Computer Security


Asterisk multiple security vulnerabilities
Published: 13.03.2014
Source:
SecurityVulns ID: 13599
Type: remote
Threat Level: 6/10
Description: Buffer overflow, DoS.
Affected: ASTERISK: Asterisk 12.0
CVE: CVE-2014-2289 (res/res_pjsip_exten_state.c in the PJSIP channel driver in Asterisk Open Source 12.x before 12.1.0 allows remote authenticated users to cause a denial of service (crash) via a SUBSCRIBE request without any Accept headers, which triggers an invalid pointer dereference.)
 CVE-2014-2288 (The PJSIP channel driver in Asterisk Open Source 12.x before 12.1.1, when qualify_frequency "is enabled on an AOR and the remote SIP server challenges for authentication of the resulting OPTIONS request," allows remote attackers to cause a denial of service (crash) via a PJSIP endpoint that does not have an associated outgoing request.)
 CVE-2014-2287 (channels/chan_sip.c in Asterisk Open Source 1.8.x before 1.8.26.1, 11.8.x before 11.8.1, and 12.1.x before 12.1.1, and Certified Asterisk 1.8.15 before 1.8.15-cert5 and 11.6 before 11.6-cert2, when chan_sip has a certain configuration, allows remote authenticated users to cause a denial of service (channel and file descriptor consumption) via an INVITE request with a (1) Session-Expires or (2) Min-SE header with a malformed or invalid value.)
 CVE-2014-2286 (main/http.c in Asterisk Open Source 1.8.x before 1.8.26.1, 11.8.x before 11.8.1, and 12.1.x before 12.1.1, and Certified Asterisk 1.8.x before 1.8.15-cert5 and 11.6 before 11.6-cert2, allows remote attackers to cause a denial of service (stack consumption) and possibly execute arbitrary code via an HTTP request with a large number of Cookie headers.)
Original document: ASTERISK, AST-2014-004: Remote Crash Vulnerability in PJSIP Channel Driver Subscription Handling (13.03.2014)
 ASTERISK, AST-2014-003: Remote Crash Vulnerability in PJSIP channel driver (13.03.2014)
 ASTERISK, AST-2014-002: Denial of Service Through File Descriptor Exhaustion with chan_sip Session-Timers (13.03.2014)
 ASTERISK, AST-2014-001: Stack Overflow in HTTP Processing of Cookie Headers. (13.03.2014)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod