Digium Asterisk HTTP Manager Interface Resource Exhaustion
TSL ID: TSL20130327-01
CVE ID(s): CVE-2013-2686
Severity: High
Description

A memory exhaustion vulnerability has been found in Digium Asterisk. The vulnerability is due to the use of a user-controlled size value in a memory allocation without validation.

A remote, unauthenticated attacker could exploit this vulnerability by sending a malicious HTTP request to the HTTP management interface of a vulnerable version of Asterisk. Successful exploitation would leave the service unable to allocate memory and could terminate the vulnerable program, denying service to legitimate users.

Digium has published an advisory and patches for this vulnerability:

http://downloads.asterisk.org/pub/security/AST-2013-002.html
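As an added illustration of the flaw class described above (this is not Asterisk's code and not from the Digium advisory), the following C shows the unbounded allocation pattern next to a bounded one. It assumes the user-controlled size value is an HTTP Content-Length header and assumes a 64 KiB request-body limit; both are assumptions for the example, not details from the advisory.

```c
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>

/* Assumed request-body limit for the manager interface (not Asterisk's value). */
#define MAX_BODY_LEN ((size_t)64 * 1024)

/* Vulnerable pattern, for contrast: the client-supplied length drives the
 * allocation with no upper bound, so a huge header value alone can exhaust
 * memory before any body is read. Not called by the checks below. */
char *alloc_body_unchecked(const char *content_length)
{
    size_t len = (size_t)atoll(content_length);   /* negative wraps to huge */
    return malloc(len + 1);
}

/* Strict parse of a Content-Length value: digits only, no sign or whitespace,
 * no overflow, and at most max_len. Returns 0 on success, -1 to reject. */
int parse_content_length(const char *s, size_t max_len, size_t *out)
{
    char *end;
    unsigned long long v;
    if (s == NULL || !isdigit((unsigned char)s[0]))
        return -1;                       /* empty, signed, or non-numeric */
    errno = 0;
    v = strtoull(s, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return -1;                       /* overflow or trailing garbage */
    if (v > max_len)
        return -1;                       /* larger than the configured limit */
    *out = (size_t)v;
    return 0;
}

/* Hardened pattern: validate first, allocate only a bounded size. */
char *alloc_body_checked(const char *content_length, size_t max_len)
{
    size_t len;
    if (parse_content_length(content_length, max_len, &len) != 0)
        return NULL;                     /* reject the request, allocate nothing */
    return calloc(len + 1, 1);           /* +1 for a terminating NUL */
}

/* Helper for checks: parsed length under MAX_BODY_LEN, or -1 when rejected. */
long long checked_length(const char *s)
{
    size_t n;
    return parse_content_length(s, MAX_BODY_LEN, &n) == 0 ? (long long)n : -1;
}
```

A server applying the checked variant refuses the request before touching the allocator, which is the property the official fix restores.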

Affected Products
  • Digium Asterisk Open Source prior to 10.12.2
  • Digium Asterisk Open Source prior to 11.2.2
  • Digium Asterisk Open Source prior to 1.8.20.2
  • Digium Certified Asterisk prior to 1.8.15-cert2
CVSS Score Base 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C):
  • Access vector is NETWORK
  • Access complexity is LOW
  • Level of authentication required is NONE
  • Impact of this vulnerability on data confidentiality is NONE
  • Impact of this vulnerability on data integrity is NONE
  • Impact of this vulnerability on data availability is COMPLETE
Temporal 5.8 (E:U/RL:OF/RC:C):
  • The exploitability level of this vulnerability is UNPROVEN
  • The remediation level of this vulnerability is OFFICIAL FIX
  • The report confidence level of this vulnerability is CONFIRMED
References:
http://downloads.asterisk.org/pub/security/AST-2013-002.html
http://telussecuritylabs.com/threats/show/TSL20130327-01