CVE-2012-3863
Published: 2012-07-09
Priority: P4
CVSS 2.0: 4.0 (medium), vector AV:N/AC:L/Au:S/C:N/I:N/A:P
EPSS: 3.20% (86.5th percentile)
channels/chan_sip.c in Asterisk Open Source 1.8.x before 1.8.13.1 and 10.x before 10.5.2, Asterisk Business Edition C.3.x before C.3.7.5, Certified Asterisk 1.8.11-certx before 1.8.11-cert4, and Asterisk Digiumphones 10.x.x-digiumphones before 10.5.2-digiumphones does not properly handle a provisional response to a SIP reINVITE request, which allows remote authenticated users to cause a denial of service (RTP port exhaustion) via sessions that lack final responses.
Affected
55 ranges (the page lists 25; only the Debian entry carries version data)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | asterisk | < asterisk 1:1.8.13.1~dfsg-1 (bullseye) | asterisk 1:1.8.13.1~dfsg-1 (bullseye) |
| digium | asterisk | not given on the page | not given on the page |
CVSS provenance
- nvd: CVSS v2.0, 4.0 MEDIUM, AV:N/AC:L/Au:S/C:N/I:N/A:P
- osv: 4.0 MEDIUM
- vendor_debian: 4.0 MEDIUM
GHSA
GHSA-6fc4-87xv-rxjx: channels/chan_sip (ghsa_unreviewed, 2022-05-17, MEDIUM)
Description: identical to the CVE description above.
OSV
CVE-2012-3863: channels/chan_sip (osv, 2012-07-09, CVSS 4.0, MEDIUM)
Description: identical to the CVE description above.
Debian
CVE-2012-3863: asterisk (vendor_debian, 2012, CVSS 4.0, MEDIUM)
Description: identical to the CVE description above.
Scope: local
bullseye: resolved (fixed in 1:1.8.13.1~dfsg-1)
sid: resolved (fixed in 1:1.8.13.1~dfsg-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2012-3863 CVE-2012-3812 asterisk various flaws [fedora-16] (bugzilla, 2012-07-06, CVSS 4.0, MEDIUM)
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include this bug ID and the
bug IDs of this bug's parent bugs filed against the "Security Response"
product (the top-level CVE bugs). Please mention the CVE IDs being fixed
in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=838178
Bugzilla
CVE-2012-3863 asterisk: Possible resource leak on uncompleted re-invite transactions (bugzilla, 2012-07-06, CVSS 4.0, MEDIUM)
AST-2012-010
If Asterisk sends a re-invite and an endpoint responds to the re-invite with a provisional response but never sends a final response, then the SIP dialog structure is never freed and the RTP ports for the call are never released. If an attacker has the ability to place a call, they could create a denial of service by using all available RTP ports.
References:
http://downloads.asterisk.org/pub/security/AST-2012-010.pdf
http://downloads.asterisk.org/pub/security/AST-2012-010.txt
http://downloads.asterisk.org/pub/security/AST-2012-010-10.diff
http://downloads.asterisk.org/pub/security/AST-2012-010-1.8.diff
Discussion:
Created asterisk tracking bugs for this issue
Affects: fedora-17 [bug 83
Bugzilla
CVE-2012-3863 CVE-2012-3812 asterisk various flaws [fedora-17] (bugzilla, 2012-07-06, CVSS 4.0, MEDIUM)
Automatically created tracking bug; its text is identical to the fedora-16 entry above, including the Bodhi update submission link.
Bugzilla
CVE-2012-3863 CVE-2012-3812 asterisk various flaws [epel-6] (bugzilla, 2012-07-06, CVSS 4.0, MEDIUM)
Automatically created tracking bug; its text is identical to the fedora-16 entry above, including the Bodhi update submission link.
References
- http://downloads.asterisk.org/pub/security/AST-2012-010.html
- http://secunia.com/advisories/50687
- http://secunia.com/advisories/50756
- http://www.debian.org/security/2012/dsa-2550
- http://www.securityfocus.com/bid/54327
- https://issues.asterisk.org/jira/browse/ASTERISK-19992