Vigil@nce - Asterisk: multiple vulnerabilities
December 2014 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can exploit several vulnerabilities in Asterisk.
Impacted products: Asterisk Open Source, MBS
Severity: 2/4
Creation date: 21/11/2014
DESCRIPTION OF THE VULNERABILITY
Several vulnerabilities were announced in Asterisk.
An attacker can use an address of one family (IPv4 or IPv6) in order to
bypass an ACL range expressed in the other family (IPv6 or IPv4).
[severity:2/4; AST-2014-012, CVE-2014-8412]
The res_pjsip_acl module does not always load ACLs, so an attacker
can bypass the policy. [severity:2/4; AST-2014-013, CVE-2014-8413]
An attacker can use a high load, in order to trigger a denial of
service on ConfBridge. [severity:2/4; AST-2014-014, CVE-2014-8414]
An attacker can send commands after a CANCEL query, in order to
trigger a denial of service of PJSIP. [severity:2/4; AST-2014-015,
CVE-2014-8415]
An attacker can send a malicious INVITE message, in order to
trigger a denial of service of res_pjsip_refer. [severity:2/4;
AST-2014-016, CVE-2014-8416]
An attacker can use ConfBridge, in order to escalate his
privileges. [severity:2/4; AST-2014-017, CVE-2014-8417]
An attacker can use AMI, in order to escalate his privileges.
[severity:2/4; AST-2014-018, CVE-2014-8418]
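Added example, not part of the Vigil@nce bulletin or of Asterisk's code: a small ordered deny/permit ACL evaluator modelled on Asterisk's "last matching entry wins, allow by default" semantics, showing how a family-mismatch bug of the kind described for AST-2014-012 lets an IPv4-mapped IPv6 peer slip past an IPv4-only deny rule, beside a hardened version that normalises the peer address first. The ACL entries, the mapped-address mechanism and the "0.0.0.0/0 matches every family" rule are assumptions made for the illustration.

```python
import ipaddress

# Constructed Asterisk-style ACL (assumption): entries are evaluated in order,
# the last matching entry wins, and a peer matching no entry is allowed.
SAMPLE_ACL = [
    ("deny", "0.0.0.0/0"),        # deny all IPv4 ...
    ("permit", "192.0.2.0/24"),   # ... except the management range
]


def _parse(acl):
    return [(action, ipaddress.ip_network(net)) for action, net in acl]


def evaluate_naive(peer, acl=SAMPLE_ACL):
    """Buggy matcher: an entry whose address family differs from the
    peer's is skipped, so a peer presented as ::ffff:a.b.c.d (IPv4-mapped
    IPv6) never hits the IPv4 'deny all' entry and falls to default-allow."""
    ip = ipaddress.ip_address(peer)
    verdict = "permit"
    for action, net in _parse(acl):
        if ip.version == net.version and ip in net:
            verdict = action
    return verdict == "permit"


def evaluate(peer, acl=SAMPLE_ACL):
    """Hardened matcher: fold IPv4-mapped IPv6 peers back to IPv4 before
    matching, and treat a /0 catch-all entry as family-independent (an
    assumed policy choice) so a 'deny all' cannot be dodged by family."""
    ip = ipaddress.ip_address(peer)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    verdict = "permit"
    for action, net in _parse(acl):
        if net.prefixlen == 0:
            verdict = action                     # catch-all: any family
        elif ip.version == net.version and ip in net:
            verdict = action
    return verdict == "permit"


if __name__ == "__main__":
    for peer in ("192.0.2.5", "198.51.100.7", "::ffff:198.51.100.7", "2001:db8::1"):
        print(f"{peer:>22}  naive={evaluate_naive(peer)!s:5}  fixed={evaluate(peer)}")
```

Running it shows the naive matcher permitting `::ffff:198.51.100.7` and `2001:db8::1` while the hardened one denies both and still permits the intended `192.0.2.0/24` range.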
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Asterisk-multiple-vulnerabilities-15687