CVE-2013-5642
https://notcve.org/view.php?id=CVE-2013-5642
The SIP channel driver (channels/chan_sip.c) in Asterisk Open Source 1.8.x before 1.8.23.1, 10.x before 10.12.3, and 11.x before 11.5.1; Certified Asterisk 1.8.15 before 1.8.15-cert3 and 11.2 before 11.2-cert2; and Asterisk Digiumphones 10.x-digiumphones before 10.12.3-digiumphones allows remote attackers to cause a denial of service (NULL pointer dereference, segmentation fault, and daemon crash) via an invalid SDP that defines a media description before the connection description in a SIP request. El controlador de canal SIP (channels/chan_sip.c) en Asterisk Open Source 1.8.x (anteriores a 1.8.23.1), 10.x (anteriores a 10.12.3), y 11.x (anteriores a 11.5.1); Certified Asterisk 1.8.15 (anteriores a 1.8.15-cert3) y 11.2 (anteriores a 11.2-cert2); y Asterisk Digiumphones 10.x-digiumphones (anteriores a 10.12.3-digiumphones) permiten a un atcante remoto causar una denegación de servicio (referencia a puntero nulo, corrupción de memoria, y caída del demonio) a través de un SDP inválido que define una descripción de medios antes de la descripción de conexión en una petición SIP. • http://archives.neohapsis.com/archives/bugtraq/2013-08/0174.html http://downloads.asterisk.org/pub/security/AST-2013-005.html http://osvdb.org/96690 http://secunia.com/advisories/54534 http://secunia.com/advisories/54617 http://www.debian.org/security/2013/dsa-2749 http://www.mandriva.com/security/advisories?name=MDVSA-2013:223 http://www.securityfocus.com/bid/62022 http://www.securitytracker.com/id/1028957 https://issues.asterisk.org/jira/browse/ASTERISK-22007 • CWE-20: Improper Input Validation •
CVE-2013-5641
https://notcve.org/view.php?id=CVE-2013-5641
The SIP channel driver (channels/chan_sip.c) in Asterisk Open Source 1.8.17.x through 1.8.22.x, 1.8.23.x before 1.8.23.1, and 11.x before 11.5.1 and Certified Asterisk 1.8.15 before 1.8.15-cert3 and 11.2 before 11.2-cert2 allows remote attackers to cause a denial of service (NULL pointer dereference, segmentation fault, and daemon crash) via an ACK with SDP to a previously terminated channel. NOTE: some of these details are obtained from third party information. El controlador de canal SIP (channel/chan_sip.c) en Asterisk Open Source 1.8.17.x hasta 1.8.22.x, 1.8.23.x (anteriores a 1.8.23.1), y 11.x (anteriores a 11.5.1); y Certified Asterisk 1.8.15 (anteriores a 1.8.15-cert3) y 11.2 (anteriores a 11.2-cert2) permiten a un atacante remoto causar una denegación de servicio (referencia a puntero nulo, corrupción de memoria y caída del demonio) a través de un ACK con SDP a un canal previamente cerrado. NOTA: algunos de estos detalles fueron obtenidos de información de terceros. • http://archives.neohapsis.com/archives/bugtraq/2013-08/0175.html http://downloads.asterisk.org/pub/security/AST-2013-004.html http://osvdb.org/96691 http://seclists.org/bugtraq/2013/Aug/185 http://secunia.com/advisories/54534 http://secunia.com/advisories/54617 http://www.debian.org/security/2013/dsa-2749 http://www.mandriva.com/security/advisories?name=MDVSA-2013:223 http://www.securityfocus.com/bid/62021 http://www.securitytracker.com/id/1028956 https://issues.asteri • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVE-2012-5977
https://notcve.org/view.php?id=CVE-2012-5977
Asterisk Open Source 1.8.x before 1.8.19.1, 10.x before 10.11.1, and 11.x before 11.1.2; Certified Asterisk 1.8.11 before 1.8.11-cert10; and Asterisk Digiumphones 10.x-digiumphones before 10.11.1-digiumphones, when anonymous calls are enabled, allow remote attackers to cause a denial of service (resource consumption) by making anonymous calls from multiple sources and consequently adding many entries to the device state cache. Asterisk Open Source v1.8.x anteriores a v1.8.19.1, v10.x anteriores a v10.11.1, y v11.x anteriores a v11.1.2; Certified Asterisk v1.8.11 anteriores a v1.8.11-cert10; y Asterisk Digiumphones v10.x-digiumphones anteriores a v10.11.1-digiumphones, cuando están permitidas las llamadas anónimas, permiten a atacantes remotos a provocar una denegación de servicio(consumo de recursos) haciendo llamadas anónimas desde múltiples fuentes y en consecuencia, añadir varias entradas a la caché de estado del dispositivo. • http://downloads.asterisk.org/pub/security/AST-2012-015 http://www.debian.org/security/2013/dsa-2605 https://issues.asterisk.org/jira/browse/ASTERISK-20175 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVE-2012-5976
https://notcve.org/view.php?id=CVE-2012-5976
Multiple stack consumption vulnerabilities in Asterisk Open Source 1.8.x before 1.8.19.1, 10.x before 10.11.1, and 11.x before 11.1.2; Certified Asterisk 1.8.11 before 1.8.11-cert10; and Asterisk Digiumphones 10.x-digiumphones before 10.11.1-digiumphones allow remote attackers to cause a denial of service (daemon crash) via TCP data using the (1) SIP, (2) HTTP, or (3) XMPP protocol. Multiples vulnerabilidades de consumo en Asterisk Open Source v1.8.x anteriores a v1.8.19.1, v10.x anteriores a v10.11.1, y v11.x anteriores a v11.1.2; Certified Asterisk v1.8.11 anteriores a v1.8.11-cert10; y Asterisk Digiumphones 10.x-digiumphones anteriores a 10.11.1-digiumphones permite a atacantes remotos provocar una denegación de servicio (caíde del demonio) a través de datos TCP usando los protocolos (1) SIP, (2) HTTP, o (3) XMPP. • http://downloads.asterisk.org/pub/security/AST-2012-014 http://www.debian.org/security/2013/dsa-2605 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVE-2012-4737
https://notcve.org/view.php?id=CVE-2012-4737
channels/chan_iax2.c in Asterisk Open Source 1.8.x before 1.8.15.1 and 10.x before 10.7.1, Certified Asterisk 1.8.11 before 1.8.11-cert7, Asterisk Digiumphones 10.x.x-digiumphones before 10.7.1-digiumphones, and Asterisk Business Edition C.3.x before C.3.7.6 does not enforce ACL rules during certain uses of peer credentials, which allows remote authenticated users to bypass intended outbound-call restrictions by leveraging the availability of these credentials. channels/chan_iax2.c en Asterisk Open Source v1.8.x antes de v1.8.15.1 y v10.x antes de v10.7.1, Certified Asterisk v1.8.11-1.8.11 antes de cert7, Digiumphones Asterisk v10.xx-digiumphones antes de v10.7.1-digiumphones y Asterisk Business Edition C.3.x antes de C.3.7.6 no hace cumplir las reglas de ACL durante ciertos usos del par de credenciales, lo que permite a usuarios remotos autenticados eludir las restricciones de llamadas de salida aprovechándose de la disponibilidad de estas credenciales. • http://downloads.asterisk.org/pub/security/AST-2012-013.html http://secunia.com/advisories/50687 http://secunia.com/advisories/50756 http://www.debian.org/security/2012/dsa-2550 http://www.securityfocus.com/bid/55335 http://www.securitytracker.com/id?1027461 • CWE-264: Permissions, Privileges, and Access Controls •