#VU32783 Resource management error in Asterisk Open Source - CVE-2012-3812
Vulnerability identifier: #VU32783
Vulnerability risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID:
CWE-ID:
CWE-399
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Asterisk Open Source
Server applications /
Conferencing, Collaboration and VoIP solutions
Vendor: Digium (Linux Support Services)
Description
The vulnerability allows a remote #AU# to perform service disruption.
Double free vulnerability in apps/app_voicemail.c in Asterisk Open Source 1.8.x before 1.8.13.1 and 10.x before 10.5.2, Certified Asterisk 1.8.11-certx before 1.8.11-cert4, and Asterisk Digiumphones 10.x.x-digiumphones before 10.5.2-digiumphones allows remote authenticated users to cause a denial of service (daemon crash) by establishing multiple voicemail sessions and accessing both the Urgent mailbox and the INBOX mailbox.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Asterisk Open Source: 1.8.0 - 1.8.32.0, 10.5.0 - 10.5.1
External links
https://downloads.asterisk.org/pub/security/AST-2012-011.html
https://secunia.com/advisories/50687
https://secunia.com/advisories/50756
https://www.debian.org/security/2012/dsa-2550
https://www.securityfocus.com/bid/54317
https://issues.asterisk.org/jira/browse/ASTERISK-20052
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
