Debian Local Security Checks : Debian Security Advisory DSA 2493-1 (asterisk)

Anfälligkeitssuche		Suche in 219043 CVE Beschreibungen und 99761 Test Beschreibungen, Zugriff auf 10,000+ Quellverweise.
	Tests CVE Alle

Test Kennung: 1.3.6.1.4.1.25623.1.0.71471

Kategorie: Debian Local Security Checks

Titel: Debian Security Advisory DSA 2493-1 (asterisk)

Zusammenfassung: The remote host is missing an update to asterisk;announced via advisory DSA 2493-1.

Beschreibung: Summary:
The remote host is missing an update to asterisk
announced via advisory DSA 2493-1.

Vulnerability Insight:
Several vulnerabilities were discovered in Asterisk, a PBX and
telephony toolkit.

CVE-2012-2947
The IAX2 channel driver allows remote attackers to cause a
denial of service (daemon crash) by placing a call on hold
(when a certain mohinterpret setting is enabled).

CVE-2012-2948
The Skinny channel driver allows remote authenticated users to
cause a denial of service (NULL pointer dereference and daemon
crash) by closing a connection in off-hook mode.

In addition, it was discovered that Asterisk does not set the
alwaysauthreject option by default in the SIP channel driver. This
allows remote attackers to observe a difference in response behavior
and check for the presence of account names. (CVE-2011-2666) System
administrators concerned by this user enumerating vulnerability should
enable the alwaysauthreject option in the configuration. We do not
plan to change the default setting in the stable version
(Asterisk 1.6) in order to preserve backwards compatibility.

For the stable distribution (squeeze), this problem has been fixed in
version 1:1.6.2.9-2+squeeze6.

For the testing distribution (wheezy) and the unstable distribution
(sid), this problem has been fixed in version 1:1.8.13.0~
dfsg-1.

Solution:
We recommend that you upgrade your asterisk packages.

CVSS Score:
5.0

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:N/A:N

Querverweis: Common Vulnerability Exposure (CVE) ID: CVE-2012-2947
Bugtraq: 20120529 AST-2012-007: Remote crash vulnerability in IAX2 channel driver. (Google Search)
http://archives.neohapsis.com/archives/bugtraq/2012-05/0144.html
Debian Security Information: DSA-2493 (Google Search)
http://www.debian.org/security/2012/dsa-2493
http://www.securitytracker.com/id?1027102
http://secunia.com/advisories/49303
Common Vulnerability Exposure (CVE) ID: CVE-2012-2948
BugTraq ID: 53723
http://www.securityfocus.com/bid/53723
Bugtraq: 20120529 AST-2012-008: Skinny Channel Driver Remote Crash Vulnerability (Google Search)
http://archives.neohapsis.com/archives/bugtraq/2012-05/0145.html
http://www.securitytracker.com/id?1027103
XForce ISS Database: asterisk-scd-dos(75937)
https://exchange.xforce.ibmcloud.com/vulnerabilities/75937
Common Vulnerability Exposure (CVE) ID: CVE-2011-2666
XForce ISS Database: asterisk-sip-channel-info-disclosure(68472)
https://exchange.xforce.ibmcloud.com/vulnerabilities/68472

Copyright Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com

Dies ist nur einer von 99761 Anfälligkeitstests in unserem Testpaket. Finden Sie mehr über unsere vollständigen Sicherheitsüberprüfungen heraus.
Um einen gratis Test für diese Anfälligkeit auf Ihrem System durchlaufen zu lassen, registrieren Sie sich bitte unten.

Test Kennung:	1.3.6.1.4.1.25623.1.0.71471
Kategorie:	Debian Local Security Checks
Titel:	Debian Security Advisory DSA 2493-1 (asterisk)
Zusammenfassung:	The remote host is missing an update to asterisk;announced via advisory DSA 2493-1.
Beschreibung:	Summary: The remote host is missing an update to asterisk announced via advisory DSA 2493-1. Vulnerability Insight: Several vulnerabilities were discovered in Asterisk, a PBX and telephony toolkit. CVE-2012-2947 The IAX2 channel driver allows remote attackers to cause a denial of service (daemon crash) by placing a call on hold (when a certain mohinterpret setting is enabled). CVE-2012-2948 The Skinny channel driver allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) by closing a connection in off-hook mode. In addition, it was discovered that Asterisk does not set the alwaysauthreject option by default in the SIP channel driver. This allows remote attackers to observe a difference in response behavior and check for the presence of account names. (CVE-2011-2666) System administrators concerned by this user enumerating vulnerability should enable the alwaysauthreject option in the configuration. We do not plan to change the default setting in the stable version (Asterisk 1.6) in order to preserve backwards compatibility. For the stable distribution (squeeze), this problem has been fixed in version 1:1.6.2.9-2+squeeze6. For the testing distribution (wheezy) and the unstable distribution (sid), this problem has been fixed in version 1:1.8.13.0~ dfsg-1. Solution: We recommend that you upgrade your asterisk packages. CVSS Score: 5.0 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Querverweis:	Common Vulnerability Exposure (CVE) ID: CVE-2012-2947 Bugtraq: 20120529 AST-2012-007: Remote crash vulnerability in IAX2 channel driver. (Google Search) http://archives.neohapsis.com/archives/bugtraq/2012-05/0144.html Debian Security Information: DSA-2493 (Google Search) http://www.debian.org/security/2012/dsa-2493 http://www.securitytracker.com/id?1027102 http://secunia.com/advisories/49303 Common Vulnerability Exposure (CVE) ID: CVE-2012-2948 BugTraq ID: 53723 http://www.securityfocus.com/bid/53723 Bugtraq: 20120529 AST-2012-008: Skinny Channel Driver Remote Crash Vulnerability (Google Search) http://archives.neohapsis.com/archives/bugtraq/2012-05/0145.html http://www.securitytracker.com/id?1027103 XForce ISS Database: asterisk-scd-dos(75937) https://exchange.xforce.ibmcloud.com/vulnerabilities/75937 Common Vulnerability Exposure (CVE) ID: CVE-2011-2666 XForce ISS Database: asterisk-sip-channel-info-disclosure(68472) https://exchange.xforce.ibmcloud.com/vulnerabilities/68472
Copyright	Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com