CVE-2012-2416Improper Restriction of Operations within the Bounds of a Memory Buffer in Asterisk

CWE-119Improper Restriction of Operations within the Bounds of a Memory Buffer7 documents5 sources
Severity
6.5MEDIUMNVD
EPSS
5.0%
top 10.22%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Debian AsteriskAsterisk Open Source
Timeline
PublishedApr 30
Latest updateMay 17

Description

chan_sip.c in the SIP channel driver in Asterisk Open Source 1.8.x before 1.8.11.1 and 10.x before 10.3.1 and Asterisk Business Edition C.3.x before C.3.7.4, when the trustrpid option is enabled, allows remote authenticated users to cause a denial of service (daemon crash) by sending a SIP UPDATE message that triggers a connected-line update attempt without an associated channel.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 8.0 | Impact: 6.4

Affected Packages2 packages

NVDasterisk/open_source75 versions+74
debiandebian/asterisk< asterisk 1:1.8.11.1~dfsg-1 (bullseye)

Patches

Patch: downloads.asterisk.orgPatch: downloads.asterisk.org

🔴Vulnerability Details

2
GHSA
GHSA-86g6-76rg-wvxq: chan_sip2022-05-17
OSV
CVE-2012-2416: chan_sip2012-04-30

📋Vendor Advisories

1
Debian
CVE-2012-2416: asterisk - chan_sip.c in the SIP channel driver in Asterisk Open Source 1.8.x before 1.8.11...2012

💬Community

3
Bugzilla
CVE-2012-2414 CVE-2012-2415 CVE-2012-2416 asterisk various flaws [fedora-all]2012-04-24
Bugzilla
CVE-2012-2414 CVE-2012-2415 CVE-2012-2416 asterisk various flaws [epel-6]2012-04-24
Bugzilla
CVE-2012-2416 asterisk: Crash by processing certain UPDATE requests in SIP channel driver (AST-2012-006)2012-04-24
CVE-2012-2416 — Debian Asterisk vulnerability | cvebase