Vulnerabilities > CVE-2014-4048 - Denial of Service vulnerability in Asterisk PJSIP Channel Driver

047910
CVSS 4.3 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
digium
nessus

Summary

The PJSIP Channel Driver in Asterisk Open Source before 12.3.1 allows remote attackers to cause a denial of service (deadlock) by terminating a subscription request before it is complete, which triggers a SIP transaction timeout.

Vulnerable Configurations

Part Description Count
Application
Digium
784

Nessus

NASL familyMisc.
NASL idASTERISK_AST_2014_008.NASL
descriptionAccording to the version in its SIP banner, the version of Asterisk running on the remote host is potentially affected by the following denial of service vulnerabilities in the PJSIP channel driver : - A flaw exists in the publish / subscribe framework when an attempt to unsubscribe is made when not already subscribed. A remote attacker could exploit this flaw to cause a denial of service. (CVE-2014-4045) - A flaw exists when handling a SIP transaction timeout which may cause SIP traffic to not be processed. This could allow a remote, authenticated attacker subscribe to a resource in Asterisk and immediately disconnect, resulting in a denial of service. (CVE-2014-4048) Note that Nessus has not tested for these issues but has instead relied only on the application
last seen2020-06-01
modified2020-06-02
plugin id76089
published2014-06-17
reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/76089
titleAsterisk PJSIP Channel Driver Multiple DoS Vulnerabilities (AST-2014-005 / AST-2014-008)