#VU32780 Resource management error in Asterisk Open Source - CVE-2012-3863

Cybersecurity Help s.r.o.

Published: 2012-07-09 | Updated: 2020-07-28

Vulnerability identifier: #VU32780

Vulnerability risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2012-3863

CWE-ID: CWE-399

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Asterisk Open Source
Server applications / Conferencing, Collaboration and VoIP solutions

Vendor: Digium (Linux Support Services)

Description

The vulnerability allows a remote #AU# to perform service disruption.

channels/chan_sip.c in Asterisk Open Source 1.8.x before 1.8.13.1 and 10.x before 10.5.2, Asterisk Business Edition C.3.x before C.3.7.5, Certified Asterisk 1.8.11-certx before 1.8.11-cert4, and Asterisk Digiumphones 10.x.x-digiumphones before 10.5.2-digiumphones does not properly handle a provisional response to a SIP reINVITE request, which allows remote authenticated users to cause a denial of service (RTP port exhaustion) via sessions that lack final responses.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Asterisk Open Source: c.3.0 - c.3.7.5, 1.8.0 - 1.8.32.0, 10.5.0 - 10.5.1

External links
https://downloads.asterisk.org/pub/security/AST-2012-010.html
https://secunia.com/advisories/50687
https://secunia.com/advisories/50756
https://www.debian.org/security/2012/dsa-2550
https://www.securityfocus.com/bid/54327
https://issues.asterisk.org/jira/browse/ASTERISK-19992

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Resource management error in Asterisk

Resource management error in asterisk (Alpine package)