Debian Local Security Checks : Debian: Security Advisory (DSA-2493-1)

Vulnerability Search		Search 324607 CVE descriptions and 145615 test descriptions, access 10,000+ cross references.
	Tests CVE All

Test ID: 1.3.6.1.4.1.25623.1.0.71471

Category: Debian Local Security Checks

Title: Debian: Security Advisory (DSA-2493-1)

Summary: The remote host is missing an update for the Debian 'asterisk' package(s) announced via the DSA-2493-1 advisory.

Description: Summary:
The remote host is missing an update for the Debian 'asterisk' package(s) announced via the DSA-2493-1 advisory.

Vulnerability Insight:
Several vulnerabilities were discovered in Asterisk, a PBX and telephony toolkit.

CVE-2012-2947

The IAX2 channel driver allows remote attackers to cause a denial of service (daemon crash) by placing a call on hold (when a certain mohinterpret setting is enabled).

CVE-2012-2948

The Skinny channel driver allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) by closing a connection in off-hook mode.

In addition, it was discovered that Asterisk does not set the alwaysauthreject option by default in the SIP channel driver. This allows remote attackers to observe a difference in response behavior and check for the presence of account names. (CVE-2011-2666) System administrators concerned by this user enumerating vulnerability should enable the alwaysauthreject option in the configuration. We do not plan to change the default setting in the stable version (Asterisk 1.6) in order to preserve backwards compatibility.

For the stable distribution (squeeze), this problem has been fixed in version 1:1.6.2.9-2+squeeze6.

For the testing distribution (wheezy) and the unstable distribution (sid), this problem has been fixed in version 1:1.8.13.0~
dfsg-1.

We recommend that you upgrade your asterisk packages.

Affected Software/OS:
'asterisk' package(s) on Debian 6.

Solution:
Please install the updated package(s).

CVSS Score:
4.0

CVSS Vector:
AV:N/AC:L/Au:S/C:N/I:N/A:P

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2012-2947
Bugtraq: 20120529 AST-2012-007: Remote crash vulnerability in IAX2 channel driver. (Google Search)
http://archives.neohapsis.com/archives/bugtraq/2012-05/0144.html
Debian Security Information: DSA-2493 (Google Search)
http://www.debian.org/security/2012/dsa-2493
http://www.securitytracker.com/id?1027102
http://secunia.com/advisories/49303
Common Vulnerability Exposure (CVE) ID: CVE-2012-2948
BugTraq ID: 53723
http://www.securityfocus.com/bid/53723
Bugtraq: 20120529 AST-2012-008: Skinny Channel Driver Remote Crash Vulnerability (Google Search)
http://archives.neohapsis.com/archives/bugtraq/2012-05/0145.html
http://www.securitytracker.com/id?1027103
XForce ISS Database: asterisk-scd-dos(75937)
https://exchange.xforce.ibmcloud.com/vulnerabilities/75937

Copyright Copyright (C) 2012 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit.
To run a free test of this vulnerability against your system, register below.

Test ID:	1.3.6.1.4.1.25623.1.0.71471
Category:	Debian Local Security Checks
Title:	Debian: Security Advisory (DSA-2493-1)
Summary:	The remote host is missing an update for the Debian 'asterisk' package(s) announced via the DSA-2493-1 advisory.
Description:	Summary: The remote host is missing an update for the Debian 'asterisk' package(s) announced via the DSA-2493-1 advisory. Vulnerability Insight: Several vulnerabilities were discovered in Asterisk, a PBX and telephony toolkit. CVE-2012-2947 The IAX2 channel driver allows remote attackers to cause a denial of service (daemon crash) by placing a call on hold (when a certain mohinterpret setting is enabled). CVE-2012-2948 The Skinny channel driver allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) by closing a connection in off-hook mode. In addition, it was discovered that Asterisk does not set the alwaysauthreject option by default in the SIP channel driver. This allows remote attackers to observe a difference in response behavior and check for the presence of account names. (CVE-2011-2666) System administrators concerned by this user enumerating vulnerability should enable the alwaysauthreject option in the configuration. We do not plan to change the default setting in the stable version (Asterisk 1.6) in order to preserve backwards compatibility. For the stable distribution (squeeze), this problem has been fixed in version 1:1.6.2.9-2+squeeze6. For the testing distribution (wheezy) and the unstable distribution (sid), this problem has been fixed in version 1:1.8.13.0~ dfsg-1. We recommend that you upgrade your asterisk packages. Affected Software/OS: 'asterisk' package(s) on Debian 6. Solution: Please install the updated package(s). CVSS Score: 4.0 CVSS Vector: AV:N/AC:L/Au:S/C:N/I:N/A:P
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2012-2947 Bugtraq: 20120529 AST-2012-007: Remote crash vulnerability in IAX2 channel driver. (Google Search) http://archives.neohapsis.com/archives/bugtraq/2012-05/0144.html Debian Security Information: DSA-2493 (Google Search) http://www.debian.org/security/2012/dsa-2493 http://www.securitytracker.com/id?1027102 http://secunia.com/advisories/49303 Common Vulnerability Exposure (CVE) ID: CVE-2012-2948 BugTraq ID: 53723 http://www.securityfocus.com/bid/53723 Bugtraq: 20120529 AST-2012-008: Skinny Channel Driver Remote Crash Vulnerability (Google Search) http://archives.neohapsis.com/archives/bugtraq/2012-05/0145.html http://www.securitytracker.com/id?1027103 XForce ISS Database: asterisk-scd-dos(75937) https://exchange.xforce.ibmcloud.com/vulnerabilities/75937
Copyright	Copyright (C) 2012 Greenbone AG