FreeBSD : asterisk -- multiple vulnerabilities (f109b02f-f5a4-11e3-82e9-00a098b18457)

This script is Copyright (C) 2014 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing one or more security-related
updates.

Description :

The Asterisk project reports :

Asterisk Manager User Unauthorized Shell Access. Manager users can
execute arbitrary shell commands with the MixMonitor manager action.
Asterisk does not require system class authorization for a manager
user to use the MixMonitor action, so any manager user who is
permitted to use manager commands can potentially execute shell
commands as the user executing the Asterisk process.

Exhaustion of Allowed Concurrent HTTP Connections. Establishing a TCP
or TLS connection to the configured HTTP or HTTPS port respectively in
http.conf and then not sending or completing an HTTP request will tie
up an HTTP session. By doing this repeatedly until the maximum number
of open HTTP sessions is reached, legitimate requests are blocked.

See also :

http://downloads.asterisk.org/pub/security/AST-2014-006.pdf
http://downloads.asterisk.org/pub/security/AST-2014-007.pdf
https://www.asterisk.org/security
http://www.nessus.org/u?9912b539

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 6.5
(CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P)

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 76103

CVE ID: CVE-2014-4046, CVE-2014-4047
