Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
debianDebianDEBIAN:DLA-2969-1:C9350
HistoryApr 03, 2022 - 5:56 a.m.

[SECURITY] [DLA 2969-1] asterisk security update

2022-04-0305:56:53
lists.debian.org
32

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.065 Low

EPSS

Percentile

93.6%

JSON

Debian LTS Advisory DLA-2969-1 [email protected]
https://www.debian.org/lts/security/ Abhijith PA
April 03, 2022 https://wiki.debian.org/LTS

Package : asterisk
Version : 1:13.14.1~dfsg-2+deb9u6
CVE ID : CVE-2019-13161 CVE-2019-18610 CVE-2019-18790 CVE-2019-18976
CVE-2020-28242

Multiple security issues were discovered in asterisk, an Open Source
Private Branch Exchange (PBX).

CVE-2019-13161

A pointer dereference in chan_sip while handling SDP negotiation 
allows an attacker to crash Asterisk

CVE-2019-18610

A remote authenticated Asterisk Manager Interface (AMI) user 
without system authorization could use a specially crafted 
Originate AMI request to execute arbitrary system commands

CVE-2019-18790

A SIP request can be sent to Asterisk that can change a SIP peer's 
IP address. A REGISTER does not need to occur, and calls can be 
hijacked as a result. The only thing that needs to be known is the 
peer's name; authentication details such as passwords do not need 
to be known. This vulnerability is only exploitable when the nat 
option is set to the default, or auto_force_rport.

CVE-2019-18976

A NULL pointer dereference and crash will occur when asterisk 
receives a re-invite initiating T.38 faxing and has a port of 0 
and no c line in the SDP

CVE-2020-28242

If Asterisk is challenged on an outbound INVITE and the nonce is 
changed in each response, Asterisk will continually send INVITEs 
in a loop. This causes Asterisk to consume more and more memory 
since the transaction will never terminate (even if the call is 
hung up), ultimately leading to a restart or shutdown of Asterisk

For Debian 9 stretch, these problems have been fixed in version
1:13.14.1~dfsg-2+deb9u6.

We recommend that you upgrade your asterisk packages.

For the detailed security status of asterisk please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/asterisk

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OSVersionArchitecturePackageVersionFilename
Debian9arm64asterisk-mobile< 1:13.14.1~dfsg-2+deb9u6asterisk-mobile_1:13.14.1~dfsg-2+deb9u6_arm64.deb
Debian9allasterisk-doc< 1:13.14.1~dfsg-2+deb9u6asterisk-doc_1:13.14.1~dfsg-2+deb9u6_all.deb
Debian9armhfasterisk-mp3< 1:13.14.1~dfsg-2+deb9u6asterisk-mp3_1:13.14.1~dfsg-2+deb9u6_armhf.deb
Debian9armelasterisk-modules< 1:13.14.1~dfsg-2+deb9u6asterisk-modules_1:13.14.1~dfsg-2+deb9u6_armel.deb
Debian9allasterisk< 1:13.14.1~dfsg-2+deb9u6asterisk_1:13.14.1~dfsg-2+deb9u6_all.deb
Debian9armhfasterisk-voicemail-imapstorage< 1:13.14.1~dfsg-2+deb9u6asterisk-voicemail-imapstorage_1:13.14.1~dfsg-2+deb9u6_armhf.deb
Debian9allasterisk-dev< 1:13.14.1~dfsg-2+deb9u6asterisk-dev_1:13.14.1~dfsg-2+deb9u6_all.deb
Debian9armhfasterisk-modules< 1:13.14.1~dfsg-2+deb9u6asterisk-modules_1:13.14.1~dfsg-2+deb9u6_armhf.deb
Debian9arm64asterisk-modules< 1:13.14.1~dfsg-2+deb9u6asterisk-modules_1:13.14.1~dfsg-2+deb9u6_arm64.deb
Debian9armelasterisk-mysql< 1:13.14.1~dfsg-2+deb9u6asterisk-mysql_1:13.14.1~dfsg-2+deb9u6_armel.deb
Rows per page:
1-10 of 591

Related

osv 7
nessus 7
debian 2
openvas 4
ubuntucve 5
prion 5
cve 6
checkpoint_advisories 1
veracode 5
symantec 3
freebsd 4
debiancve 5
alpinelinux 3
fedora 1
redhatcve 1
osv
osv
asterisk - security update
2022-04-03 00:00:00
asterisk - security update
2019-11-30 00:00:00
CVE-2019-13161
2019-07-12 20:15:11
nessus
nessus
Debian DLA-2969-1 : asterisk - LTS security update
2022-04-03 00:00:00
FreeBSD : asterisk -- AMI user could execute system commands (49b61ab6-0d04-11ea-87ca-001999f8d30b)
2019-11-25 00:00:00
Debian DLA-2017-2 : asterisk regression update
2019-12-03 00:00:00
debian
debian
[SECURITY] [DLA 2017-1] asterisk security update
2019-11-30 20:56:56
[SECURITY] [DLA 2017-2] asterisk regression update
2019-12-01 14:13:24
openvas
openvas
Debian LTS: Security Advisory for asterisk (DLA-2017-1)
2019-12-01 00:00:00
Asterisk Multiple Vulnerabilities (AST-2019-006, AST-2019-007)
2019-11-22 00:00:00
Asterisk DoS Vulnerability (AST-2019-008)
2019-11-22 00:00:00
ubuntucve
ubuntucve
CVE-2020-28242
2020-11-06 00:00:00
CVE-2019-18790
2019-11-22 00:00:00
CVE-2019-18610
2019-11-22 00:00:00
prion
prion
Authentication flaw
2019-11-22 17:15:00
Design/Logic Flaw
2019-11-22 18:15:00
Null pointer dereference
2019-07-12 20:15:00
cve
cve
CVE-2019-13161
2019-07-12 20:15:00
CVE-2019-18610
2019-11-22 18:15:00
CVE-2020-28242
2020-11-06 06:15:00
checkpoint_advisories
checkpoint_advisories
Sangoma Asterisk Command Injection (CVE-2019-18610)
2020-04-16 00:00:00
veracode
veracode
Access Restriction Bypass
2022-04-05 09:52:36
Access Restriction Bypass
2022-04-05 08:10:17
Denial Of Service (DoS)
2022-04-06 10:03:07
symantec
symantec
Asterisk Manager Interface CVE-2019-18610 Arbitrary Command Execution Vulnerability
2019-11-21 00:00:00
Asterisk Open Source CVE-2019-18976 Denial of Service Vulnerability
2019-11-21 00:00:00
Multiple Asterisk Products CVE-2019-18790 Authorization Bypass Vulnerability
2019-11-21 00:00:00
freebsd
freebsd
asterisk -- SIP request can change address of a SIP peer
2019-10-17 00:00:00
asterisk -- AMI user could execute system commands
2019-10-10 00:00:00
asterisk -- Remote Crash Vulnerability in chan_sip channel driver
2019-06-28 00:00:00
debiancve
debiancve
CVE-2019-18610
2019-11-22 18:15:00
CVE-2019-13161
2019-07-12 20:15:00
CVE-2019-18790
2019-11-22 17:15:00
alpinelinux
alpinelinux
CVE-2019-18790
2019-11-22 17:15:00
CVE-2019-18610
2019-11-22 18:15:00
CVE-2019-13161
2019-07-12 20:15:00
fedora
fedora
[SECURITY] Fedora 33 Update: asterisk-17.9.0-1.fc33
2020-11-28 02:04:43
redhatcve
redhatcve
CVE-2019-18351
2022-05-20 22:45:58

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.065 Low

EPSS

Percentile

93.6%

JSON
Related for DEBIAN:DLA-2969-1:C9350
osv7nessus7debian2openvas4ubuntucve5prion5cve6checkpoint_advisories1veracode5symantec3freebsd4debiancve5alpinelinux3fedora1redhatcve1