Asterisk Multiple Vulnerabilities (AST-2011-005 / AST-2011-006)
Medium Nessus Plugin ID 53544
Synopsis
A telephony application running on the remote host is affected by multiple denial of service vulnerabilities.
Description
According to the version in its SIP banner, the version of Asterisk running on the remote host may be affected by multiple denial of service vulnerabilities :
- On systems that have the Asterisk Manager interface, Skinny, SIP over TCP, or the built-in HTTP server enabled, it is possible for an attacker to open an unlimited number of connections to Asterisk, which would cause Asterisk to run out of available file descriptors and stop processing any new calls. (AST-2011-005)
- A user of the Asterisk Manager interface can bypass a security check and execute shell commands without holding the 'system' privilege. Only manager users granted the 'system' privilege should be able to do this. (AST-2011-006)
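Because the AST-2011-006 bypass lets manager accounts run shell commands they were never granted, it is worth knowing which accounts legitimately hold the 'system' write class and from where they may connect. The following audit script is an added example written for this page, not code from Tenable or the Asterisk project. It assumes a manager.conf in Asterisk's ini-style format (sections, ';' comments, '=' or '=>' assignments); the sample configuration and account names are constructed, and template inheritance ([name](base)) is deliberately not resolved.

```python
# Constructed sample manager.conf (not from any real deployment).
SAMPLE_MANAGER_CONF = """\
[general]
enabled = yes
port = 5038
bindaddr = 0.0.0.0

[monitor]            ; read-only dashboard account
secret = s3cret
deny = 0.0.0.0/0.0.0.0
permit = 192.0.2.0/255.255.255.0
read = system,call,log
write = call,originate

[admin]
secret = changeme
write = all           ; 'all' includes 'system'

[ops]
secret => topsecret   ; Asterisk accepts '=>' as well as '='
read = all
write = system, call, command
"""


def parse_manager_conf(text):
    """Minimal parser for Asterisk's ini-style config: sections, ';' comments,
    '=' or '=>' assignments, repeated keys kept as a list. Template
    inheritance ([name](base)) is not resolved (simplifying assumption)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        if line.startswith("[") and "]" in line:
            current = line[1:line.index("]")].strip()
            sections.setdefault(current, {})
            continue
        if current is None:
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if value.startswith(">"):              # the "key => value" form
            value = value[1:]
        sections[current].setdefault(key.strip().lower(), []).append(value.strip())
    return sections


def permissions(entry, field):
    """Flatten one or more 'read='/'write=' lines into a set of class names."""
    names = set()
    for value in entry.get(field, []):
        names.update(p.strip().lower() for p in value.split(",") if p.strip())
    return names


def users_with_shell_privilege(text):
    """AMI accounts whose write classes include 'system', directly or via 'all'."""
    sections = parse_manager_conf(text)
    return sorted(
        name for name, entry in sections.items()
        if name != "general" and permissions(entry, "write") & {"system", "all"}
    )


def unrestricted_users(text):
    """Accounts with no 'permit' line, so not limited to a source network."""
    sections = parse_manager_conf(text)
    return sorted(
        name for name, entry in sections.items()
        if name != "general" and not entry.get("permit")
    )


if __name__ == "__main__":
    print("system/all write:", users_with_shell_privilege(SAMPLE_MANAGER_CONF))
    print("no permit list:  ", unrestricted_users(SAMPLE_MANAGER_CONF))
```

In the constructed sample, 'admin' and 'ops' are flagged on both counts: they can run shell commands through the manager interface and are not pinned to a source network, whereas 'monitor' holds only 'call' and 'originate' write classes and is limited to 192.0.2.0/24. On an unpatched build, AST-2011-006 means even 'monitor' should be treated as able to reach the shell, so the patch in the Solution below is the real fix; the account review only bounds the blast radius afterwards.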
Solution
Upgrade to Asterisk 1.4.40.1 / 1.6.1.25 / 1.6.2.17.3 / 1.8.3.3 / Business Edition C.3.6.4 or later.
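The check itself is banner-based: the plugin reads the version out of the Server or User-Agent header of a SIP reply and compares it with the fixed versions listed above. The script below is an added example written for this page, not Tenable's plugin code; it encodes those fixed versions per branch (1.4, 1.6.1, 1.6.2 and 1.8), parses a constructed SIP OPTIONS reply, and returns None rather than guessing for banners it cannot classify. Assumptions: the banner has the form "Asterisk PBX x.y.z" (Business Edition banners are not handled) and, as with any banner check, a distribution that backports the fix without bumping the version will be reported as vulnerable.

```python
import re

# First fixed version for each branch, taken from the Solution above.
# 1.6 was split into 1.6.1 and 1.6.2 release branches, so those need three
# components to identify the branch; 1.4 and 1.8 need two.
FIXED_IN = {
    (1, 4): (1, 4, 40, 1),
    (1, 6, 1): (1, 6, 1, 25),
    (1, 6, 2): (1, 6, 2, 17, 3),
    (1, 8): (1, 8, 3, 3),
}

BANNER_RE = re.compile(r"Asterisk(?: PBX)?\s+(\d+(?:\.\d+)+)")


def parse_version(banner):
    """Extract the dotted version from an Asterisk banner as a tuple of ints."""
    m = BANNER_RE.search(banner)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def branch_of(version):
    """Release branch a version belongs to (see the FIXED_IN comment)."""
    return version[:3] if version[:2] == (1, 6) else version[:2]


def is_vulnerable(banner):
    """True if the banner version predates the fix, False if it is at or after
    it, None when the banner is not Asterisk or the branch is not tabulated
    (e.g. 1.2, which never received these fixes, or Business Edition)."""
    version = parse_version(banner)
    if version is None:
        return None
    fixed = FIXED_IN.get(branch_of(version))
    if fixed is None:
        return None
    # Tuple comparison does the right thing for 1.6.2.17 < 1.6.2.17.3.
    return version < fixed


def banner_from_sip(response):
    """Return the Server or User-Agent header value of a SIP message, if any."""
    for line in response.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in ("server", "user-agent"):
            return value.strip()
    return None


def assess(response):
    """(banner, verdict) for a raw SIP reply; verdict as in is_vulnerable()."""
    banner = banner_from_sip(response)
    return banner, (is_vulnerable(banner) if banner else None)


# Constructed SIP OPTIONS reply (not a real capture) from a 1.8.3.2 host,
# i.e. one release before the fix.
SAMPLE_RESPONSE = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-1;received=192.0.2.10\r\n"
    "From: <sip:scanner@192.0.2.10>;tag=1\r\n"
    "To: <sip:probe@192.0.2.20>;tag=as5a1b2c3d\r\n"
    "Call-ID: 1@192.0.2.10\r\n"
    "CSeq: 1 OPTIONS\r\n"
    "Server: Asterisk PBX 1.8.3.2\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(assess(SAMPLE_RESPONSE))
```

The branch table is the part worth getting right: a naive comparison against a single "latest" version would mark 1.4.40.1 as vulnerable because it is numerically below 1.8.3.3, even though it carries the fix for its own branch. Treat a True verdict as a prompt to confirm the installed package rather than as proof of exposure, and a None verdict as "check by hand".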