CVE-2012-5976
Published 2013-01-04
CVE-2012-5976: Multiple stack consumption vulnerabilities in Asterisk Open Source 1.8.x before 1.8.19.1, 10.x before 10.11.1, and 11.x before 11.1.2; Certified Asterisk…
Priority: P4 · 26 · medium · 5 · CVSS 2.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
EPSS: 3.03% (85.8th percentile)
Multiple stack consumption vulnerabilities in Asterisk Open Source 1.8.x before 1.8.19.1, 10.x before 10.11.1, and 11.x before 11.1.2; Certified Asterisk 1.8.11 before 1.8.11-cert10; and Asterisk Digiumphones 10.x-digiumphones before 10.11.1-digiumphones allow remote attackers to cause a denial of service (daemon crash) via TCP data using the (1) SIP, (2) HTTP, or (3) XMPP protocol.
Affected
187 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| asterisk | certified_asterisk | — | — |
| asterisk | certified_asterisk | >= 0 < 1:1.8.13.1~dfsg-2 | 1:1.8.13.1~dfsg-2 |
| asterisk | digiumphones | — | — |
| asterisk | open_source | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| osv | — | 5.0 | MEDIUM | — |
| vendor_debian | — | 5.0 | MEDIUM | — |
GHSA
GHSA-32mc-px3q-67r4: main/http
ghsa_unreviewed · 2022-05-17 · CVSS 5.0
CVE-2013-2686 [MEDIUM] CWE-119
main/http.c in the HTTP server in Asterisk Open Source 1.8.x before 1.8.20.2, 10.x before 10.12.2, and 11.x before 11.2.2; Certified Asterisk 1.8.15 before 1.8.15-cert2; and Asterisk Digiumphones 10.x-digiumphones before 10.12.2-digiumphones does not properly restrict Content-Length values, which allows remote attackers to conduct stack-consumption attacks and cause a denial of service (daemon crash) via a crafted HTTP POST request. NOTE: this vulnerability exists because of an incorrect fix for CVE-2012-5976.
GHSA
GHSA-3g3q-h95m-9mp2: Multiple stack consumption vulnerabilities in Asterisk Open Source 1
ghsa_unreviewed · 2022-05-17
CVE-2012-5976 [MEDIUM] CWE-119
OSV
CVE-2013-2686: main/http
osv · 2013-04-01 · CVSS 5.0
CVE-2013-2686 [MEDIUM]
OSV
CVE-2012-5976: Multiple stack consumption vulnerabilities in Asterisk Open Source 1
osv · 2013-01-04 · CVSS 5.0
CVE-2012-5976 [MEDIUM]
Debian
CVE-2013-2686: asterisk - main/http.c in the HTTP server in Asterisk Open Source 1.8.x before 1.8.20.2, 10...
vendor_debian · 2013 · CVSS 5.0
CVE-2013-2686 [MEDIUM]
Scope: local
bullseye: resolved (fixed in 1:1.8.13.1~dfsg-2)
sid: resolved (fixed in 1:1.8.13.1~dfsg-2)
Debian
CVE-2012-5976: asterisk - Multiple stack consumption vulnerabilities in Asterisk Open Source 1.8.x before ...
vendor_debian · 2012 · CVSS 5.0
CVE-2012-5976 [MEDIUM]
Scope: local
bullseye: resolved (fixed in 1:1.8.13.1~dfsg-2)
sid: resolved (fixed in 1:1.8.13.1~dfsg-2)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2012-5976 CVE-2012-5977 asterisk various flaws [fedora-all]
bugzilla · 2013-01-03 · CVSS 5.0
CVE-2012-5976 [MEDIUM]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
Please note: this issue affects multiple
Bugzilla
CVE-2012-5976 asterisk: Crashes due to large stack allocations when using TCP (AST-2012-014)
bugzilla · 2013-01-03 · CVSS 5.0
CVE-2012-5976 [MEDIUM]
Multiple stack-based buffer overflow flaws were found in the way Asterisk, the open-source PBX software, processed certain SIP, HTTP and XMPP protocol-based network messages. A remote attacker could use this flaw to cause the asterisk executable to crash via specially crafted SIP, HTTP or XMPP protocol messages.
References:
[1] http://downloads.asterisk.org/pub/security/AST-2012-014.html
Upstream patches:
[2] http://downloads.asterisk.org/pub/security/AST-2012-014-1.8.11.diff
[3] http://downloads.asterisk.org/pub/security/AST-2012-014-1.8.diff
[4] http://downloads.asterisk.org/pub/security/AST-2012-014-10.diff
[5] http://downloads.asterisk.org/pub/security/AST-2012-014-11.diff
[6] http://bugs.debian
Bugzilla
CVE-2012-5976 CVE-2012-5977 asterisk various flaws [epel-6]
bugzilla · 2013-01-03 · CVSS 5.0
CVE-2012-5976 [MEDIUM]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
epel-6 tracking bug for asterisk: see bl
Published: 2013-01-04