CVE-2012-2415
Published 2012-04-30
CVE-2012-2415: Heap-based buffer overflow in chan_skinny.c in the Skinny channel driver in Asterisk Open Source 1.6.2.x before 1.6.2.24, 1.8.x before 1.8.11.1, and 10.x…
Priority P428 · medium · 6.5 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
EPSS: 2.72% (84.2nd percentile)
Heap-based buffer overflow in chan_skinny.c in the Skinny channel driver in Asterisk Open Source 1.6.2.x before 1.6.2.24, 1.8.x before 1.8.11.1, and 10.x before 10.3.1 allows remote authenticated users to cause a denial of service or possibly have unspecified other impact via a series of KEYPAD_BUTTON_MESSAGE events.
Affected
76 ranges · showing 25 (version ranges and fixed versions are not populated in this listing; all shown rows are identical)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| asterisk | open_source | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| osv | — | 6.5 | MEDIUM | — |
| vendor_debian | — | 6.5 | MEDIUM | — |
Debian
CVE-2012-2415: asterisk - Heap-based buffer overflow in chan_skinny.c in the Skinny channel driver in Aste...
vendor_debian · 2012 · CVSS 6.5 · MEDIUM
Scope: local
bullseye: resolved (fixed in 1:1.8.11.1~dfsg-1)
sid: resolved (fixed in 1:1.8.11.1~dfsg-1)
GHSA
GHSA-gq8c-3hw4-vx45: Heap-based buffer overflow in chan_skinny
ghsa_unreviewed · 2022-05-17 · MEDIUM · CWE-119
OSV
CVE-2012-2415: Heap-based buffer overflow in chan_skinny
osv · 2012-04-30 · CVSS 6.5 · MEDIUM
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2012-2414 CVE-2012-2415 CVE-2012-2416 asterisk various flaws [fedora-all]
bugzilla · 2012-04-24 · CVSS 6.5 · MEDIUM
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include this bug ID and the
bug IDs of this bug's parent bugs filed against the "Security Response"
product (the top-level CVE bugs). Please mention the CVE IDs being fixed
in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=securi
Bugzilla
CVE-2012-2414 CVE-2012-2415 CVE-2012-2416 asterisk various flaws [epel-6]
bugzilla · 2012-04-24 · CVSS 6.5 · MEDIUM
Body: the same automatically generated Fedora tracking-bug text as the [fedora-all] entry above.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&b
Bugzilla
CVE-2012-2415 asterisk: Heap buffer overflow in Skinny channel driver (AST-2012-005)
bugzilla · 2012-04-24 · CVSS 6.5 · MEDIUM
A heap-based buffer overflow flaw was found in the way the Skinny protocol implementation (Skinny driver) of Asterisk, an open-source telephony toolkit, processed certain protocol messages. A remote attacker could send a specially crafted KEYPAD_BUTTON_MESSAGE event which, once processed by Asterisk's Skinny driver, would lead to an asterisk executable crash or, potentially, arbitrary code execution with the privileges of the user running Asterisk.
Upstream advisory:
http://downloads.asterisk.org/pub/security/AST-2012-005.html
Upstream patch (against the v1.8 branch):
http://downloads.asterisk.org/pub/security/AST-2012-005-1.6.2.diff
Upstream patch (against the v1.10 branch):
http://downloads.asteri
References
http://downloads.asterisk.org/pub/security/AST-2012-005.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/079759.html
http://osvdb.org/81455
http://secunia.com/advisories/48891
http://secunia.com/advisories/48941
http://www.debian.org/security/2012/dsa-2460
http://www.securityfocus.com/bid/53210
http://www.securitytracker.com/id?1026962
https://exchange.xforce.ibmcloud.com/vulnerabilities/75102