chan_skinny.c in the Skinny (aka SCCP) channel driver in Certified Asterisk 1.8.11-cert before 1.8.11-cert2 and Asterisk Open Source 1.8.x before 1.8.12.1 and 10.x before 10.4.1 allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) by closing a connection in off-hook mode.

Several vulnerabilities were discovered in Asterisk, a PBX and telephony toolkit.

  - CVE-2012-2947     The IAX2 channel driver allows remote attackers to cause     a denial of service (daemon crash) by placing a call on     hold (when a certain mohinterpret setting is enabled).

  - CVE-2012-2948     The Skinny channel driver allows remote authenticated     users to cause a denial of service (NULL pointer     dereference and daemon crash) by closing a connection in     off-hook mode.

In addition, it was discovered that Asterisk does not set the alwaysauthreject option by default in the SIP channel driver. This allows remote attackers to observe a difference in response behavior and check for the presence of account names. (CVE-2011-2666 ) System administrators concerned by this user enumerating vulnerability should enable the alwaysauthreject option in the configuration. We do not plan to change the default setting in the stable version (Asterisk 1.6) in order to preserve backwards compatibility.

The remote host is affected by the vulnerability described in GLSA-201206-05 (Asterisk: Multiple vulnerabilities)

    Multiple vulnerabilities have been found in Asterisk:
      An error in manager.c allows shell access through the MixMonitor         application, GetVar, or Status (CVE-2012-2414).
      An error in chan_skinny.c could cause a heap-based buffer overflow         (CVE-2012-2415).
      An error in chan_sip.c prevents Asterisk from checking if a channel         exists before connected line updates (CVE-2012-2416).
      An error in chan_iax2.c may cause an invalid pointer to be called         (CVE-2012-2947).
      chan_skinny.c contains a NULL pointer dereference (CVE-2012-2948).
  Impact :

    A remote attacker could execute arbitrary code with the privileges of       the process or cause a Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

According to the version in its SIP banner, the version of Asterisk running on the remote host is potentially affected by a vulnerability that could allow a remote attacker to crash the server.  This issue could be exploited when the attacker has a valid SCCP (Skinny) ID and closes a connection when in certain call states.  A NULL pointer is left behind and can cause the server to crash when the pointer is later dereferenced.

Asterisk project reports :

Remote crash vulnerability in IAX2 channel driver.

Skinny Channel Driver Remote Crash Vulnerability

ID	Name	Product	Family	Severity
59771	Debian DSA-2493-1 : asterisk - denial of service	Nessus	Debian Local Security Checks	medium
59633	GLSA-201206-05 : Asterisk: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	medium
59504	Asterisk Remote Crash Vulnerability in Skinny Channel Driver (AST-2012-008)	Nessus	Misc.	medium
59302	FreeBSD : asterisk -- multiple vulnerabilities (359f615d-a9e1-11e1-8a66-14dae9ebcf89)	Nessus	FreeBSD Local Security Checks	medium

Detections

Analytics

CVE-2012-2948

medium

Tenable Plugins

medium

medium

medium

medium