Test ID: 1.3.6.1.4.1.25623.1.1.10.2014.0490
Category: Mageia Linux Local Security Checks
Title: Mageia: Security Advisory (MGASA-2014-0490)
Summary: The remote host is missing an update for the 'asterisk' package(s) announced via the MGASA-2014-0490 advisory.
Description:
Summary:
The remote host is missing an update for the 'asterisk' package(s) announced via the MGASA-2014-0490 advisory.

Vulnerability Insight:
Updated asterisk packages fix security vulnerabilities:

In Asterisk Open Source 11.x before 11.12.1, when an out-of-call message,
delivered by either the SIP or PJSIP channel driver or the XMPP stack, is
handled in Asterisk, a crash can occur if the channel servicing the message
is sent into the ReceiveFax dialplan application while using the
res_fax_spandsp module (CVE-2014-6610).

In Asterisk Open Source 11.x before 11.13.1, the res_jabber and res_xmpp
modules both use SSLv3 exclusively, and are hence susceptible to
CVE-2014-3566, a.k.a. POODLE. Also, the core TLS handling, used by the
chan_sip channel driver, the Asterisk Manager Interface (AMI), and the Asterisk
HTTP server, defaults to allowing SSLv3/SSLv2 fallback. This allows a MITM
to potentially force a connection to fall back to SSLv3, exposing it to the
POODLE vulnerability.

Asterisk has been updated to version 11.14.1, which fixes the CVE-2014-6610
issue, and in which it no longer uses SSLv3 for the res_jabber/res_xmpp
modules. Additionally, when the encryption method is not specified, the
default handling in the TLS core no longer allows for a fallback to SSLv3
or SSLv2. These changes mitigate the POODLE vulnerability.

Other security issues fixed in 11.14.1 include:

Mixed IP address families in access control lists may permit unwanted
traffic (AST-2014-012).

High call load may result in hung channels in ConfBridge (AST-2014-014).

Permission escalation through ConfBridge actions/dialplan functions
(AST-2014-017).

The DB dialplan function when executed from an external protocol (for
instance AMI), could result in a privilege escalation (AST-2014-018).

Affected Software/OS:
'asterisk' package(s) on Mageia 3, Mageia 4.

Solution:
Please install the updated package(s).

CVSS Score:
4.0

CVSS Vector:
AV:N/AC:L/Au:S/C:N/I:N/A:P

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2014-6610
Copyright: Copyright (C) 2022 Greenbone AG

© 1998-2025 E-Soft Inc. All rights reserved.