FreeBSD : asterisk -- Mitigation for libcURL HTTP request injection vulnerability (7656fc62-a7a7-11e4-96ba-001999f8d30b)

This script is Copyright (C) 2015 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing one or more security-related
updates.

Description :

The Asterisk project reports :

CVE-2014-8150 reported an HTTP request injection vulnerability in
libcURL. Asterisk uses libcURL in its func_curl.so module (the CURL()
dialplan function), as well as its res_config_curl.so (cURL realtime
backend) modules.

Since Asterisk may be configured to allow for user-supplied URLs to be
passed to libcURL, it is possible that an attacker could use Asterisk
as an attack vector to inject unauthorized HTTP requests if the
version of libcURL installed on the Asterisk server is affected by
CVE-2014-8150.

See also :

http://downloads.asterisk.org/pub/security/AST-2015-002.html
http://www.nessus.org/u?3a1aaf9f

Solution :

Update the affected packages.

Risk factor :

High

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 81097

Bugtraq ID:

CVE ID:
