 |
Home ▼ Bookkeeping
Online ▼ Security
Audits ▼
Managed
DNS ▼
About
Order
FAQ
Acceptable Use Policy
Dynamic DNS Clients
Configure Domains Dyanmic DNS Update Password Network
Monitor ▼
Enterprise Package
Advanced Package
Standard Package
Free Trial
FAQ
Price/Feature Summary
Order/Renew
Examples
Configure/Status Alert Profiles | ||
| Test ID: | 1.3.6.1.4.1.25623.1.1.10.2014.0171 |
| Category: | Mageia Linux Local Security Checks |
| Title: | Mageia: Security Advisory (MGASA-2014-0171) |
| Summary: | The remote host is missing an update for the 'asterisk' package(s) announced via the MGASA-2014-0171 advisory. |
| Description: | Summary: The remote host is missing an update for the 'asterisk' package(s) announced via the MGASA-2014-0171 advisory. Vulnerability Insight: Updated asterisk packages fix security vulnerabilities: In Asterisk before 11.6.1, a 16 bit SMS message that contains an odd message length value will cause the message decoding loop to run forever. The message buffer is not on the stack but will be overflowed resulting in corrupted memory and an immediate crash (CVE-2013-7100). In Asterisk before 11.6.1, external control protocols, such as the Asterisk Manager Interface, often have the ability to get and set channel variables, this allows the execution of dialplan functions. Reading the SHELL() function can execute arbitrary commands on the system Asterisk is running on. Writing to the FILE() function can change any file that Asterisk has write access to. When these functions are executed from an external protocol, that execution could result in a privilege escalation (AST-2013-007). In Asterisk before 11.8.1, sending a HTTP request that is handled by Asterisk with a large number of Cookie headers could overflow the stack. You could even exhaust memory if you sent an unlimited number of headers in the request (CVE-2014-2286). In Asterisk before 11.8.1, an attacker can use all available file descriptors using SIP INVITE requests. Each INVITE meeting certain conditions will leak a channel and several file descriptors. The file descriptors cannot be released without restarting Asterisk which may allow intrusion detection systems to be bypassed by sending the requests slowly (CVE-2014-2287). Affected Software/OS: 'asterisk' package(s) on Mageia 3. Solution: Please install the updated package(s). CVSS Score: 7.5 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P |
| Cross-Ref: |
Common Vulnerability Exposure (CVE) ID: CVE-2013-7100 BugTraq ID: 64364 http://www.securityfocus.com/bid/64364 Bugtraq: 20131216 AST-2013-006: Buffer Overflow when receiving odd length 16 bit SMS message (Google Search) http://archives.neohapsis.com/archives/bugtraq/2013-12/0089.html Debian Security Information: DSA-2835 (Google Search) http://www.debian.org/security/2014/dsa-2835 http://www.mandriva.com/security/advisories?name=MDVSA-2013:300 http://osvdb.org/101100 http://www.securitytracker.com/id/1029499 http://secunia.com/advisories/56294 XForce ISS Database: asterisk-sms-message-dos(89825) https://exchange.xforce.ibmcloud.com/vulnerabilities/89825 Common Vulnerability Exposure (CVE) ID: CVE-2014-2286 BugTraq ID: 66093 http://www.securityfocus.com/bid/66093 http://lists.fedoraproject.org/pipermail/package-announce/2014-March/130426.html http://lists.fedoraproject.org/pipermail/package-announce/2014-March/130400.html http://www.mandriva.com/security/advisories?name=MDVSA-2014:078 http://downloads.asterisk.org/pub/security/AST-2014-001-1.8.diff Common Vulnerability Exposure (CVE) ID: CVE-2014-2287 BugTraq ID: 66094 http://www.securityfocus.com/bid/66094 http://downloads.asterisk.org/pub/security/AST-2014-002-1.8.diff |
| Copyright | Copyright (C) 2022 Greenbone AG |
| This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below. |