The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Asterisk: two vulnerabilities

Synthesis of the vulnerability

An attacker can use two vulnerabilities of Asterisk, in order to create a denial of service or to execute code.
Impacted software: Asterisk Open Source, Debian, Fedora.
Severity of this computer vulnerability: 3/4.
Number of vulnerabilities in this bulletin: 2.
Creation date: 22/04/2011.
References for this bulletin: AST-2011-005, AST-2011-006, BID-47537, CERTA-2003-AVI-001, CERTA-2011-AVI-196, CERTA-2011-AVI-249, CVE-2011-1507, CVE-2011-1599, DSA-2225-1, FEDORA-2011-6208, FEDORA-2011-6225, VIGILANCE-VUL-10594.

Description of the vulnerability

Two vulnerabilities were announced in Asterisk.

An unauthenticated attacker can open many TCP sessions (SIP over TCP, Skinny, Asterisk Manager Interface, HTTP) in order to cause a denial of service. [severity:2/4; AST-2011-005, CERTA-2011-AVI-249, CVE-2011-1507]

An attacker can send an Async or Application header to the Asterisk Manager Interface in order to execute a shell command. [severity:3/4; AST-2011-006, BID-47537, CVE-2011-1599]

An attacker can therefore use these two vulnerabilities of Asterisk in order to cause a denial of service or to execute code.

This vulnerability bulletin impacts software or systems such as Asterisk Open Source, Debian and Fedora.

Our Vigil@nce team determined that the severity of this cybersecurity bulletin is important.

The trust level is "confirmed by the editor", and the attack origin is "internet client".

This bulletin is about 2 vulnerabilities.

An attacker with expert skills can exploit this threat.

Solutions for this threat

Asterisk: version 1.8.4.
Version 1.8.4 is corrected:
  http://downloads.asterisk.org/pub/telephony/asterisk/

Asterisk: version 1.8.3.3.
Version 1.8.3.3 is corrected:
  http://downloads.asterisk.org/pub/telephony/asterisk/releases

Asterisk: version 1.6.2.18.
Version 1.6.2.18 is corrected:
  http://downloads.asterisk.org/pub/telephony/asterisk/

Asterisk: version 1.6.2.17.3.
Version 1.6.2.17.3 is corrected:
  http://downloads.asterisk.org/pub/telephony/asterisk/releases

Asterisk: version 1.6.1.25.
Version 1.6.1.25 is corrected:
  http://downloads.asterisk.org/pub/telephony/asterisk/releases

Asterisk: version 1.4.41.
Version 1.4.41 is corrected:
  http://downloads.asterisk.org/pub/telephony/asterisk/

Asterisk: version 1.4.40.1.
Version 1.4.40.1 is corrected:
  http://downloads.asterisk.org/pub/telephony/asterisk/releases
Version 1.4.40.2 fixes a regression and should be installed.

Debian: new asterisk packages.
New packages are available:
  1:1.4.21.2~dfsg-3+lenny2.1
  1:1.6.2.9-2+squeeze2

Fedora 13: new asterisk packages.
New packages are available:
  asterisk-1.6.2.18-1.fc13

Fedora 14: new asterisk packages.
New packages are available:
  asterisk-1.6.2.18-1.fc14
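The list above gives the first corrected release of each Asterisk branch. The following Python example is added here and is not part of the Vigil@nce bulletin or of the Asterisk project; it turns that list into a check that classifies an upstream Asterisk version string (for instance the output of `asterisk -V`) as fixed, vulnerable or unknown. It assumes the version is printed in dotted numeric form, and it applies only to upstream releases, not to the Debian or Fedora packages, which carry the fix as a backport under their own version numbers.

```python
"""Classify an upstream Asterisk version against the corrected releases
listed in this bulletin (AST-2011-005 / AST-2011-006)."""
import re

# First corrected release per branch, as listed under "Solutions".
# Later releases of the same branch (1.8.4, 1.6.2.18, 1.4.41, 1.4.40.2)
# compare greater than these tuples and are therefore also corrected.
FIXED = {
    (1, 8): (1, 8, 3, 3),
    (1, 6, 2): (1, 6, 2, 17, 3),
    (1, 6, 1): (1, 6, 1, 25),
    (1, 4): (1, 4, 40, 1),
}


def parse_version(text):
    """Extract a dotted numeric version from text such as 'Asterisk 1.6.2.17.2'.
    Returns a tuple of ints, or None when no version is present."""
    match = re.search(r"\b(\d+(?:\.\d+)+)", text)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def branch_of(version):
    """Return the bulletin branch the version belongs to (longest prefix match),
    or None for branches this bulletin does not cover (e.g. 1.6.0)."""
    for branch in sorted(FIXED, key=len, reverse=True):
        if version[:len(branch)] == branch:
            return branch
    return None


def assess(text):
    """Return 'fixed', 'vulnerable' or 'unknown' for an `asterisk -V` style string.
    Tuple comparison handles missing trailing components: (1, 4, 40) < (1, 4, 40, 1)."""
    version = parse_version(text)
    if version is None:
        return "unknown"
    branch = branch_of(version)
    if branch is None:
        return "unknown"
    return "fixed" if version >= FIXED[branch] else "vulnerable"


if __name__ == "__main__":
    # Constructed sample strings in the format `asterisk -V` prints.
    for sample in ("Asterisk 1.6.2.17.2", "Asterisk 1.8.4", "Asterisk 1.6.0.26"):
        print(f"{sample}: {assess(sample)}")
```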

Computer vulnerabilities tracking service

Vigil@nce provides a computer vulnerability database. The Vigil@nce security watch publishes vulnerability bulletins about threats impacting the information system.