ID CVE-2007-2488
Summary The IAX2 channel driver (chan_iax2) in Asterisk before 20070504 does not properly null terminate data, which allows remote attackers to trigger loss of transmitted data, and possibly obtain sensitive information (memory contents) or cause a denial of service (application crash), by sending a frame that lacks a 0 byte.
References
Vulnerable Configurations
  • cpe:2.3:a:asterisk:asterisk:1.4.4_2007-04-27
CVSS
Base: 10.0 (as of 08-05-2007 - 15:51)
Impact:
Exploitability:
Access
  • Vector NETWORK
  • Complexity LOW
  • Authentication NONE
Impact
  • Confidentiality COMPLETE
  • Integrity COMPLETE
  • Availability COMPLETE
nessus via4
  • NASL family SuSE Local Security Checks
    NASL id SUSE_ASTERISK-3543.NASL
    description This update fixes multiple bugs that allowed attackers to remotely crash asterisk or cause an information leak (CVE-2007-1561, CVE-2007-1594, CVE-2007-1595, CVE-2007-2297, CVE-2007-2488).
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 27157
    published 2007-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27157
    title openSUSE 10 Security Update : asterisk (asterisk-3543)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1358.NASL
    description Several remote vulnerabilities have been discovered in Asterisk, a free software PBX and telephony toolkit. The Common Vulnerabilities and Exposures project identifies the following problems:
      - CVE-2007-1306 'Mu Security' discovered that a NULL pointer dereference in the SIP implementation could lead to denial of service.
      - CVE-2007-1561 Inria Lorraine discovered that a programming error in the SIP implementation could lead to denial of service.
      - CVE-2007-2294 It was discovered that a NULL pointer dereference in the manager interface could lead to denial of service.
      - CVE-2007-2297 It was discovered that a programming error in the SIP implementation could lead to denial of service.
      - CVE-2007-2488 Tim Panton and Birgit Arkestein discovered that a programming error in the IAX2 implementation could lead to information disclosure.
      - CVE-2007-3762 Russell Bryant discovered that a buffer overflow in the IAX implementation could lead to the execution of arbitrary code.
      - CVE-2007-3763 Chris Clark and Zane Lackey discovered that several NULL pointer dereferences in the IAX2 implementation could lead to denial of service.
      - CVE-2007-3764 Will Drewry discovered that a programming error in the Skinny implementation could lead to denial of service.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 25938
    published 2007-08-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25938
    title Debian DSA-1358-1 : asterisk - several vulnerabilities
refmap via4
bid 23824
confirm http://ftp.digium.com/pub/asa/ASA-2007-013.pdf
debian DSA-1358
osvdb 35769
secunia
  • 25134
  • 25582
suse SUSE-SA:2007:034
vupen ADV-2007-1661
xf asterisk-iax2-information-disclosure(34085)
Last major update 05-11-2012 - 22:38
Published 07-05-2007 - 15:19
Last modified 28-07-2017 - 21:31