GLSA-200905-01 : Asterisk: Multiple vulnerabilities
High Nessus Plugin ID 38677
SynopsisThe remote Gentoo host is missing one or more security-related patches.
DescriptionThe remote host is affected by the vulnerability described in GLSA-200905-01 (Asterisk: Multiple vulnerabilities)
Multiple vulnerabilities have been discovered in the IAX2 channel driver when performing the 3-way handshake (CVE-2008-1897), when handling a large number of POKE requests (CVE-2008-3263), when handling authentication attempts (CVE-2008-5558) and when handling firmware download (FWDOWNL) requests (CVE-2008-3264). Asterisk does also not correctly handle SIP INVITE messages that lack a 'From' header (CVE-2008-2119), and responds differently to a failed login attempt depending on whether the user account exists (CVE-2008-3903, CVE-2009-0041).
Remote unauthenticated attackers could send specially crafted data to Asterisk, possibly resulting in a Denial of Service via a daemon crash, call-number exhaustion, CPU or traffic consumption. Remote unauthenticated attackers could furthermore enumerate valid usernames to facilitate brute-force login attempts.
There is no known workaround at this time.
SolutionAll Asterisk users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose '>=net-misc/asterisk-1.2.32'