb_check(release:"6.0", prefix:"asterisk-config", reference:"1:1.6.2.9-2+squeeze2")) flag++;
    if (deb_check(release:"6.0", prefix:"asterisk-dbg", reference:"1:1.6.2.9-2+squeeze2")) flag++;
    if (deb_check(release:"6.0", prefix:"asterisk-dev", reference:"1:1.6.2.9-2+squeeze2")) flag++;
    if (deb_check(release:"6.0", prefix:"asterisk-doc", reference:"1:1.6.2.9-2+squeeze2")) flag++;
    if (deb_check(release:"6.0", prefix:"asterisk-h323", reference:"1:1.6.2.9-2+squeeze2")) flag++;
    if (deb_check(release:"6.0", prefix:"asterisk-sounds-main", reference:"1:1.6.2.9-2+squeeze2")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyDenial of Service
    NASL idASTERISK_AST_2011_003.NASL
    descriptionAccording to the version in its SIP banner, the version of Asterisk running on the remote host may be affected by multiple denial of service vulnerabilities : - A resource exhaustion issue exists in the Asterisk manager interface. - A NULL pointer dereference issue exists in the TCP/TLS server.
    last seen2020-06-01
    modified2020-06-02
    plugin id52714
    published2011-03-18
    reporterThis script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/52714
    titleAsterisk Multiple Denial of Service Vulnerabilities (AST-2011-003 / AST-2011-004)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(52714);
      script_version("1.18");
      script_cvs_date("Date: 2018/06/27 18:42:25");
    
      script_cve_id("CVE-2011-1174", "CVE-2011-1175");
      script_bugtraq_id(46897, 46898);
      script_xref(name:"Secunia", value:"43722");
    
      script_name(english:"Asterisk Multiple Denial of Service Vulnerabilities (AST-2011-003 / AST-2011-004)");
      script_summary(english:"Checks version in SIP banner");
    
      script_set_attribute(attribute:"synopsis", value:
    "A telephony application running on the remote host is affected by
    multiple denial of service vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "According to the version in its SIP banner, the version of Asterisk
    running on the remote host may be affected by multiple denial of
    service vulnerabilities :
    
      - A resource exhaustion issue exists in the Asterisk
        manager interface.
    
      - A NULL pointer dereference issue exists in the
        TCP/TLS server.");
      script_set_attribute(attribute:"see_also", value:"http://downloads.asterisk.org/pub/security/AST-2011-003.html");
      script_set_attribute(attribute:"see_also", value:"http://downloads.asterisk.org/pub/security/AST-2011-004.html");
      # http://web.archive.org/web/20110823054112/http://www.asterisk.org/node/51596
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3ecf62e4");
      script_set_attribute(attribute:"solution", value:"Upgrade to Asterisk 1.6.1.24 / 1.6.2.17.2 / 1.8.3.2 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2011/03/16");
      script_set_attribute(attribute:"patch_publication_date", value:"2011/03/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2011/03/18");
    
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:digium:asterisk");
    
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Denial of Service");
    
      script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.");
    
      script_dependencies("asterisk_detection.nasl");
      script_require_keys("asterisk/sip_detected", "Settings/ParanoidReport");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    get_kb_item_or_exit("asterisk/sip_detected");
    
    # see if we were able to get version info from the Asterisk SIP services
    asterisk_kbs = get_kb_list("sip/asterisk/*/version");
    if (isnull(asterisk_kbs)) exit(1, "Could not obtain any version information from the Asterisk SIP instance(s).");
    
    # Prevent potential false positives.
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    is_vuln = FALSE;
    not_vuln_installs = make_list();
    errors = make_list();
    
    foreach kb_name (keys(asterisk_kbs))
    {
      vulnerable = 0;
    
      matches = eregmatch(pattern:"/(udp|tcp)/([0-9]+)/version", string:kb_name);
      if (isnull(matches))
      {
        errors = make_list(errors, "Unexpected error parsing port number from kb name: "+kb_name);
        continue;
      }
    
      proto = matches[1];
      port  = matches[2];
      version = asterisk_kbs[kb_name];
    
      if (version == 'unknown')
      {
        errors = make_list(errors, "Unable to obtain version of install on " + proto + "/" + port);
        continue;
      }
    
      banner = get_kb_item("sip/asterisk/" + proto + "/" + port + "/source");
      if (!banner)
      {
        # We have version but banner is missing; log error
        # and use in version-check though.
        errors = make_list(errors, "KB item 'sip/asterisk/" + proto + "/" + port + "/source' is missing");
        banner = 'unknown';
      }
    
      if (version =~ '^1\\.6([^0-9]|$)')
      {
        if (version =~ '^1\\.6\\.1([^0-9]|$)')
        {
          fixed = "1.6.1.24";
          vulnerable = ver_compare(ver:version, fix:fixed, app:"asterisk");
        }
        else if (version =~ '^1\\.6\\.2([^0-9]|$)')
        {
          fixed = "1.6.2.17.2";
          if (version =~ '^1\\.6\\.2\\.17([^0-9]|$)')
            vulnerable = ver_compare(ver:version, fix:fixed, app:"asterisk");
          else
            vulnerable = ver_compare(ver:version, fix:"1.6.2.17", app:"asterisk");
        }
      }
      else if (version =~ '^1\\.8([^0-9]|$)')
      {
        fixed = "1.8.3.2";
        vulnerable = ver_compare(ver:version, fix:fixed, app:"asterisk");
      }
    
      if (vulnerable < 0)
      {
        is_vuln = TRUE;
        if (report_verbosity > 0)
        {
          report =
            '\n  Version source    : ' + banner +
            '\n  Installed version : ' + version +
            '\n  Fixed version     : ' + fixed + '\n';
          security_warning(port:port, proto:proto, extra:report);
        }
        else security_warning(port:port, proto:proto);
      }
      else not_vuln_installs = make_list(not_vuln_installs, version + " on port " + proto + "/" + port);
    }
    
    if (max_index(errors))
    {
      if (max_index(errors) == 1) errmsg = errors[0];
      else errmsg = 'Errors were encountered verifying installs : \n  ' + join(errors, sep:'\n  ');
    
      exit(1, errmsg);
    }
    else
    {
      installs = max_index(not_vuln_installs);
      if (installs == 0)
      {
        if (is_vuln)
          exit(0);
        else
          audit(AUDIT_NOT_INST, "Asterisk");
      }
      else if (installs == 1) audit(AUDIT_INST_VER_NOT_VULN, "Asterisk " + not_vuln_installs[0]);
      else exit(0, "The Asterisk installs (" + join(not_vuln_installs, sep:", ") + ") are not affected.");
    }
    
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201110-21.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201110-21 (Asterisk: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Asterisk. Please review the CVE identifiers referenced below for details. Impact : An unauthenticated remote attacker may execute code with the privileges of the Asterisk process or cause a Denial of Service. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id56625
    published2011-10-25
    reporterThis script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/56625
    titleGLSA-201110-21 : Asterisk: Multiple vulnerabilities
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2011-3945.NASL
    descriptionThe Asterisk Development Team has announced security releases for Asterisk branches 1.6.1, 1.6.2, and 1.8. The available security releases are released as versions 1.6.1.24, 1.6.2.17.2, and 1.8.3.2. These releases are available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk/releases ** This is a re-release of Asterisk 1.6.1.23, 1.6.2.17.1 and 1.8.3.1 which contained a bug which caused duplicate manager entries (issue #18987). The releases of Asterisk 1.6.1.24, 1.6.2.17.2, and 1.8.3.2 resolve two issues : - Resource exhaustion in Asterisk Manager Interface (AST-2011-003) - Remote crash vulnerability in TCP/TLS server (AST-2011-004) The issues and resolutions are described in the AST-2011-003 and AST-2011-004 security advisories. For more information about the details of these vulnerabilities, please read the security advisories AST-2011-003 and AST-2011-004, which were released at the same time as this announcement. For a full list of changes in the current releases, please see the ChangeLog: http://downloads.asterisk.org/pub/telephony/asterisk/r eleases/ChangeLog-1.6.1.24 http://downloads.asterisk.org/pub/telephony/asterisk/r eleases/ChangeLog-1.6.2.17.2 http://downloads.asterisk.org/pub/telephony/asterisk/r eleases/ChangeLog-1.8.3.2 Security advisory AST-2011-003 and AST-2011-004 are available at: http://downloads.asterisk.org/pub/security/AST-2011-00 3.pdf http://downloads.asterisk.org/pub/security/AST-2011-00 4.pdf Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id53243
    published2011-04-01
    reporterThis script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/53243
    titleFedora 13 : asterisk-1.6.2.17.2-1.fc13 (2011-3945)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2011-3942.NASL
    descriptionThe Asterisk Development Team has announced security releases for Asterisk branches 1.6.1, 1.6.2, and 1.8. The available security releases are released as versions 1.6.1.24, 1.6.2.17.2, and 1.8.3.2. These releases are available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk/releases ** This is a re-release of Asterisk 1.6.1.23, 1.6.2.17.1 and 1.8.3.1 which contained a bug which caused duplicate manager entries (issue #18987). The releases of Asterisk 1.6.1.24, 1.6.2.17.2, and 1.8.3.2 resolve two issues : - Resource exhaustion in Asterisk Manager Interface (AST-2011-003) - Remote crash vulnerability in TCP/TLS server (AST-2011-004) The issues and resolutions are described in the AST-2011-003 and AST-2011-004 security advisories. For more information about the details of these vulnerabilities, please read the security advisories AST-2011-003 and AST-2011-004, which were released at the same time as this announcement. For a full list of changes in the current releases, please see the ChangeLog: http://downloads.asterisk.org/pub/telephony/asterisk/r eleases/ChangeLog-1.6.1.24 http://downloads.asterisk.org/pub/telephony/asterisk/r eleases/ChangeLog-1.6.2.17.2 http://downloads.asterisk.org/pub/telephony/asterisk/r eleases/ChangeLog-1.8.3.2 Security advisory AST-2011-003 and AST-2011-004 are available at: http://downloads.asterisk.org/pub/security/AST-2011-00 3.pdf http://downloads.asterisk.org/pub/security/AST-2011-00 4.pdf Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id53242
    published2011-04-01
    reporterThis script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/53242
    titleFedora 14 : asterisk-1.6.2.17.2-1.fc14 (2011-3942)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2011-3958.NASL
    descriptionThe Asterisk Development Team has announced security releases for Asterisk branches 1.6.1, 1.6.2, and 1.8. The available security releases are released as versions 1.6.1.24, 1.6.2.17.2, and 1.8.3.2. These releases are available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk/releases ** This is a re-release of Asterisk 1.6.1.23, 1.6.2.17.1 and 1.8.3.1 which contained a bug which caused duplicate manager entries (issue #18987). The releases of Asterisk 1.6.1.24, 1.6.2.17.2, and 1.8.3.2 resolve two issues : - Resource exhaustion in Asterisk Manager Interface (AST-2011-003) - Remote crash vulnerability in TCP/TLS server (AST-2011-004) The issues and resolutions are described in the AST-2011-003 and AST-2011-004 security advisories. For more information about the details of these vulnerabilities, please read the security advisories AST-2011-003 and AST-2011-004, which were released at the same time as this announcement. For a full list of changes in the current releases, please see the ChangeLog: http://downloads.asterisk.org/pub/telephony/asterisk/r eleases/ChangeLog-1.6.1.24 http://downloads.asterisk.org/pub/telephony/asterisk/r eleases/ChangeLog-1.6.2.17.2 http://downloads.asterisk.org/pub/telephony/asterisk/r eleases/ChangeLog-1.8.3.2 Security advisory AST-2011-003 and AST-2011-004 are available at: http://downloads.asterisk.org/pub/security/AST-2011-00 3.pdf http://downloads.asterisk.org/pub/security/AST-2011-00 4.pdf Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id53200
    published2011-03-29
    reporterThis script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/53200
    titleFedora 15 : asterisk-1.8.3.2-1.fc15 (2011-3958)