CVE-2012-2416
Published 2012-04-30
Priority: P4 · 25 · medium · CVSS 2.0 score 6.5
CVSS vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
EPSS: 2.19% (80.2th percentile)
chan_sip.c in the SIP channel driver in Asterisk Open Source 1.8.x before 1.8.11.1 and 10.x before 10.3.1 and Asterisk Business Edition C.3.x before C.3.7.4, when the trustrpid option is enabled, allows remote authenticated users to cause a denial of service (daemon crash) by sending a SIP UPDATE message that triggers a connected-line update attempt without an associated channel.
Affected
76 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| asterisk | open_source | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| osv | — | 6.5 | MEDIUM | — |
| vendor_debian | — | 6.5 | MEDIUM | — |
Debian
CVE-2012-2416: asterisk - chan_sip.c in the SIP channel driver in Asterisk Open Source 1.8.x before 1.8.11...
vendor_debian · 2012 · CVSS 6.5 · MEDIUM
Scope: local
bullseye: resolved (fixed in 1:1.8.11.1~dfsg-1)
sid: resolved (fixed in 1:1.8.11.1~dfsg-1)
GHSA
GHSA-86g6-76rg-wvxq: chan_sip
ghsa_unreviewed · 2022-05-17 · MEDIUM · CWE-119
OSV
CVE-2012-2416: chan_sip
osv · 2012-04-30 · CVSS 6.5 · MEDIUM
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2012-2414 CVE-2012-2415 CVE-2012-2416 asterisk various flaws [fedora-all]
bugzilla · 2012-04-24 · CVSS 6.5 · MEDIUM
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include this bug ID and the
bug IDs of this bug's parent bugs filed against the "Security Response"
product (the top-level CVE bugs). Please mention the CVE IDs being fixed
in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=securi
Bugzilla
CVE-2012-2414 CVE-2012-2415 CVE-2012-2416 asterisk various flaws [epel-6]
bugzilla · 2012-04-24 · CVSS 6.5 · MEDIUM
Bugzilla
CVE-2012-2416 asterisk: Crash by processing certain UPDATE requests in SIP channel driver (AST-2012-006)
bugzilla · 2012-04-24 · CVSS 6.5 · MEDIUM
A denial of service (asterisk crash) was found in the way the Session Initiation Protocol (SIP) channel driver of Asterisk, an open-source telephony toolkit, processed certain SIP UPDATE requests when the 'trustrpid' option was enabled. A remote attacker able to time the SIP UPDATE request so that it arrived in the interval after the call was terminated and its associated channel object had been destroyed, but before the SIP dialog associated with the call was destroyed, could use this flaw to crash the asterisk executable.
Upstream advisory:
http://downloads.asterisk.org/pub/security/AST-2012-006.html
Upstream patch (against the v1.8 branch):
http://dow
References
- http://downloads.asterisk.org/pub/security/AST-2012-006.html
- http://lists.fedoraproject.org/pipermail/package-announce/2012-May/079759.html
- http://osvdb.org/81456
- http://secunia.com/advisories/48891
- http://www.securityfocus.com/bid/53205
- http://www.securitytracker.com/id?1026963
- https://exchange.xforce.ibmcloud.com/vulnerabilities/75101
- https://issues.asterisk.org/jira/browse/ASTERISK-19770