CVE-2014-2287
Published 2014-04-18 · CVE-2014-2287: channels/chan_sip.c in Asterisk Open Source 1.8.x before 1.8.26.1, 11.8.x before 11.8.1, and 12.1.x before 12.1.1, and Certified Asterisk 1.8.15 before…
Priority: P4 (16) · CVSS 2.0: 3.5 (low)
Vector: AV:N/AC:M/Au:S/C:N/I:N/A:P
EPSS: 2.44% (82.3rd percentile)
channels/chan_sip.c in Asterisk Open Source 1.8.x before 1.8.26.1, 11.8.x before 11.8.1, and 12.1.x before 12.1.1, and Certified Asterisk 1.8.15 before 1.8.15-cert5 and 11.6 before 11.6-cert2, when chan_sip has a certain configuration, allows remote authenticated users to cause a denial of service (channel and file descriptor consumption) via an INVITE request with a (1) Session-Expires or (2) Min-SE header with a malformed or invalid value.
Affected
85 ranges (showing 25)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | asterisk | < asterisk 1:11.8.1~dfsg-1 (bullseye) | asterisk 1:11.8.1~dfsg-1 (bullseye) |
| digium | asterisk | — | — |
CVSS provenance
| Source | CVSS | Severity | Vector |
|---|---|---|---|
| nvd | 2.0: 3.5 | LOW | AV:N/AC:M/Au:S/C:N/I:N/A:P |
| osv | 3.5 | LOW | — |
| vendor_debian | 3.5 | LOW | — |
GHSA
GHSA-8x96-f2vc-6qpf: channels/chan_sip (CVE-2014-2287, LOW, CWE-20)
ghsa_unreviewed · 2022-05-17
OSV
CVE-2014-2287: channels/chan_sip (LOW)
osv · 2014-04-18 · CVSS 3.5
Debian
CVE-2014-2287: asterisk - channels/chan_sip.c in Asterisk Open Source 1.8.x before 1.8.26.1, 11.8.x before...
vendor_debian · 2014 · CVSS 3.5 (LOW)
Scope: local
bullseye: resolved (fixed in 1:11.8.1~dfsg-1)
sid: resolved (fixed in 1:11.8.1~dfsg-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2014-2286 CVE-2014-2287 asterisk: various flaws [epel-6]
bugzilla · 2014-03-11 · CVSS 7.5 (HIGH)
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
epel-6 tracking bug for asterisk: see b
Bugzilla
CVE-2014-2287 asterisk: remote denial of service via file descriptor exhaustion (AST-2014-002)
bugzilla · 2014-03-11 · CVSS 3.5 (LOW)
A remote denial of service flaw was found in Asterisk. This could be used to cause Asterisk to hit the open file descriptor limit, preventing it from handling further requests. The upstream advisory (http://downloads.asterisk.org/pub/security/AST-2014-002.html) notes the attacker requires "Valid account credentials or anonymous dial in" and "A valid extension that can be dialed from the SIP account".
This issue affected all 1.8.x and 11.x versions. It has been corrected in versions 1.8.26.1 and 11.8.1.
Upstream patches:
http://downloads.asterisk.org/pub/security/AST-2014-002-1.8.diff
http://downloads.asterisk.org/pub/security/AST-2014-002-11.diff
External References:
http://downloads.asterisk
Bugzilla
CVE-2014-2286 CVE-2014-2287 asterisk: various flaws [fedora-all]
bugzilla · 2014-03-11 · CVSS 7.5 (HIGH)
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
Please note: this issue affects multiple
References
http://downloads.asterisk.org/pub/security/AST-2014-002-1.8.diff
http://downloads.asterisk.org/pub/security/AST-2014-002.html
http://lists.fedoraproject.org/pipermail/package-announce/2014-March/130400.html
http://lists.fedoraproject.org/pipermail/package-announce/2014-March/130426.html
http://www.mandriva.com/security/advisories?name=MDVSA-2014:078
http://www.securityfocus.com/bid/66094
https://issues.asterisk.org/jira/browse/ASTERISK-23373
Published: 2014-04-18