Vulnerability CVE-2007-2297

Vulnerability Name:

CVE-2007-2297 (CCN-33892)

Assigned:

2007-04-25

Published:

2007-04-25

Updated:

2018-10-16

Summary:

The SIP channel driver (chan_sip) in Asterisk before 1.2.18 and 1.4.x before 1.4.3 does not properly parse SIP UDP packets that do not contain a valid response code, which allows remote attackers to cause a denial of service (crash).

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Low

CVSS v2 Severity:

7.8 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)
5.8 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Complete

5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

Vulnerability Type:

CWE-Other

Vulnerability Consequences:

Denial of Service

References:

Source: CCN
Type: Full-Disclosure Mailing List, Tue Apr 24 2007 - 18:22:21 CDT
ASA-2007-011: Multiple problems in SIP channel parser handling response codes

Source: CCN
Type: Asterisk Web site
Asterisk- Downloads

Source: CCN
Type: ASA-2007-011
Multiple problems in SIP channel parser handling response codes

Source: MISC
Type: UNKNOWN
http://bugs.digium.com/view.php?id=9313

Source: MITRE
Type: CNA
CVE-2007-2297

Source: SECUNIA
Type: UNKNOWN
25582

Source: SREASON
Type: UNKNOWN
2644

Source: CCN
Type: SECTRACK ID: 1017954
Asterisk SIP Error Response Handling Bugs Let Remote Users Deny Service

Source: CONFIRM
Type: UNKNOWN
http://www.asterisk.org/files/ASA-2007-011.pdf

Source: DEBIAN
Type: UNKNOWN
DSA-1358

Source: DEBIAN
Type: DSA-1358
asterisk -- several vulnerabilities

Source: SUSE
Type: UNKNOWN
SUSE-SA:2007:034

Source: CCN
Type: OSVDB ID: 34482
Asterisk SIP Channel Driver (chan_sip) SIP Malformed UDP Packet DoS

Source: BUGTRAQ
Type: UNKNOWN
20070425 ASA-2007-011: Multiple problems in SIP channel parser handling response codes

Source: BID
Type: UNKNOWN
24359

Source: CCN
Type: BID-24359
Asterisk SIP Channel Driver UDP Packets Remote Denial of Service Vulnerability

Source: SECTRACK
Type: Patch
1017954

Source: XF
Type: UNKNOWN
asterisk-sip-response-dos(33892)

Source: XF
Type: UNKNOWN
asterisk-sip-response-dos(33892)

Source: SUSE
Type: SUSE-SA:2007:034
Asterisk security update

Vulnerable Configuration:

Configuration 1:

cpe:/a:asterisk:asterisk:1.2.0_beta1:*:*:*:*:*:*:*

OR cpe:/a:asterisk:asterisk:1.2.0_beta2:*:*:*:*:*:*:*

OR cpe:/a:asterisk:asterisk:1.2.10:*:*:*:*:*:*:*

OR cpe:/a:asterisk:asterisk:1.2.11:*:*:*:*:*:*:*

OR cpe:/a:asterisk:asterisk:1.2.12:*:*:*:*:*:*:*

OR cpe:/a:asterisk:asterisk:1.2.13:*:*:*:*:*:*:*

OR cpe:/a:asterisk:asterisk:1.2.14:*:*:*:*:*:*:*

OR cpe:/a:asterisk:asterisk:1.2.15:*:*:*:*:*:*:*

OR cpe:/a:asterisk:asterisk:1.2.16:*:*:*:*:*:*:*

OR cpe:/a:asterisk:asterisk:1.2.17:*:*:*:*:*:*:*

OR cpe:/a:asterisk:asterisk:1.4.1:*:*:*:*:*:*:*

OR cpe:/a:asterisk:asterisk:1.4.2:*:*:*:*:*:*:*

OR cpe:/a:asterisk:asterisk:1.4_beta:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:20072297	V	CVE-2007-2297	2015-11-16
oval:org.mitre.oval:def:18250	P	DSA-1358-1 asterisk	2014-06-23
oval:org.debian:def:1358	V	several vulnerabilities	2007-08-26

BACK