CVE-2012-0885
Published 2012-01-25
CVE-2012-0885: chan_sip.c in Asterisk Open Source 1.8.x before 1.8.8.2 and 10.x before 10.0.1, when the res_srtp module is used and media support is improperly configured…
Priority P4 · 16 · medium 4.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P
EPSS: 2.50% (82.7th percentile)
chan_sip.c in Asterisk Open Source 1.8.x before 1.8.8.2 and 10.x before 10.0.1, when the res_srtp module is used and media support is improperly configured, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted SDP message with a crypto attribute and a (1) video or (2) text media type, as demonstrated by CSipSimple.
Affected
28 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| asterisk | open_source | — | — |
(The remaining 24 listed ranges repeat the same vendor and product; the version range and fix columns were not populated in the source.)
CVSS provenance
nvd: v2.0 · 4.3 MEDIUM · AV:N/AC:M/Au:N/C:N/I:N/A:P
osv: 4.3 MEDIUM
vendor_debian: 4.3 MEDIUM
Debian
CVE-2012-0885: asterisk - chan_sip.c in Asterisk Open Source 1.8.x before 1.8.8.2 and 10.x before 10.0.1, ...
vendor_debian · 2012 · CVSS 4.3 (MEDIUM)
Scope: local
bullseye: resolved (fixed in 1:1.8.8.2~dfsg-1)
sid: resolved (fixed in 1:1.8.8.2~dfsg-1)
GHSA
GHSA-5p63-p7g2-xmmx: chan_sip
ghsa_unreviewed · 2022-05-17 · MEDIUM
OSV
CVE-2012-0885: chan_sip
osv · 2012-01-25 · CVSS 4.3 (MEDIUM)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2012-0885 asterisk: Remote DoS while processing crypto line for media stream with non-existing RTP [fedora-all]
bugzilla · 2012-01-20 · CVSS 4.3 (MEDIUM)
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected Fedora versions.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include this bug ID and the bug IDs of this bug's parent bugs filed against the "Security Response" product (the top-level CVE bugs). Please mention the CVE IDs being fixed in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedor
Bugzilla
CVE-2012-0885 asterisk: Remote DoS while processing crypto line for media stream with non-existing RTP
bugzilla · 2012-01-20 · CVSS 4.3 (MEDIUM)
A denial of service flaw was found in the way asterisk processed certain requests to negotiate a secure video stream, when the res_srtp Asterisk module has been loaded and video support has not been enabled. A remote attacker could provide a specially-crafted media stream negotiation request, which, once processed by Asterisk, would lead to an asterisk daemon crash while processing the crypto line for such a media stream.
References:
[1] http://downloads.asterisk.org/pub/security/AST-2012-001.html
[2] https://issues.asterisk.org/jira/browse/ASTERISK-19202
Upstream patch against the v1.8.x branch:
[3] http://downloads.asterisk.org/pub/security/AST-2012-001-1.8.diff
Upstream patch against the v1.10.x b
Bugzilla
CVE-2012-0885 asterisk: Remote DoS while processing crypto line for media stream with non-existing RTP [epel-6]
bugzilla · 2012-01-20 · CVSS 4.3 (MEDIUM)
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected Fedora versions.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include this bug ID and the bug IDs of this bug's parent bugs filed against the "Security Response" product (the top-level CVE bugs). Please mention the CVE IDs being fixed in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedorapro
References
http://downloads.asterisk.org/pub/security/AST-2012-001-1.8.diff
http://downloads.asterisk.org/pub/security/AST-2012-001-10.diff
http://downloads.asterisk.org/pub/security/AST-2012-001.html
http://www.openwall.com/lists/oss-security/2012/01/20/16
http://www.openwall.com/lists/oss-security/2012/01/20/18
https://bugzilla.redhat.com/show_bug.cgi?id=783487
https://issues.asterisk.org/jira/browse/ASTERISK-19202
https://issues.asterisk.org/jira/secure/attachment/42202/issueA19202_crypto_if_uninited_text_or_video.patch
Published: 2012-01-25