Asterisk PJSIP Channel Driver Multiple DoS Vulnerabilities (AST-2014-005 / AST-2014-008)

This script is Copyright (C) 2014-2016 Tenable Network Security, Inc.

Synopsis :

A telephony application running on the remote host is affected by
multiple denial of service vulnerabilities.

Description :

According to the version in its SIP banner, the version of Asterisk
running on the remote host is potentially affected by the following
denial of service vulnerabilities in the PJSIP channel driver :

- A flaw exists in the publish / subscribe framework when
an unsubscribe is attempted without an existing
subscription. A remote attacker could exploit this flaw
to cause a denial of service. (CVE-2014-4045)

- A flaw exists when handling a SIP transaction timeout
which may cause SIP traffic to not be processed. This
could allow a remote, authenticated attacker to subscribe
to a resource in Asterisk and immediately disconnect,
resulting in a denial of service. (CVE-2014-4048)

Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.

Solution :

Upgrade to Asterisk 12.3.1 or apply the appropriate patch listed in
the Asterisk advisory.

Risk factor :

Medium / CVSS Base Score : 5.0
CVSS Temporal Score : 4.3
Public Exploit Available : false

Family: Misc.

Nessus Plugin ID: 76089

Bugtraq ID: 68032

CVE ID: CVE-2014-4045
