CVE-2012-5977
Published 2013-01-04
Priority P4 · 21 · medium · 4.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P
EPSS 2.11% (79.4th percentile)
Asterisk Open Source 1.8.x before 1.8.19.1, 10.x before 10.11.1, and 11.x before 11.1.2; Certified Asterisk 1.8.11 before 1.8.11-cert10; and Asterisk Digiumphones 10.x-digiumphones before 10.11.1-digiumphones, when anonymous calls are enabled, allow remote attackers to cause a denial of service (resource consumption) by making anonymous calls from multiple sources and consequently adding many entries to the device state cache.
Affected
81 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | asterisk | < asterisk 1:1.8.13.1~dfsg-2 (bullseye) | asterisk 1:1.8.13.1~dfsg-2 (bullseye) |
| digium | asterisk | <= 1.8.19.0 | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:N/A:P |
| osv | — | 4.3 | MEDIUM | — |
| vendor_debian | — | 4.3 | MEDIUM | — |
GHSA
GHSA-43h5-hjxq-m9rj · ghsa_unreviewed · 2022-05-17 · MEDIUM · CWE-119
OSV
CVE-2012-5977 · osv · 2013-01-04 · CVSS 4.3 · MEDIUM
Debian
CVE-2012-5977: asterisk · vendor_debian · 2012 · CVSS 4.3 · MEDIUM
Scope: local
bullseye: resolved (fixed in 1:1.8.13.1~dfsg-2)
sid: resolved (fixed in 1:1.8.13.1~dfsg-2)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2012-5977 asterisk: Denial of service through exploitation of device state caching (AST-2012-015) · bugzilla · 2013-01-03 · CVSS 4.3 · MEDIUM
A denial of service flaw was found in the way Asterisk, an open-source PBX software, performed management of its internal device cache in certain circumstances. A remote attacker could use this flaw to cause the asterisk executable to consume an excessive amount of system resources via repeated anonymous calls with different sources of the particular anonymous call (forcing the asterisk binary to continually add new devices into its device cache).
References:
[1] http://downloads.asterisk.org/pub/security/AST-2012-015.html
Upstream patches:
[2] http://downloads.asterisk.org/pub/security/AST-2012-015-1.8.11.diff
[3] http://downloads.asterisk.org/pub/security/AST-2012-015-1.8.diff
[4] http:/
Bugzilla
CVE-2012-5976 CVE-2012-5977 asterisk various flaws [fedora-all] · bugzilla · 2013-01-03 · CVSS 5.0 · MEDIUM
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
Please note: this issue affects multiple
Bugzilla
CVE-2012-5976 CVE-2012-5977 asterisk various flaws [epel-6] · bugzilla · 2013-01-03 · CVSS 5.0 · MEDIUM
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
epel-6 tracking bug for asterisk: see bl
References:
http://downloads.asterisk.org/pub/security/AST-2012-015
http://www.debian.org/security/2013/dsa-2605
https://issues.asterisk.org/jira/browse/ASTERISK-20175