Vulnerability Name:

CVE-2007-4103 (CCN-35682)

Assigned:2007-07-23
Published:2007-07-23
Updated:2018-10-15
Summary:The IAX2 channel driver (chan_iax2) in Asterisk Open Source 1.2.x before 1.2.23, 1.4.x before 1.4.9, and Asterisk Appliance Developer Kit before 0.6.0, when configured to allow unauthenticated calls, allows remote attackers to cause a denial of service (resource exhaustion) via a flood of calls that do not complete a 3-way handshake, which causes an ast_channel to be allocated but not released.
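The precondition described in the summary (many IAX2 NEW requests from a peer that never completes the NEW / ACCEPT / ACK handshake) is observable on the wire. The script below is an added example, not code from this page, from Asterisk or from the advisory: it decodes the 12-byte IAX2 full-frame header as laid out in RFC 5456 (F bit and source call number, R bit and destination call number, timestamp, sequence numbers, frame type, subclass), tracks which peer call numbers have sent NEW without a later ACK or HANGUP, and flags sources with an unusual number of half-open calls. The traffic it runs over is constructed inline for the demonstration; the threshold and the per-address keying are assumptions, not values from the advisory.

```python
"""Flag IAX2 peers that open calls (NEW) without completing the 3-way handshake.

Added example for CVE-2007-4103; not code from Asterisk or from ASA-2007-018.
Header layout and IAX subclass numbers follow the IAX2 full-frame format
(RFC 5456); the sample packets below are constructed for this demo.
"""
import struct
from collections import defaultdict

# Full frame header: F|src_call(15)  R|dst_call(15)  timestamp(32)  oseq  iseq  type  C|subclass(7)
_HDR = struct.Struct("!HHIBBBB")
FRAME_IAX = 6                         # frame type carrying IAX control messages
SUB_NEW, SUB_ACK, SUB_HANGUP = 1, 4, 5  # IAX subclasses relevant to call setup/teardown


def parse_full_frame(payload: bytes):
    """Return (src_call, dst_call, frame_type, subclass), or None for mini frames
    (F bit clear) and packets too short to hold a full-frame header."""
    if len(payload) < _HDR.size:
        return None
    scall, dcall, _ts, _oseq, _iseq, ftype, sub = _HDR.unpack_from(payload)
    if not scall & 0x8000:            # F bit clear: mini frame, carries no signalling
        return None
    return scall & 0x7FFF, dcall & 0x7FFF, ftype, sub & 0x7F


def build_frame(src_call, dst_call, ftype, subclass, full=True):
    """Pack a full-frame header with no IEs; used here only to construct sample input."""
    f_bit = 0x8000 if full else 0
    return _HDR.pack(f_bit | src_call, dst_call, 0, 0, 0, ftype, subclass)


def incomplete_calls(packets):
    """packets: iterable of (src_ip, udp_payload) seen inbound on the IAX2 port.

    A call is pending from the peer's NEW until that peer ACKs our reply (the
    third leg of the handshake) or hangs it up.  Returns {src_ip: pending_count}.
    Keying on source address alone is an assumption for this demo; a real
    detector would key on address and port.
    """
    pending = defaultdict(set)        # src_ip -> {peer call numbers awaiting ACK}
    for src_ip, payload in packets:
        parsed = parse_full_frame(payload)
        if parsed is None:
            continue
        scall, _dcall, ftype, sub = parsed
        if ftype != FRAME_IAX:
            continue
        if sub == SUB_NEW:
            pending[src_ip].add(scall)
        elif sub in (SUB_ACK, SUB_HANGUP):
            pending[src_ip].discard(scall)   # handshake completed or call abandoned cleanly
    return {ip: len(calls) for ip, calls in pending.items()}


def flag_floods(packets, threshold=50):
    """Return sorted [(src_ip, pending_count)] for sources at or above threshold (assumed value)."""
    return sorted(
        (ip, n) for ip, n in incomplete_calls(packets).items() if n >= threshold
    )


def sample_packets():
    """Constructed traffic: 10.0.0.5 completes two calls; 198.51.100.9 sends 60 NEWs
    and never ACKs; a mini frame and a truncated packet are included as noise."""
    pkts = []
    for call in (1, 2):
        pkts.append(("10.0.0.5", build_frame(call, 0, FRAME_IAX, SUB_NEW)))
        pkts.append(("10.0.0.5", build_frame(call, 100 + call, FRAME_IAX, SUB_ACK)))
    for call in range(1, 61):
        pkts.append(("198.51.100.9", build_frame(call, 0, FRAME_IAX, SUB_NEW)))
    pkts.append(("10.0.0.5", build_frame(1, 101, 2, 0, full=False)))   # F bit clear: ignored
    pkts.append(("203.0.113.7", b"\x80\x01"))                           # too short: ignored
    return pkts


if __name__ == "__main__":
    for ip, n in flag_floods(sample_packets()):
        print(f"{ip}: {n} calls opened without completing the handshake")
```

The detector only sees the peer's side of the exchange, so it does not need the server's ACCEPT or AUTHREQ; a NEW that is never followed by the same peer's ACK or HANGUP is exactly the half-open call the summary says leaves an ast_channel allocated. Per the summary, the exposure exists only when the driver is configured to accept unauthenticated calls, so a hit from this script is worth correlating with that setting before treating it as an attack.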
CVSS v3 Severity:5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): Low
CVSS v2 Severity:7.8 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)
5.8 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): Complete
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
Vulnerability Type:CWE-Other
Vulnerability Consequences:Denial of Service
References:Source: CONFIRM
Type: UNKNOWN
http://bugs.gentoo.org/show_bug.cgi?id=185713

Source: MITRE
Type: CNA
CVE-2007-4103

Source: CCN
Type: ASA-2007-018
Resource Exhaustion vulnerability in IAX2 channel driver

Source: CONFIRM
Type: Patch
http://ftp.digium.com/pub/asa/ASA-2007-018.pdf

Source: OSVDB
Type: UNKNOWN
38197

Source: CCN
Type: SA26274
Asterisk IAX2 Channel Driver Denial of Service

Source: SECUNIA
Type: Patch, Vendor Advisory
26274

Source: SECUNIA
Type: UNKNOWN
29051

Source: GENTOO
Type: UNKNOWN
GLSA-200802-11

Source: SREASON
Type: UNKNOWN
2960

Source: CCN
Type: SECTRACK ID: 1018472
Asterisk IAX2 Channel Driver Resource Consumption Bug Lets Remote Users Deny Service

Source: CCN
Type: Asterisk Web site
Asterisk :: The Open Source Telephony Platform

Source: CCN
Type: GLSA-200802-11
Asterisk: Multiple vulnerabilities

Source: CCN
Type: OSVDB ID: 38197
Asterisk IAX2 Channel Driver (chan_iax2) Incomplete Connection Saturation Remote DoS

Source: BUGTRAQ
Type: UNKNOWN
20070729 ASA-2007-018: Resource exhaustion vulnerability in IAX2 channel driver

Source: BID
Type: UNKNOWN
24950

Source: CCN
Type: BID-24950
Asterisk Multiple Remote Denial of Service Vulnerabilities

Source: SECTRACK
Type: UNKNOWN
1018472

Source: VUPEN
Type: UNKNOWN
ADV-2007-2701

Source: XF
Type: UNKNOWN
asterisk-iax2channeldriver-new-dos(35682)

Vulnerable Configuration:Configuration 1:
  • cpe:/a:digium:asterisk:1.2.20:*:*:*:*:*:*:*
  • OR cpe:/a:digium:asterisk:1.2.21:*:*:*:*:*:*:*
  • OR cpe:/a:digium:asterisk:1.2.21.1:*:*:*:*:*:*:*
  • OR cpe:/a:digium:asterisk:1.2.22:*:*:*:*:*:*:*
  • OR cpe:/a:digium:asterisk:1.4.5:*:*:*:*:*:*:*
  • OR cpe:/a:digium:asterisk:1.4.7:*:*:*:*:*:*:*
  • OR cpe:/a:digium:asterisk:1.4.7.1:*:*:*:*:*:*:*
  • OR cpe:/a:digium:asterisk:1.4.8:*:*:*:*:*:*:*
  • OR cpe:/a:digium:asterisk_appliance_developer_kit:0.5.0:*:*:*:*:*:*:*
  • OR cpe:/a:digium:asterisknow_pre-release:beta6:*:*:*:*:*:*:*

  • Configuration CCN 1:
  • cpe:/a:digium:asterisk_appliance_developer_kit:0.5.0:*:*:*:*:*:*:*
  • AND
  • cpe:/o:gentoo:linux:*:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable