Asterisk null pointer dereference remote pre-authentication DoS vulnerability

2007-03-05T00:00:00
ID VU:228032
Type cert
Reporter CERT
Modified 2007-03-19T00:00:00

Description

Overview

Asterisk contains a null pointer dereference vulnerability that may allow a remote, unauthenticated attacker to cause a denial-of-service condition on a vulnerable system.

Description

Asterisk is a popular PBX application with VoIP support. Asterisk contains a null pointer dereference vulnerability that can allow a remote, unauthenticated attacker to crash the Asterisk server software with a specially crafted Session Initiation Protocol (SIP) packet (typically udp/5060).


Impact

A remote, unauthenticated attacker may be able to cause a denial of service on a vulnerable server.


Solution

Apply an update

This issue is addressed in Asterisk versions 1.4.1 and 1.2.16.
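One way to triage an inventory of Asterisk version banners against the two fixed releases named above (an added example, not part of the original advisory). It assumes banners in the form printed by `asterisk -V`, treats any 1.2.x or 1.4.x release below the fixed one as needing the update, and reports branches the advisory does not mention as unknown; the host names and banners are constructed.

```python
import re

# Fixed releases named in the advisory, keyed by release branch (major, minor).
FIXED = {(1, 2): (1, 2, 16), (1, 4): (1, 4, 1)}

# Dotted release number with at least three parts, plus an optional "-suffix".
_RELEASE = re.compile(r"(?<![\d.])(\d+(?:\.\d+){2,})(-[A-Za-z0-9.]+)?")


def triage(banner):
    """Return 'fixed', 'update' or 'unknown' for one version banner."""
    m = _RELEASE.search(banner)
    if m is None:
        return "unknown"  # e.g. an SVN branch build with no release number
    release = tuple(int(part) for part in m.group(1).split("."))
    fixed = FIXED.get(release[:2])
    if fixed is None:
        return "unknown"  # branch not named in the advisory: do not guess
    # Assumption: every release in the branch below the fixed one needs the update.
    if release < fixed:
        return "update"
    # A pre-release tag on the fixed number itself predates the final release.
    suffix = (m.group(2) or "").lower()
    if release == fixed and suffix.startswith(("-rc", "-beta", "-alpha")):
        return "update"
    return "fixed"


def triage_inventory(inventory):
    """Map each host to its triage result."""
    return {host: triage(banner) for host, banner in inventory.items()}


# Constructed sample inventory (host names and banners are made up).
SAMPLE = {
    "pbx-a": "Asterisk 1.2.15",
    "pbx-b": "Asterisk 1.2.16",
    "pbx-c": "Asterisk 1.4.0-beta3",
    "pbx-d": "Asterisk 1.4.1",
    "pbx-e": "Asterisk SVN-branch-1.4-r57364",
    "pbx-f": "Asterisk 1.0.9",
}

if __name__ == "__main__":
    for host, status in sorted(triage_inventory(SAMPLE).items()):
        print(f"{host}: {status}")
```

Distribution packages can carry a backported fix under an older upstream version number, so an `update` result on a packaged install is a prompt to check the package changelog rather than a final verdict.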


Systems Affected

Vendor| Status| Date Notified| Date Updated
---|---|---|---
Asterisk| | -| 05 Mar 2007

CVSS Metrics

Group | Score | Vector
---|---|---
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A

References

  • <http://asterisk.org/node/48320>
  • <http://asterisk.org/node/48319>
  • <http://secunia.com/advisories/24380/>
  • <http://labs.musecurity.com/advisories/MU-200703-01.txt>
  • <http://secunia.com/advisories/24427/>
  • <http://securitytracker.com/id?1017723>
  • <http://www.securityfocus.com/bid/22838>

Credit

This vulnerability was reported by the Mu Security research team.

This document was written by Will Dormann.

Other Information

  • CVE IDs: CVE-2007-1306
  • Date Public: 04 Mar 2007
  • Date First Published: 05 Mar 2007
  • Date Last Updated: 19 Mar 2007
  • Severity Metric: 7.85
  • Document Revision: 12