CVE-2012-4737
Published 2012-08-31
Priority P4 · CVSS 2.0: 6.0 (medium) · vector AV:N/AC:M/Au:S/C:P/I:P/A:P
EPSS: 1.49% (70.9th percentile)
channels/chan_iax2.c in Asterisk Open Source 1.8.x before 1.8.15.1 and 10.x before 10.7.1, Certified Asterisk 1.8.11 before 1.8.11-cert7, Asterisk Digiumphones 10.x.x-digiumphones before 10.7.1-digiumphones, and Asterisk Business Edition C.3.x before C.3.7.6 does not enforce ACL rules during certain uses of peer credentials, which allows remote authenticated users to bypass intended outbound-call restrictions by leveraging the availability of these credentials.
Affected
73 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | asterisk | < asterisk 1:1.8.13.1~dfsg-1 (bullseye) | asterisk 1:1.8.13.1~dfsg-1 (bullseye) |
| digium | asterisk | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 6.0 | MEDIUM | AV:N/AC:M/Au:S/C:P/I:P/A:P |
| osv | — | 6.0 | MEDIUM | — |
| vendor_debian | — | 6.0 | MEDIUM | — |
GHSA
GHSA-5hf4-mrr5-f9rh: channels/chan_iax2
ghsa_unreviewed · 2022-05-17 · MEDIUM
OSV
CVE-2012-4737: channels/chan_iax2
osv · 2012-08-31 · CVSS 6.0 · MEDIUM
Debian
CVE-2012-4737: asterisk - channels/chan_iax2.c in Asterisk Open Source 1.8.x before 1.8.15.1 and 10.x befo...
vendor_debian · 2012 · CVSS 6.0 · MEDIUM
Scope: local
bullseye: resolved (fixed in 1:1.8.13.1~dfsg-1)
sid: resolved (fixed in 1:1.8.13.1~dfsg-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2012-4737 Asterisk: ACL rules ignored when placing outbound calls by certain IAX2 users [fedora-16]
bugzilla · 2012-08-31 · CVSS 6.0 · MEDIUM
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include this bug ID and the
bug IDs of this bug's parent bugs filed against the "Security Response"
product (the top-level CVE bugs). Please mention the CVE IDs being fixed
in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org
Bugzilla
CVE-2012-4737 Asterisk: ACL rules ignored when placing outbound calls by certain IAX2 users [fedora-17]
bugzilla · 2012-08-31 · CVSS 6.0 · MEDIUM
Bugzilla
CVE-2012-4737 Asterisk: ACL rules ignored when placing outbound calls by certain IAX2 users [epel-6]
bugzilla · 2012-08-31 · CVSS 6.0 · MEDIUM
Bugzilla
CVE-2012-4737 Asterisk: ACL rules ignored when placing outbound calls by certain IAX2 users
bugzilla · 2012-08-31 · CVSS 6.0 · MEDIUM
AST-2012-013
When an IAX2 call is made using the credentials of a peer defined in a dynamic
Asterisk Realtime Architecture (ARA) backend, the ACL rules for that peer are not
applied to the call attempt. This allows for a remote attacker who is aware of a
peer's credentials to bypass the ACL rules set for that peer.
This was originally reported by "Alan Frisch"
http://downloads.asterisk.org/pub/security/AST-2012-013.pdf
http://downloads.asterisk.org/pub/security/AST-2012-013.1.8.diff
http://downloads.asterisk.org/pub/security/AST-2012-013.10.diff
Discussion:
Created asterisk tracking bugs for this issue
Affects: fedora-16 [bug 853527]
---
Created asterisk tracking bugs for this issue
Affect
References
http://downloads.asterisk.org/pub/security/AST-2012-013.html
http://secunia.com/advisories/50687
http://secunia.com/advisories/50756
http://www.debian.org/security/2012/dsa-2550
http://www.securityfocus.com/bid/55335
http://www.securitytracker.com/id?1027461
Published 2012-08-31