Asterisk: Multiple vulnerabilities
Gentoo Linux Security Advisory
GLSA 200905-01 / asterisk
Release date: May 02, 2009
Latest revision: May 02, 2009: 01
Architectures: All supported architectures
Gentoo bugs: #218966, #224835, #232696, #232698, #237476, #250748, #254304
Multiple vulnerabilities have been found in Asterisk allowing for Denial of
Service and username disclosure.
Asterisk is an open source telephony engine and toolkit.
Multiple vulnerabilities have been discovered in the IAX2 channel
driver when performing the 3-way handshake (CVE-2008-1897), when
handling a large number of POKE requests (CVE-2008-3263), when handling
authentication attempts (CVE-2008-5558) and when handling firmware
download (FWDOWNL) requests (CVE-2008-3264). Asterisk also does not
correctly handle SIP INVITE messages that lack a "From" header
(CVE-2008-2119), and responds differently to a failed login attempt
depending on whether the user account exists (CVE-2008-3903,
Remote unauthenticated attackers could send specially crafted data to
Asterisk, possibly resulting in a Denial of Service via a daemon crash,
call-number exhaustion, CPU or traffic consumption. Remote
unauthenticated attackers could furthermore enumerate valid usernames
to facilitate brute force login attempts.
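As an added illustration of the missing "From" header case described above (example code written for this advisory, not Asterisk's own chan_sip code): a minimal header lookup that returns NULL when a header is absent, with the INVITE handler rejecting such a request instead of dereferencing the pointer. The SIP messages are constructed, and sip_get_header() and handle_invite() are hypothetical names.

```c
/* Added example, not Asterisk code: mandatory-header check for a SIP INVITE.
 * sip_get_header() and handle_invite() are hypothetical names. */
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Value of header `name` (case-insensitive, long form only) with its length
 * in *len, or NULL when absent. Headers end at the first blank line. */
static const char *sip_get_header(const char *msg, const char *name, size_t *len)
{
    size_t nlen = strlen(name);
    const char *line = strchr(msg, '\n');              /* skip request line */
    while (line && *++line) {
        const char *eol = strchr(line, '\n');
        size_t llen = eol ? (size_t)(eol - line) : strlen(line);
        if (llen == 0 || (llen == 1 && line[0] == '\r'))
            break;                                     /* end of headers */
        if (llen > nlen && line[nlen] == ':' && strncasecmp(line, name, nlen) == 0) {
            const char *v = line + nlen + 1, *vend = line + llen;
            while (*v == ' ' || *v == '\t') v++;
            while (vend > v && (vend[-1] == '\r' || vend[-1] == ' ')) vend--;
            *len = (size_t)(vend - v);
            return v;
        }
        line = eol;
    }
    return NULL;
}
/* Hardened INVITE handling: a request without "From" gets 400 Bad Request
 * instead of a NULL dereference. Returns the status code to send. */
int handle_invite(const char *msg)
{
    size_t len;
    const char *from = sip_get_header(msg, "From", &len);
    if (from == NULL || len == 0)
        return 400;
    /* normal call setup would continue with `from` here */
    return 100;                                        /* 100 Trying */
}
/* Constructed sample messages, not captured traffic. */
const char *INVITE_NO_FROM = "INVITE sip:bob@example.invalid SIP/2.0\r\n"
    "To: <sip:bob@example.invalid>\r\nCall-ID: 1@192.0.2.1\r\nCSeq: 1 INVITE\r\n\r\n";
const char *INVITE_OK = "INVITE sip:bob@example.invalid SIP/2.0\r\n"
    "from: <sip:alice@example.invalid>;tag=a1\r\nTo: <sip:bob@example.invalid>\r\n"
    "Call-ID: 2@192.0.2.1\r\nCSeq: 1 INVITE\r\n\r\n";
int main(void) {
    printf("no From -> %d, with From -> %d\n", handle_invite(INVITE_NO_FROM), handle_invite(INVITE_OK));
    return 0;
}
```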
There is no known workaround at this time.
All Asterisk users should upgrade to the latest version:
Code Listing 3.1: Resolution
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/asterisk-1.2.32"