Vulnerabilities > CVE-2012-2947 - Improper Access Control vulnerability in multiple products

CVSS 2.6 - LOW

Attack vector

NETWORK

Attack complexity

HIGH

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

PARTIAL

network

high complexity

debian

digium

CWE-284

nessus

NVD

Published: 2012-06-02

Updated: 2017-11-13

Summary

chan_iax2.c in the IAX2 channel driver in Certified Asterisk 1.8.11-cert before 1.8.11-cert2 and Asterisk Open Source 1.8.x before 1.8.12.1 and 10.x before 10.4.1, when a certain mohinterpret setting is enabled, allows remote attackers to cause a denial of service (daemon crash) by placing a call on hold.

Vulnerable Configurations

Part	Description	Count
OS	Debian Debian Debian Linux 6.0	1
Application	Digium Digium Asterisk 1.8.0 Digium Asterisk 1.8.1 Digium Asterisk 1.8.1.1 Digium Asterisk 1.8.1.2 Digium Asterisk 1.8.2 Digium Asterisk 1.8.2.1 Digium Asterisk 1.8.2.2 Digium Asterisk 1.8.2.3 Digium Asterisk 1.8.2.4 Digium Asterisk 1.8.3 Digium Asterisk 1.8.3.1 Digium Asterisk 1.8.3.2 Digium Asterisk 1.8.3.3 Digium Asterisk 1.8.4 Digium Asterisk 1.8.4.1 Digium Asterisk 1.8.4.2 Digium Asterisk 1.8.4.3 Digium Asterisk 1.8.4.4 Digium Asterisk 1.8.5 Digium Asterisk 1.8.5.0 Digium Asterisk 1.8.6.0 Digium Asterisk 1.8.7.0 Digium Asterisk 1.8.7.1 Digium Asterisk 1.8.8.0 Digium Asterisk 1.8.8.1 Digium Asterisk 1.8.8.2 Digium Asterisk 1.8.9.0 Digium Asterisk 1.8.9.1 Digium Asterisk 1.8.9.2 Digium Asterisk 1.8.9.3 Digium Asterisk 1.8.10.0 Digium Asterisk 1.8.10.1 Digium Asterisk 1.8.11.0 Digium Asterisk 1.8.11.1 Digium Asterisk 1.8.12 Digium Asterisk 1.8.12.0 Digium Asterisk 10.0.0 Digium Asterisk 10.0.1 Digium Asterisk 10.1.0 Digium Asterisk 10.1.1 Digium Asterisk 10.1.2 Digium Asterisk 10.1.3 Digium Asterisk 10.2.0 Digium Asterisk 10.2.1 Digium Asterisk 10.3.0 Digium Asterisk 10.3.1 Digium Asterisk 10.4.0 Digium Certified Asterisk 1.8.11	104

Common Weakness Enumeration (CWE)

CWE-284 - Improper Access Control

Common Attack Pattern Enumeration and Classification (CAPEC)

Embedding Scripts within Scripts
An attack of this type exploits a programs' vulnerabilities that are brought on by allowing remote hosts to execute scripts. The attacker leverages this capability to execute scripts to execute his/her own script by embedding it within other scripts that the target software is likely to execute. The attacker must have the ability to inject script into script that is likely to be executed. If this is done, then the attacker can potentially launch a variety of probes and attacks against the web server's local environment, in many cases the so-called DMZ, back end resources the web server can communicate with, and other hosts. With the proliferation of intermediaries, such as Web App Firewalls, network devices, and even printers having JVMs and Web servers, there are many locales where an attacker can inject malicious scripts. Since this attack pattern defines scripts within scripts, there are likely privileges to execute said attack on the host. Of course, these attacks are not solely limited to the server side, client side scripts like Ajax and client side JavaScript can contain malicious scripts as well. In general all that is required is for there to be sufficient privileges to execute a script, but not protected against writing.
Signature Spoofing by Key Theft
An attacker obtains an authoritative or reputable signer's private signature key by theft and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.

Nessus

NASL family	FreeBSD Local Security Checks
NASL id	FREEBSD_PKG_359F615DA9E111E18A6614DAE9EBCF89.NASL
description	Asterisk project reports : Remote crash vulnerability in IAX2 channel driver. Skinny Channel Driver Remote Crash Vulnerability
last seen	2020-06-01
modified	2020-06-02
plugin id	59302
published	2012-05-30
reporter	This script is Copyright (C) 2012-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/59302
title	FreeBSD : asterisk -- multiple vulnerabilities (359f615d-a9e1-11e1-8a66-14dae9ebcf89)
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from the FreeBSD VuXML database : # # Copyright 2003-2018 Jacques Vidrine and contributors # # Redistribution and use in source (VuXML) and 'compiled' forms (SGML, # HTML, PDF, PostScript, RTF and so forth) with or without modification, # are permitted provided that the following conditions are met: # 1. Redistributions of source code (VuXML) must retain the above # copyright notice, this list of conditions and the following # disclaimer as the first lines of this file unmodified. # 2. Redistributions in compiled form (transformed to other DTDs, # published online in any format, converted to PDF, PostScript, # RTF and other formats) must reproduce the above copyright # notice, this list of conditions and the following disclaimer # in the documentation and/or other materials provided with the # distribution. # # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS" # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION, # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # include("compat.inc"); if (description) { script_id(59302); script_version("1.8"); script_cvs_date("Date: 2018/12/19 13:21:18"); script_cve_id("CVE-2012-2947", "CVE-2012-2948"); script_name(english:"FreeBSD : asterisk -- multiple vulnerabilities (359f615d-a9e1-11e1-8a66-14dae9ebcf89)"); script_summary(english:"Checks for updated packages in pkg_info output"); script_set_attribute( attribute:"synopsis", value: "The remote FreeBSD host is missing one or more security-related updates." ); script_set_attribute( attribute:"description", value: "Asterisk project reports : Remote crash vulnerability in IAX2 channel driver. Skinny Channel Driver Remote Crash Vulnerability" ); # http://downloads.digium.com/pub/security/AST-2012-007.html script_set_attribute( attribute:"see_also", value:"https://downloads.digium.com/pub/security/AST-2012-007.html" ); # http://downloads.digium.com/pub/security/AST-2012-008.html script_set_attribute( attribute:"see_also", value:"https://downloads.digium.com/pub/security/AST-2012-008.html" ); # https://www.asterisk.org/security script_set_attribute( attribute:"see_also", value:"https://www.asterisk.org/downloads/security-advisories" ); # https://vuxml.freebsd.org/freebsd/359f615d-a9e1-11e1-8a66-14dae9ebcf89.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?57bdeb4f" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:asterisk10"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:asterisk16"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:asterisk18"); script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd"); script_set_attribute(attribute:"vuln_publication_date", value:"2012/05/29"); script_set_attribute(attribute:"patch_publication_date", value:"2012/05/29"); script_set_attribute(attribute:"plugin_publication_date", value:"2012/05/30"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2012-2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"FreeBSD Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info"); exit(0); } include("audit.inc"); include("freebsd_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD"); if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (pkg_test(save_report:TRUE, pkg:"asterisk16>1.6.<=1.6.2.24")) flag++; if (pkg_test(save_report:TRUE, pkg:"asterisk18>1.8.<1.8.12.1")) flag++; if (pkg_test(save_report:TRUE, pkg:"asterisk10>10.*<10.4.1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DSA-2493.NASL
description	Several vulnerabilities were discovered in Asterisk, a PBX and telephony toolkit. - CVE-2012-2947 The IAX2 channel driver allows remote attackers to cause a denial of service (daemon crash) by placing a call on hold (when a certain mohinterpret setting is enabled). - CVE-2012-2948 The Skinny channel driver allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) by closing a connection in off-hook mode. In addition, it was discovered that Asterisk does not set the alwaysauthreject option by default in the SIP channel driver. This allows remote attackers to observe a difference in response behavior and check for the presence of account names. (CVE-2011-2666 ) System administrators concerned by this user enumerating vulnerability should enable the alwaysauthreject option in the configuration. We do not plan to change the default setting in the stable version (Asterisk 1.6) in order to preserve backwards compatibility.
last seen	2020-03-17
modified	2012-06-29
plugin id	59771
published	2012-06-29
reporter	This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/59771
title	Debian DSA-2493-1 : asterisk - denial of service
code	#%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-2493. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(59771); script_version("1.11"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12"); script_cve_id("CVE-2012-2947", "CVE-2012-2948"); script_bugtraq_id(53722, 53723); script_xref(name:"DSA", value:"2493"); script_name(english:"Debian DSA-2493-1 : asterisk - denial of service"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Several vulnerabilities were discovered in Asterisk, a PBX and telephony toolkit. - CVE-2012-2947 The IAX2 channel driver allows remote attackers to cause a denial of service (daemon crash) by placing a call on hold (when a certain mohinterpret setting is enabled). - CVE-2012-2948 The Skinny channel driver allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) by closing a connection in off-hook mode. In addition, it was discovered that Asterisk does not set the alwaysauthreject option by default in the SIP channel driver. This allows remote attackers to observe a difference in response behavior and check for the presence of account names. (CVE-2011-2666 ) System administrators concerned by this user enumerating vulnerability should enable the alwaysauthreject option in the configuration. We do not plan to change the default setting in the stable version (Asterisk 1.6) in order to preserve backwards compatibility." ); script_set_attribute( attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=675204" ); script_set_attribute( attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=675210" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2012-2947" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2012-2948" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2011-2666" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/squeeze/asterisk" ); script_set_attribute( attribute:"see_also", value:"https://www.debian.org/security/2012/dsa-2493" ); script_set_attribute( attribute:"solution", value: "Upgrade the asterisk packages. For the stable distribution (squeeze), this problem has been fixed in version 1:1.6.2.9-2+squeeze6." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:asterisk"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:6.0"); script_set_attribute(attribute:"patch_publication_date", value:"2012/06/12"); script_set_attribute(attribute:"plugin_publication_date", value:"2012/06/29"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"6.0", prefix:"asterisk", reference:"1:1.6.2.9-2+squeeze6")) flag++; if (deb_check(release:"6.0", prefix:"asterisk-config", reference:"1:1.6.2.9-2+squeeze6")) flag++; if (deb_check(release:"6.0", prefix:"asterisk-dbg", reference:"1:1.6.2.9-2+squeeze6")) flag++; if (deb_check(release:"6.0", prefix:"asterisk-dev", reference:"1:1.6.2.9-2+squeeze6")) flag++; if (deb_check(release:"6.0", prefix:"asterisk-doc", reference:"1:1.6.2.9-2+squeeze6")) flag++; if (deb_check(release:"6.0", prefix:"asterisk-h323", reference:"1:1.6.2.9-2+squeeze6")) flag++; if (deb_check(release:"6.0", prefix:"asterisk-sounds-main", reference:"1:1.6.2.9-2+squeeze6")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");

NASL family	Fedora Local Security Checks
NASL id	FEDORA_2012-8685.NASL
description	The Asterisk Development Team has announced the release of Asterisk 1.8.12.2. This release is available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk The release of Asterisk 1.8.12.2 resolves an issue reported by the community and would have not been possible without your participation. Thank you! The following is the issue resolved in this release : - --- Resolve crash in subscribing for MWI notifications (Closes issue ASTERISK-19827. Reported by B. R) For a full list of changes in this release, please see the ChangeLog : http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.12. 2 The Asterisk Development Team has announced security releases for Certified Asterisk 1.8.11 and Asterisk 1.8 and 10. The available security releases are released as versions 1.8.11-cert2, 1.8.12.1, and 10.4.1. These releases are available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk/releases The release of Asterisk 1.8.11-cert2, 1.8.12.1, and 10.4.1 resolve the following two issues : - A remotely exploitable crash vulnerability exists in the IAX2 channel driver if an established call is placed on hold without a suggested music class. Asterisk will attempt to use an invalid pointer to the music on hold class name, potentially causing a crash. - A remotely exploitable crash vulnerability was found in the Skinny (SCCP) Channel driver. When an SCCP client closes its connection to the server, a pointer in a structure is set to NULL. If the client was not in the on-hook state at the time the connection was closed, this pointer is later dereferenced. This allows remote authenticated connections the ability to cause a crash in the server, denying services to legitimate users. These issues and their resolution are described in the security advisories. For more information about the details of these vulnerabilities, please read security advisories AST-2012-007 and AST-2012-008, which were released at the same time as this announcement. For a full list of changes in the current releases, please see the ChangeLogs : http://downloads.asterisk.org/pub/telephony/certified-asterisk/release s/ChangeLog-1.8.11-cert2 http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLo g-1.8.12.1 http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLo g-10.4.1 The security advisories are available at : - http://downloads.asterisk.org/pub/security/AST-2012-007. pdf - http://downloads.asterisk.org/pub/security/AST-2012-00 8.pdf Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-03-17
modified	2012-06-18
plugin id	59532
published	2012-06-18
reporter	This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/59532
title	Fedora 15 : asterisk-1.8.12.2-1.fc15 (2012-8685)
code	#%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2012-8685. # include("compat.inc"); if (description) { script_id(59532); script_version("1.12"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12"); script_cve_id("CVE-2012-2947"); script_bugtraq_id(53722); script_xref(name:"FEDORA", value:"2012-8685"); script_name(english:"Fedora 15 : asterisk-1.8.12.2-1.fc15 (2012-8685)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: "The Asterisk Development Team has announced the release of Asterisk 1.8.12.2. This release is available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk The release of Asterisk 1.8.12.2 resolves an issue reported by the community and would have not been possible without your participation. Thank you! The following is the issue resolved in this release : - --- Resolve crash in subscribing for MWI notifications (Closes issue ASTERISK-19827. Reported by B. R) For a full list of changes in this release, please see the ChangeLog : http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.12. 2 The Asterisk Development Team has announced security releases for Certified Asterisk 1.8.11 and Asterisk 1.8 and 10. The available security releases are released as versions 1.8.11-cert2, 1.8.12.1, and 10.4.1. These releases are available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk/releases The release of Asterisk 1.8.11-cert2, 1.8.12.1, and 10.4.1 resolve the following two issues : - A remotely exploitable crash vulnerability exists in the IAX2 channel driver if an established call is placed on hold without a suggested music class. Asterisk will attempt to use an invalid pointer to the music on hold class name, potentially causing a crash. - A remotely exploitable crash vulnerability was found in the Skinny (SCCP) Channel driver. When an SCCP client closes its connection to the server, a pointer in a structure is set to NULL. If the client was not in the on-hook state at the time the connection was closed, this pointer is later dereferenced. This allows remote authenticated connections the ability to cause a crash in the server, denying services to legitimate users. These issues and their resolution are described in the security advisories. For more information about the details of these vulnerabilities, please read security advisories AST-2012-007 and AST-2012-008, which were released at the same time as this announcement. For a full list of changes in the current releases, please see the ChangeLogs : http://downloads.asterisk.org/pub/telephony/certified-asterisk/release s/ChangeLog-1.8.11-cert2 http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLo g-1.8.12.1 http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLo g-10.4.1 The security advisories are available at : - http://downloads.asterisk.org/pub/security/AST-2012-007. pdf - http://downloads.asterisk.org/pub/security/AST-2012-00 8.pdf Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"http://downloads.asterisk.org/pub/security/AST-2012-007.pdf" ); script_set_attribute( attribute:"see_also", value:"http://downloads.asterisk.org/pub/security/AST-2012-008.pdf" ); # http://downloads.asterisk.org/pub/telephony/asterisk script_set_attribute( attribute:"see_also", value:"http://downloads.asterisk.org/pub/telephony/asterisk/" ); # http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.12.2 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?3c92157b" ); # http://downloads.asterisk.org/pub/telephony/asterisk/releases script_set_attribute( attribute:"see_also", value:"http://downloads.asterisk.org/pub/telephony/asterisk/releases/" ); # http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.12.1 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?01547647" ); # http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.4.1 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?0ef88683" ); # http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.11-cert2 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?8f897510" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=826474" ); # https://lists.fedoraproject.org/pipermail/package-announce/2012-June/082336.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?df03be2f" ); script_set_attribute( attribute:"solution", value:"Update the affected asterisk package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:N/I:N/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:asterisk"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:15"); script_set_attribute(attribute:"vuln_publication_date", value:"2012/06/02"); script_set_attribute(attribute:"patch_publication_date", value:"2012/06/01"); script_set_attribute(attribute:"plugin_publication_date", value:"2012/06/18"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) \|\| "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^15([^0-9]\|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 15.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC15", reference:"asterisk-1.8.12.2-1.fc15")) flag++; if (flag) { if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get()); else security_note(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "asterisk"); }

NASL family	Fedora Local Security Checks
NASL id	FEDORA_2012-8692.NASL
description	The Asterisk Development Team has announced the release of Asterisk 1.8.12.2. This release is available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk The release of Asterisk 1.8.12.2 resolves an issue reported by the community and would have not been possible without your participation. Thank you! The following is the issue resolved in this release : - --- Resolve crash in subscribing for MWI notifications (Closes issue ASTERISK-19827. Reported by B. R) For a full list of changes in this release, please see the ChangeLog : http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.12. 2 The Asterisk Development Team has announced security releases for Certified Asterisk 1.8.11 and Asterisk 1.8 and 10. The available security releases are released as versions 1.8.11-cert2, 1.8.12.1, and 10.4.1. These releases are available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk/releases The release of Asterisk 1.8.11-cert2, 1.8.12.1, and 10.4.1 resolve the following two issues : - A remotely exploitable crash vulnerability exists in the IAX2 channel driver if an established call is placed on hold without a suggested music class. Asterisk will attempt to use an invalid pointer to the music on hold class name, potentially causing a crash. - A remotely exploitable crash vulnerability was found in the Skinny (SCCP) Channel driver. When an SCCP client closes its connection to the server, a pointer in a structure is set to NULL. If the client was not in the on-hook state at the time the connection was closed, this pointer is later dereferenced. This allows remote authenticated connections the ability to cause a crash in the server, denying services to legitimate users. These issues and their resolution are described in the security advisories. For more information about the details of these vulnerabilities, please read security advisories AST-2012-007 and AST-2012-008, which were released at the same time as this announcement. For a full list of changes in the current releases, please see the ChangeLogs : http://downloads.asterisk.org/pub/telephony/certified-asterisk/release s/ChangeLog-1.8.11-cert2 http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLo g-1.8.12.1 http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLo g-10.4.1 The security advisories are available at : - http://downloads.asterisk.org/pub/security/AST-2012-007. pdf - http://downloads.asterisk.org/pub/security/AST-2012-00 8.pdf Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-03-17
modified	2012-06-18
plugin id	59533
published	2012-06-18
reporter	This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/59533
title	Fedora 16 : asterisk-1.8.12.2-1.fc16 (2012-8692)
code	#%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2012-8692. # include("compat.inc"); if (description) { script_id(59533); script_version("1.12"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12"); script_cve_id("CVE-2012-2947"); script_bugtraq_id(53722); script_xref(name:"FEDORA", value:"2012-8692"); script_name(english:"Fedora 16 : asterisk-1.8.12.2-1.fc16 (2012-8692)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: "The Asterisk Development Team has announced the release of Asterisk 1.8.12.2. This release is available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk The release of Asterisk 1.8.12.2 resolves an issue reported by the community and would have not been possible without your participation. Thank you! The following is the issue resolved in this release : - --- Resolve crash in subscribing for MWI notifications (Closes issue ASTERISK-19827. Reported by B. R) For a full list of changes in this release, please see the ChangeLog : http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.12. 2 The Asterisk Development Team has announced security releases for Certified Asterisk 1.8.11 and Asterisk 1.8 and 10. The available security releases are released as versions 1.8.11-cert2, 1.8.12.1, and 10.4.1. These releases are available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk/releases The release of Asterisk 1.8.11-cert2, 1.8.12.1, and 10.4.1 resolve the following two issues : - A remotely exploitable crash vulnerability exists in the IAX2 channel driver if an established call is placed on hold without a suggested music class. Asterisk will attempt to use an invalid pointer to the music on hold class name, potentially causing a crash. - A remotely exploitable crash vulnerability was found in the Skinny (SCCP) Channel driver. When an SCCP client closes its connection to the server, a pointer in a structure is set to NULL. If the client was not in the on-hook state at the time the connection was closed, this pointer is later dereferenced. This allows remote authenticated connections the ability to cause a crash in the server, denying services to legitimate users. These issues and their resolution are described in the security advisories. For more information about the details of these vulnerabilities, please read security advisories AST-2012-007 and AST-2012-008, which were released at the same time as this announcement. For a full list of changes in the current releases, please see the ChangeLogs : http://downloads.asterisk.org/pub/telephony/certified-asterisk/release s/ChangeLog-1.8.11-cert2 http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLo g-1.8.12.1 http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLo g-10.4.1 The security advisories are available at : - http://downloads.asterisk.org/pub/security/AST-2012-007. pdf - http://downloads.asterisk.org/pub/security/AST-2012-00 8.pdf Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"http://downloads.asterisk.org/pub/security/AST-2012-007.pdf" ); script_set_attribute( attribute:"see_also", value:"http://downloads.asterisk.org/pub/security/AST-2012-008.pdf" ); # http://downloads.asterisk.org/pub/telephony/asterisk script_set_attribute( attribute:"see_also", value:"http://downloads.asterisk.org/pub/telephony/asterisk/" ); # http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.12.2 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?3c92157b" ); # http://downloads.asterisk.org/pub/telephony/asterisk/releases script_set_attribute( attribute:"see_also", value:"http://downloads.asterisk.org/pub/telephony/asterisk/releases/" ); # http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.12.1 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?01547647" ); # http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.4.1 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?0ef88683" ); # http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.11-cert2 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?8f897510" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=826474" ); # https://lists.fedoraproject.org/pipermail/package-announce/2012-June/082333.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?8571432e" ); script_set_attribute( attribute:"solution", value:"Update the affected asterisk package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:N/I:N/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:asterisk"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:16"); script_set_attribute(attribute:"vuln_publication_date", value:"2012/06/02"); script_set_attribute(attribute:"patch_publication_date", value:"2012/06/01"); script_set_attribute(attribute:"plugin_publication_date", value:"2012/06/18"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) \|\| "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^16([^0-9]\|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 16.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC16", reference:"asterisk-1.8.12.2-1.fc16")) flag++; if (flag) { if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get()); else security_note(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "asterisk"); }

NASL family	Fedora Local Security Checks
NASL id	FEDORA_2012-8670.NASL
description	he Asterisk Development Team has announced the release of Asterisk 10.4.2. This release is available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk The release of Asterisk 10.4.2 resolves several issues reported by the community and would have not been possible without your participation. Thank you! The following are the issues resolved in this release : - --- Resolve crash in subscribing for MWI notifications (Closes issue ASTERISK-19827. Reported by B. R) - --- Fix crash in ConfBridge when user announcement is played for more than 2 users (Closes issue ASTERISK-19899. Reported by Florian Gilcher) For a full list of changes in this release, please see the ChangeLog : http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-10.4.2 The Asterisk Development Team has announced security releases for Certified Asterisk 1.8.11 and Asterisk 1.8 and 10. The available security releases are released as versions 1.8.11-cert2, 1.8.12.1, and 10.4.1. These releases are available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk/releases The release of Asterisk 1.8.11-cert2, 1.8.12.1, and 10.4.1 resolve the following two issues : - A remotely exploitable crash vulnerability exists in the IAX2 channel driver if an established call is placed on hold without a suggested music class. Asterisk will attempt to use an invalid pointer to the music on hold class name, potentially causing a crash. - A remotely exploitable crash vulnerability was found in the Skinny (SCCP) Channel driver. When an SCCP client closes its connection to the server, a pointer in a structure is set to NULL. If the client was not in the on-hook state at the time the connection was closed, this pointer is later dereferenced. This allows remote authenticated connections the ability to cause a crash in the server, denying services to legitimate users. These issues and their resolution are described in the security advisories. For more information about the details of these vulnerabilities, please read security advisories AST-2012-007 and AST-2012-008, which were released at the same time as this announcement. For a full list of changes in the current releases, please see the ChangeLogs : http://downloads.asterisk.org/pub/telephony/certified-asterisk/release s/ChangeLog-1.8.11-cert2 http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLo g-1.8.12.1 http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLo g-10.4.1 The security advisories are available at : - http://downloads.asterisk.org/pub/security/AST-2012-007. pdf - http://downloads.asterisk.org/pub/security/AST-2012-00 8.pdf Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-03-17
modified	2012-06-11
plugin id	59434
published	2012-06-11
reporter	This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/59434
title	Fedora 17 : asterisk-10.4.2-1.fc17 (2012-8670)

NASL family	Misc.
NASL id	ASTERISK_AST_2012_007.NASL
description	According to the version in its SIP banner, the version of Asterisk running on the remote host is potentially affected by a vulnerability that could allow a remote attacker to crash the server. This issue could be exploited when a call is put on hold and the entity placing the call on hold contains the configuration item
last seen	2020-06-01
modified	2020-06-02
plugin id	59503
published	2012-06-14
reporter	This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/59503
title	Asterisk Remote Crash Vulnerability in IAX2 Channel Driver (AST-2012-007)

NASL family	Gentoo Local Security Checks
NASL id	GENTOO_GLSA-201206-05.NASL
description	The remote host is affected by the vulnerability described in GLSA-201206-05 (Asterisk: Multiple vulnerabilities) Multiple vulnerabilities have been found in Asterisk: An error in manager.c allows shell access through the MixMonitor application, GetVar, or Status (CVE-2012-2414). An error in chan_skinny.c could cause a heap-based buffer overflow (CVE-2012-2415). An error in chan_sip.c prevents Asterisk from checking if a channel exists before connected line updates (CVE-2012-2416). An error in chan_iax2.c may cause an invalid pointer to be called (CVE-2012-2947). chan_skinny.c contains a NULL pointer dereference (CVE-2012-2948). Impact : A remote attacker could execute arbitrary code with the privileges of the process or cause a Denial of Service condition. Workaround : There is no known workaround at this time.
last seen	2020-06-01
modified	2020-06-02
plugin id	59633
published	2012-06-21
reporter	This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/59633
title	GLSA-201206-05 : Asterisk: Multiple vulnerabilities

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

Nessus

References