CVE-2009-0041
https://notcve.org/view.php?id=CVE-2009-0041
IAX2 in Asterisk Open Source 1.2.x before 1.2.31, 1.4.x before 1.4.23-rc4, and 1.6.x before 1.6.0.3-rc2; Business Edition A.x.x, B.x.x before B.2.5.7, C.1.x.x before C.1.10.4, and C.2.x.x before C.2.1.2.1; and s800i 1.2.x before 1.3.0 responds differently to a failed login attempt depending on whether the user account exists, which allows remote attackers to enumerate valid usernames. IAX2 en Asterisk Open Source v1.2.x anterior a v1.2.31, v1.4.x anterior a v1.4.23-rc4, y v1.6.x anterior a v1.6.0.3-rc2; Business Edition A.x.x, B.x.x anterior a B.2.5.7, C.1.x.x anterior a C.1.10.4, y C.2.x.x anterior a C.2.1.2.1; y s800i 1.2.x anterior a v1.3.0 responden de manera distinta ante un intento de acceso fallido dependiendo de si la cuenta de usuario existe, lo que permite a atacantes remotos listar nombres de usuario válidos. • http://downloads.digium.com/pub/security/AST-2009-001.html http://secunia.com/advisories/33453 http://secunia.com/advisories/34982 http://secunia.com/advisories/37677 http://security.gentoo.org/glsa/glsa-200905-01.xml http://securityreason.com/securityalert/4910 http://www.debian.org/security/2009/dsa-1952 http://www.securityfocus.com/archive/1/499884/100/0/threaded http://www.securityfocus.com/bid/33174 http://www.securitytracker.com/id?1021549 http://www.vupen.com/e • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2008-3264
https://notcve.org/view.php?id=CVE-2008-3264
The FWDOWNL firmware-download implementation in Asterisk Open Source 1.0.x, 1.2.x before 1.2.30, and 1.4.x before 1.4.21.2; Business Edition A.x.x, B.x.x before B.2.5.4, and C.x.x before C.1.10.3; AsteriskNOW; Appliance Developer Kit 0.x.x; and s800i 1.0.x before 1.2.0.1 allows remote attackers to cause a denial of service (traffic amplification) via an IAX2 FWDOWNL request. La implementación FWDOWNL firmware-download en Asterisk Open Source 1.0.x, 1.2.x antes de 1.2.30 y 1.4.x antes de 1.4.21.2; Business Edition A.x.x, B.x.x antes de B.2.5.4 y C.x.x antes de C.1.10.3; AsteriskNOW; Appliance Developer Kit 0.x.x; y s800i 1.0.x antes de 1.2.0.1 permite a atacantes remotos provocar una denegación de servicio (amplificación del tráfico) mediante una petición IAX2 FWDOWNL. • http://downloads.digium.com/pub/security/AST-2008-011.html http://secunia.com/advisories/31178 http://secunia.com/advisories/31194 http://secunia.com/advisories/34982 http://security.gentoo.org/glsa/glsa-200905-01.xml http://www.securityfocus.com/archive/1/494676/100/0/threaded http://www.securityfocus.com/bid/30350 http://www.securitytracker.com/id?1020536 http://www.vupen.com/english/advisories/2008/2168/references https://exchange.xforce.ibmcloud.com/vulnerabilities/43955 https • CWE-287: Improper Authentication •
CVE-2008-1923
https://notcve.org/view.php?id=CVE-2008-1923
The IAX2 channel driver (chan_iax2) in Asterisk 1.2 before revision 72630 and 1.4 before revision 65679, when configured to allow unauthenticated calls, sends "early audio" to an unverified source IP address of a NEW message, which allows remote attackers to cause a denial of service (traffic amplification) via a spoofed NEW message. El IAX2 channel driver (chan_iax2) en Asterisk 1.2 anterior a la revisión 72630 y 1.4 anterior a la revisión 65679, cuando está configurado para permitir llamadas sin autenticación, envía "early audio" a una IP sin verificar de un mensaje NEW, lo que permite a atacantes remotos provocar una denegación de servicio (amplificación del tráfico) a través de un mensaje NEW falseado. • http://bugs.digium.com/view.php?id=10078 http://downloads.digium.com/pub/security/AST-2008-006.html http://www.altsci.com/concepts/page.php?s=asteri&p=1 https://exchange.xforce.ibmcloud.com/vulnerabilities/42049 • CWE-16: Configuration •
CVE-2008-1897
https://notcve.org/view.php?id=CVE-2008-1897
The IAX2 channel driver (chan_iax2) in Asterisk Open Source 1.0.x, 1.2.x before 1.2.28, and 1.4.x before 1.4.19.1; Business Edition A.x.x, B.x.x before B.2.5.2, and C.x.x before C.1.8.1; AsteriskNOW before 1.0.3; Appliance Developer Kit 0.x.x; and s800i before 1.1.0.3, when configured to allow unauthenticated calls, does not verify that an ACK response contains a call number matching the server's reply to a NEW message, which allows remote attackers to cause a denial of service (traffic amplification) via a spoofed ACK response that does not complete a 3-way handshake. NOTE: this issue exists because of an incomplete fix for CVE-2008-1923. El driver del canal IAX2 (chan_iax2) en Asterisk Open Source 1.0.x, 1.2.x anteriores a 1.2.28 y 1.4.x anteriores a 1.4.19.1; Business Edition A.x.x, B.x.x anteriores a B.2.5.2 y C.x.x anteriores a C.1.8.1; AsteriskNOW anteriores a 1.0.3; Apliance Developer Kit 0.x.x y s800i anterior a la 1.1.0.3, cuando está configurado para permitir llamadas no autenticadas, no verifica que una respuesta ACK contenga un número que coincida con el de respuesta del servidor a un NUEVO mensaje, que puede permitir a los atacantes provocar una denegación de servicio (amplificación del tráfico) a través de una respuesta ACK falseada, que no complete la negociación de 3 pasos. NOTA: Este problema existe debido a una correción incompleto para CVE-2008-1923 • http://bugs.digium.com/view.php?id=10078 http://downloads.digium.com/pub/security/AST-2008-006.html http://secunia.com/advisories/29927 http://secunia.com/advisories/30010 http://secunia.com/advisories/30042 http://secunia.com/advisories/34982 http://security.gentoo.org/glsa/glsa-200905-01.xml http://www.altsci.com/concepts/page.php?s=asteri&p=2 http://www.debian.org/security/2008/dsa-1563 http://www.securityfocus.com/archive/1/491220/100/0/threaded http:/ • CWE-287: Improper Authentication •
CVE-2008-1332
https://notcve.org/view.php?id=CVE-2008-1332
Unspecified vulnerability in Asterisk Open Source 1.2.x before 1.2.27, 1.4.x before 1.4.18.1 and 1.4.19-rc3; Business Edition A.x.x, B.x.x before B.2.5.1, and C.x.x before C.1.6.2; AsteriskNOW 1.0.x before 1.0.2; Appliance Developer Kit before 1.4 revision 109393; and s800i 1.0.x before 1.1.0.2; allows remote attackers to access the SIP channel driver via a crafted From header. Vulnerabilidad no especificada en Asterisk Open Source versiones 1.2.x anteriores a 1.2.27, 1.4.x anteriores a 1.4.18.1 y 1.4.19-rc3; en Business Edition versiones A.x.x, B.x.x anteriores a B.2.5.1, y C.x.x anteriores a C.1.6.2; en AsteriskNOW versiones 1.0.x anteriores a 1.0.2; Appliance Developer Kit anteriores a 1.4 revisión 109393; y s800i versiones 1.0.x anteriores a 1.1.0.2 permite a atacantes remotos acceder al controlador del canal SIP mediante la utilización de una cabecera From especialmente construida. • http://downloads.digium.com/pub/security/AST-2008-003.html http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00011.html http://secunia.com/advisories/29426 http://secunia.com/advisories/29456 http://secunia.com/advisories/29470 http://secunia.com/advisories/29782 http://secunia.com/advisories/29957 http://security.gentoo.org/glsa/glsa-200804-13.xml http://securitytracker.com/id?1019629 http://www.asterisk.org/node/48466 http://www.debian.org/security/2008/dsa& • CWE-264: Permissions, Privileges, and Access Controls •