Vulnerabilities > CVE-2012-3812 - Resource Management Errors vulnerability in Digium Asterisk, Asteriske and Certified Asterisk

CVSS v2 base score 4.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
SINGLE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
low complexity
digium
CWE-399
nessus

Summary

Double free vulnerability in apps/app_voicemail.c in Asterisk Open Source 1.8.x before 1.8.13.1 and 10.x before 10.5.2, Certified Asterisk 1.8.11-certx before 1.8.11-cert4, and Asterisk Digiumphones 10.x.x-digiumphones before 10.5.2-digiumphones allows remote authenticated users to cause a denial of service (daemon crash) by establishing multiple voicemail sessions and accessing both the Urgent mailbox and the INBOX mailbox.

Common Weakness Enumeration (CWE)

Nessus

  • NASL family: Misc.
    NASL id: ASTERISK_AST_2012_011.NASL
    description: According to the version in its SIP banner, the version of Asterisk running on the remote host is potentially affected by a vulnerability that could allow a remote, authenticated attacker to crash the server. If two remote users interact with a single voicemail account in unspecified ways, memory can be corrupted by a double-free vulnerability and this can further lead to application crashes.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 60065
    published: 2012-07-19
    reporter: This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/60065
    title: Asterisk Multiple Caller Simultaneous Voicemail Account Manipulation Double-free Remote DoS (AST-2012-011)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Registration branch: when `description` is set the script only declares
    # its metadata (identifiers, text, CVSS vectors, dependencies) and then
    # exits, so none of the version-check logic further down runs here.
    if (description)
    {
      script_id(60065);
      script_version("1.10");
      script_cvs_date("Date: 2018/06/27 18:42:26");
    
      # External identifiers for the issue this plugin reports.
      script_cve_id("CVE-2012-3812");
      script_bugtraq_id(54317);
    
      script_name(english:"Asterisk Multiple Caller Simultaneous Voicemail Account Manipulation Double-free Remote DoS (AST-2012-011)");
      # The only evidence used is the version string taken from the SIP banner.
      script_summary(english:"Checks version in SIP banner");
    
      script_set_attribute(attribute:"synopsis", value:
    "A telephony application running on the remote host is affected by a
    denial of service vulnerability.");
      script_set_attribute(attribute:"description", value:
    "According to the version in its SIP banner, the version of Asterisk
    running on the remote host is potentially affected by a vulnerability
    that could allow a remote, authenticated attacker to crash the server.
    
    If two remote users interact with a single voicemail account in
    unspecified ways, memory can be corrupted by a double-free vulnerability and this
    can further lead to application crashes.");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Asterisk 1.8.13.1 / 10.5.2, Certified Asterisk 1.8.11-cert4
    or apply the patches listed in the Asterisk advisory.");
      # CVSS v2 base vector: network reachable, low complexity, single
      # authentication required, availability-only (partial) impact.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:P");
      # CVSS v2 temporal vector: exploitability unproven, official fix
      # available, report confidence confirmed.
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_set_attribute(attribute:"see_also", value:"http://downloads.asterisk.org/pub/security/AST-2012-011.html");
      script_set_attribute(attribute:"see_also", value:"https://issues.asterisk.org/jira/browse/ASTERISK-20052");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2012/06/27");
      script_set_attribute(attribute:"patch_publication_date", value:"2012/06/27");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/07/19");
    
      # Marked as a potential vulnerability: a banner version cannot show
      # whether a fix was backported or the advisory patch applied by hand.
      # NOTE(review): how the scanner surfaces this flag is not visible here.
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:digium:asterisk");
      script_end_attributes();
    
      # Declared as information gathering; the check below only reads
      # knowledge-base items and compares version strings.
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.");
    
      # Depends on the Asterisk detection plugin and on two KB keys: the SIP
      # detection marker and the paranoid-report setting.
      # NOTE(review): presumably the engine skips the plugin when either key
      # is absent - confirm against the scanner documentation.
      script_dependencies("asterisk_detection.nasl");
      script_require_keys("asterisk/sip_detected", "Settings/ParanoidReport");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    # Stop immediately unless the knowledge base says an Asterisk SIP service
    # was detected.
    get_kb_item_or_exit("asterisk/sip_detected");
    
    # Gather the per-transport/per-port version strings stored in the KB.
    asterisk_kbs = get_kb_list("sip/asterisk/*/version");
    if (isnull(asterisk_kbs))
    {
      exit(1, "Could not obtain any version information from the Asterisk SIP instance(s).");
    }
    
    # The verdict rests on a banner version alone, so the check is only run
    # when the paranoia level is 2 or higher; otherwise it audits out.
    if (report_paranoia < 2)
    {
      audit(AUDIT_PARANOID);
    }
    
    # Accumulators filled while the installs are evaluated.
    errors = make_list();
    not_vuln_installs = make_list();
    is_vuln = FALSE;
    
    # Evaluate every Asterisk SIP install recorded in the KB. Each key carries
    # the transport and port; its value is the version taken from the banner.
    foreach kb_key (keys(asterisk_kbs))
    {
      cmp_result = 0;
      fixed = NULL;
    
      # Recover transport and port from the key; a key that does not match
      # is recorded as an error and skipped.
      parts = eregmatch(pattern:"/(udp|tcp)/([0-9]+)/version", string:kb_key);
      if (isnull(parts))
      {
        errors = make_list(errors, "Unexpected error parsing port number from kb name: "+kb_key);
        continue;
      }
      proto = parts[1];
      port  = parts[2];
    
      version = asterisk_kbs[kb_key];
      if (version == 'unknown')
      {
        errors = make_list(errors, "Unable to obtain version of install on " + proto + "/" + port);
        continue;
      }
    
      # The raw banner is used only in the report. If it is missing the
      # problem is logged, but the version comparison still goes ahead.
      source_key = "sip/asterisk/" + proto + "/" + port + "/source";
      banner = get_kb_item(source_key);
      if (!banner)
      {
        errors = make_list(errors, "KB item '" + source_key + "' is missing");
        banner = 'unknown';
      }
    
      # Pick the fixed release for the branch the banner version belongs to.
      # The three branches cannot overlap: 10.x and 1.8.x require the absence
      # of "cert", Certified 1.8.11 requires its presence.
      # NOTE(review): any 10.x string without "cert" (digiumphones builds
      # included) is compared against 10.5.2; how ver_compare treats such a
      # suffix is not visible here.
      is_cert = ("cert" >< tolower(version));
    
      if (version =~ "^10([^0-9]|$)" && !is_cert)
        fixed = "10.5.2";              # Open Source 10.x < 10.5.2
      else if (version =~ "^1\.8([^0-9]|$)" && !is_cert)
        fixed = "1.8.13.1";            # Open Source 1.8.x < 1.8.13.1
      else if (version =~ "^1\.8\.11([^0-9]|$)" && is_cert)
        fixed = "1.8.11-cert4";        # Certified 1.8.11-certx < 1.8.11-cert4
    
      if (!isnull(fixed))
      {
        cmp_result = ver_compare(ver:version, fix:fixed, app:"asterisk");
      }
    
      # Anything not strictly older than the fix (or outside the affected
      # branches) is listed as not affected.
      if (!(cmp_result < 0))
      {
        not_vuln_installs = make_list(not_vuln_installs, version + " on port " + proto + "/" + port);
        continue;
      }
    
      # Banner version predates the fix: raise the finding for this port.
      is_vuln = TRUE;
      if (report_verbosity > 0)
      {
        details =
          '\n  Version source    : ' + banner +
          '\n  Installed version : ' + version +
          '\n  Fixed version     : ' + fixed + '\n';
        security_warning(port:port, proto:proto, extra:details);
      }
      else
      {
        security_warning(port:port, proto:proto);
      }
    }
    
    # Errors collected during the loop decide the exit status first. Findings
    # were already raised with security_warning inside the loop.
    error_count = max_index(errors);
    if (error_count)
    {
      if (error_count == 1)
        msg = errors[0];
      else
        msg = 'Errors were encountered verifying installs : \n  ' + join(errors, sep:'\n  ');
    
      exit(1, msg);
    }
    
    # No errors: summarise the installs that were judged not affected.
    clean_count = max_index(not_vuln_installs);
    if (clean_count == 1)
    {
      audit(AUDIT_INST_VER_NOT_VULN, "Asterisk " + not_vuln_installs[0]);
    }
    else if (clean_count != 0)
    {
      exit(0, "The Asterisk installs (" + join(not_vuln_installs, sep:", ") + ") are not affected.");
    }
    else if (is_vuln)
    {
      # Every evaluated install was reported as affected.
      exit(0);
    }
    else
    {
      # Nothing was evaluated at all.
      audit(AUDIT_NOT_INST, "Asterisk");
    }
    
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_4C1AC2DDC78811E1BE2514DAE9EBCF89.NASL
    description: Asterisk project reports : Possible resource leak on uncompleted re-invite transactions. Remote crash vulnerability in voice mail application.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 59859
    published: 2012-07-07
    reporter: This script is Copyright (C) 2012-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/59859
    title: FreeBSD : asterisk -- multiple vulnerabilities (4c1ac2dd-c788-11e1-be25-14dae9ebcf89)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2012-10324.NASL
    description: The Asterisk Development Team has announced security releases for Certified Asterisk 1.8.11 and Asterisk 1.8 and 10. The available security releases are released as versions 1.8.11-cert4, 1.8.13.1, 10.5.2, and 10.5.2-digiumphones. These releases are available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk/releases The release of Asterisk 1.8.11-cert4, 1.8.13.1, 10.5.2, and 10.5.2-digiumphones resolve the following two issues : - If Asterisk sends a re-invite and an endpoint responds to the re-invite with a provisional response but never sends a final response, then the SIP dialog structure is never freed and the RTP ports for the call are never released. If an attacker has the ability to place a call, they could create a denial of service by using all available RTP ports. - If a single voicemail account is manipulated by two parties simultaneously, a condition can occur where memory is freed twice causing a crash. These issues and their resolution are described in the security advisories. For more information about the details of these vulnerabilities, please read security advisories AST-2012-010 and AST-2012-011, which were released at the same time as this announcement. For a full list of changes in the current releases, please see the ChangeLogs : http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.11-cert4 http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.13.1 http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.5.2 http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.5.2-digiumphones The security advisories are available at : - http://downloads.asterisk.org/pub/security/AST-2012-010.pdf - http://downloads.asterisk.org/pub/security/AST-2012-011.pdf Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-03-17
    modified: 2012-07-20
    plugin id: 60069
    published: 2012-07-20
    reporter: This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/60069
    title: Fedora 17 : asterisk-10.5.2-1.fc17 (2012-10324)
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-201209-15.NASL
    description: The remote host is affected by the vulnerability described in GLSA-201209-15 (Asterisk: Multiple vulnerabilities) Multiple vulnerabilities have been found in Asterisk: An error in manager.c allows shell access (CVE-2012-2186). An error in Asterisk could cause all RTP ports to be exhausted (CVE-2012-3812). A double-free error could occur when two parties attempt to manipulate the same voicemail account simultaneously (CVE-2012-3863). Asterisk does not properly implement certain ACL rules (CVE-2012-4737). Impact : A remote, authenticated attacker could execute arbitrary code with the privileges of the process, cause a Denial of Service condition, or bypass outbound call restrictions. Workaround : There is no known workaround at this time. [Note: the Summary on this page attributes the voicemail double free to CVE-2012-3812, so the CVE-2012-3812 and CVE-2012-3863 labels in this advisory text appear to be swapped.]
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 62344
    published: 2012-09-27
    reporter: This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/62344
    title: GLSA-201209-15 : Asterisk: Multiple vulnerabilities
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-2550.NASL
    description: Several vulnerabilities were discovered in Asterisk, a PBX and telephony toolkit, allowing privilege escalation in the Asterisk Manager, denial of service or privilege escalation. More detailed information can be found in the Asterisk advisories: AST-2012-010, AST-2012-011, AST-2012-012, and AST-2012-013.
    last seen: 2020-03-17
    modified: 2012-09-19
    plugin id: 62188
    published: 2012-09-19
    reporter: This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/62188
    title: Debian DSA-2550-2 : asterisk - several vulnerabilities