Vulnerabilities > CVE-2014-4045 - Numeric Errors vulnerability in Digium Asterisk

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
digium
CWE-189
nessus
NVD
Published: 2014-06-17
Updated: 2024-11-21

Summary

The Publish/Subscribe Framework in the PJSIP channel driver in Asterisk Open Source 12.x before 12.3.1, when sub_min_expiry is set to zero, allows remote attackers to cause a denial of service (assertion failure and crash) via an unsubscribe request when not subscribed to the device.

Vulnerable Configurations

Part Description Count
Application
Digium
13

Common Weakness Enumeration (CWE)

Nessus

NASL familyMisc.
NASL idASTERISK_AST_2014_008.NASL
descriptionAccording to the version in its SIP banner, the version of Asterisk running on the remote host is potentially affected by the following denial of service vulnerabilities in the PJSIP channel driver : - A flaw exists in the publish / subscribe framework when an attempt to unsubscribe is made when not already subscribed. A remote attacker could exploit this flaw to cause a denial of service. (CVE-2014-4045) - A flaw exists when handling a SIP transaction timeout which may cause SIP traffic to not be processed. This could allow a remote, authenticated attacker subscribe to a resource in Asterisk and immediately disconnect, resulting in a denial of service. (CVE-2014-4048) Note that Nessus has not tested for these issues but has instead relied only on the application
last seen2020-06-01
modified2020-06-02
plugin id76089
published2014-06-17
reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/76089
titleAsterisk PJSIP Channel Driver Multiple DoS Vulnerabilities (AST-2014-005 / AST-2014-008)

References