SB2012043001 - Buffer overflow in Asterisk
Published: April 30, 2012 Updated: July 28, 2020
Security Bulletin ID
SB2012043001
Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Buffer overflow (CVE-ID: CVE-2012-2416)
The vulnerability allows a remote #AU# to read and manipulate data.
chan_sip.c in the SIP channel driver in Asterisk Open Source 1.8.x before 1.8.11.1 and 10.x before 10.3.1 and Asterisk Business Edition C.3.x before C.3.7.4, when the trustrpid option is enabled, allows remote authenticated users to cause a denial of service (daemon crash) by sending a SIP UPDATE message that triggers a connected-line update attempt without an associated channel.
Remediation
Install update from vendor's website.
References
- http://downloads.asterisk.org/pub/security/AST-2012-006.html
- http://lists.fedoraproject.org/pipermail/package-announce/2012-May/079759.html
- http://osvdb.org/81456
- http://secunia.com/advisories/48891
- http://www.securityfocus.com/bid/53205
- http://www.securitytracker.com/id?1026963
- https://exchange.xforce.ibmcloud.com/vulnerabilities/75101
- https://issues.asterisk.org/jira/browse/ASTERISK-19770