Vulnerability CVE-2008-1332 - CERT Civis.Net

Vulnerability Name:

CVE-2008-1332 (CCN-41308)

Assigned:

2008-03-18

Published:

2008-03-18

Updated:

2018-10-11

Summary:

Unspecified vulnerability in Asterisk Open Source 1.2.x before 1.2.27, 1.4.x before 1.4.18.1 and 1.4.19-rc3; Business Edition A.x.x, B.x.x before B.2.5.1, and C.x.x before C.1.6.2; AsteriskNOW 1.0.x before 1.0.2; Appliance Developer Kit before 1.4 revision 109393; and s800i 1.0.x before 1.1.0.2; allows remote attackers to access the SIP channel driver via a crafted From header.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

8.8 High (CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:N)
6.5 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): None

5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

Vulnerability Type:

Vulnerability Consequences:

Bypass Security

References:

Source: MITRE
Type: CNA
CVE-2008-1332

Source: CCN
Type: AST-2008-003
Unauthenticated calls allowed from SIP channel driver

Source: CONFIRM
Type: Patch
http://downloads.digium.com/pub/security/AST-2008-003.html

Source: SUSE
Type: UNKNOWN
SUSE-SR:2008:010

Source: CCN
Type: SA29426
Asterisk Multiple Vulnerabilities

Source: SECUNIA
Type: Vendor Advisory
29426

Source: SECUNIA
Type: Vendor Advisory
29456

Source: SECUNIA
Type: Vendor Advisory
29470

Source: SECUNIA
Type: Vendor Advisory
29782

Source: SECUNIA
Type: Vendor Advisory
29957

Source: GENTOO
Type: UNKNOWN
GLSA-200804-13

Source: CCN
Type: SECTRACK ID: 1019629
Asterisk SIP Channel Driver Lets Remote Users Make Unauthenticated Calls

Source: SECTRACK
Type: UNKNOWN
1019629

Source: CONFIRM
Type: UNKNOWN
http://www.asterisk.org/node/48466

Source: DEBIAN
Type: UNKNOWN
DSA-1525

Source: DEBIAN
Type: DSA-1525
asterisk -- several vulnerabilities

Source: CCN
Type: GLSA-200804-13
Asterisk: Multiple vulnerabilities

Source: CCN
Type: OSVDB ID: 43415
Asterisk SIP Channel Driver Unauthenticated Call Remote Privilege Escalation

Source: BUGTRAQ
Type: UNKNOWN
20080318 AST-2008-003: Unauthenticated calls allowed from SIP channel driver

Source: BID
Type: UNKNOWN
28310

Source: CCN
Type: BID-28310
Asterisk Call Authentication Security Bypass Vulnerability

Source: VUPEN
Type: UNKNOWN
ADV-2008-0928

Source: XF
Type: UNKNOWN
asterisk-sip-security-bypass(41308)

Source: XF
Type: UNKNOWN
asterisk-sip-security-bypass(41308)

Source: FEDORA
Type: UNKNOWN
FEDORA-2008-2554

Source: FEDORA
Type: UNKNOWN
FEDORA-2008-2620

Source: SUSE
Type: SUSE-SR:2008:010
SUSE Security Summary Report

Vulnerable Configuration:

Configuration 1:

cpe:/a:asterisk:asterisk:a:*:business:*:*:*:*:*

OR cpe:/a:asterisk:asterisk:b.1.3.2:*:business:*:*:*:*:*

OR cpe:/a:asterisk:asterisk:b.1.3.3:*:business:*:*:*:*:*

OR cpe:/a:asterisk:asterisk:b.2.2.0:*:business:*:*:*:*:*

OR cpe:/a:asterisk:asterisk:b.2.2.1:*:business:*:*:*:*:*

OR cpe:/a:asterisk:asterisk:b.2.3.1:*:business:*:*:*:*:*

OR cpe:/a:asterisk:asterisk:b.2.3.2:*:business:*:*:*:*:*

OR cpe:/a:asterisk:asterisk:b.2.3.3:*:business:*:*:*:*:*

OR cpe:/a:asterisk:asterisk:b.2.3.4:*:business:*:*:*:*:*

OR cpe:/a:asterisk:asterisk:b.2.3.5:*:business:*:*:*:*:*

OR cpe:/a:asterisk:asterisk:b.2.3.6:*:business:*:*:*:*:*

OR cpe:/a:asterisk:asterisk:c.1.0_beta7:*:business:*:*:*:*:*

OR cpe:/a:asterisk:asterisk:c.1.0_beta8:*:business:*:*:*:*:*

OR cpe:/a:asterisk:asterisk:c.1.6:*:business:*:*:*:*:*

OR cpe:/a:asterisk:asterisk:c.1.6.1:*:business:*:*:*:*:*

OR cpe:/a:asterisk:asterisk_appliance_developer_kit:0.2:*:*:*:*:*:*:*

OR cpe:/a:asterisk:asterisk_appliance_developer_kit:0.3:*:*:*:*:*:*:*

OR cpe:/a:asterisk:asterisk_appliance_developer_kit:0.4:*:*:*:*:*:*:*

OR cpe:/a:asterisk:asterisk_appliance_developer_kit:0.5:*:*:*:*:*:*:*

OR cpe:/a:asterisk:asterisk_appliance_developer_kit:0.6:*:*:*:*:*:*:*

OR cpe:/a:asterisk:asterisk_appliance_developer_kit:0.6.0:*:*:*:*:*:*:*

OR cpe:/a:asterisk:asterisk_appliance_developer_kit:0.7:*:*:*:*:*:*:*

OR cpe:/a:asterisk:asterisk_appliance_developer_kit:0.8:*:*:*:*:*:*:*

OR cpe:/a:asterisk:asterisk_appliance_developer_kit:1.3:*:*:*:*:*:*:*

OR cpe:/a:asterisk:asterisk_appliance_developer_kit:*:*:*:*:*:*:*:* (Version <= 1.4)

OR cpe:/a:asterisk:asterisk_business_edition:*:*:*:*:*:*:*:* (Version <= a)

OR cpe:/a:asterisk:asterisk_business_edition:*:*:*:*:*:*:*:* (Version <= b.2.5.0)

OR cpe:/a:asterisk:asterisk_business_edition:*:*:*:*:*:*:*:* (Version <= c.1.6.1)

OR cpe:/a:asterisk:asterisknow:1.0:*:*:*:*:*:*:*

OR cpe:/a:asterisk:asterisknow:*:*:*:*:*:*:*:* (Version <= 1.0.1)

OR cpe:/a:asterisk:open_source:1.0:*:*:*:*:*:*:*

OR cpe:/a:asterisk:open_source:1.0.0:*:*:*:*:*:*:*

OR cpe:/a:asterisk:open_source:1.0.1:*:*:*:*:*:*:*

OR cpe:/a:asterisk:open_source:1.0.2:*:*:*:*:*:*:*

OR cpe:/a:asterisk:open_source:1.0.3:*:*:*:*:*:*:*

OR cpe:/a:asterisk:open_source:1.0.3.4:*:*:*:*:*:*:*

OR cpe:/a:asterisk:open_source:1.0.4:*:*:*:*:*:*:*

OR cpe:/a:asterisk:open_source:1.0.5:*:*:*:*:*:*:*

OR cpe:/a:asterisk:open_source:1.0.6:*:*:*:*:*:*:*

OR cpe:/a:asterisk:open_source:1.0.7:*:*:*:*:*:*:*

OR cpe:/a:asterisk:open_source:1.0.8:*:*:*:*:*:*:*

OR cpe:/a:asterisk:open_source:1.0.9:*:*:*:*:*:*:*

OR cpe:/a:asterisk:open_source:1.0.11:*:*:*:*:*:*:*

OR cpe:/a:asterisk:open_source:1.0.11.1:*:*:*:*:*:*:*

OR cpe:/a:asterisk:open_source:1.0.12:*:*:*:*:*:*:*

OR cpe:/a:asterisk:open_source:1.2.0:*:*:*:*:*:*:*

OR cpe:/a:asterisk:open_source:1.2.0:beta1:*:*:*:*:*:*

OR cpe:/a:asterisk:open_source:1.2.0:beta2:*:*:*:*:*:*

OR cpe:/a:asterisk:open_source:1.2.0:rc1:*:*:*:*:*:*

OR cpe:/a:asterisk:open_source:1.2.0beta2:*:*:*:*:*:*:*

OR cpe:/a:asterisk:open_source:1.2.1:*:*:*:*:*:*:*

OR cpe:/a:asterisk:open_source:1.2.2:*:*:*:*:*:*:*

OR cpe:/a:asterisk:open_source:1.2.3:*:*:*:*:*:*:*

OR cpe:/a:asterisk:open_source:1.2.4:*:*:*:*:*:*:*

OR cpe:/a:asterisk:open_source:1.2.5:*:*:*:*:*:*:*

OR cpe:/a:asterisk:open_source:1.2.6:*:*:*:*:*:*:*

OR cpe:/a:asterisk:open_source:1.2.7:*:*:*:*:*:*:*

OR cpe:/a:asterisk:open_source:1.2.7.1:*:*:*:*:*:*:*

OR cpe:/a:asterisk:open_source:1.2.8:*:*:*:*:*:*:*

OR cpe:/a:asterisk:open_source:1.2.9:*:*:*:*:*:*:*

OR cpe:/a:asterisk:open_source:1.2.9.1:*:*:*:*:*:*:*

OR cpe:/a:asterisk:open_source:1.2.10:*:*:*:*:*:*:*

OR cpe:/a:asterisk:open_source:1.2.11:*:*:*:*:*:*:*

OR cpe:/a:asterisk:open_source:1.2.12:*:*:*:*:*:*:*

OR cpe:/a:asterisk:open_source:1.2.12.1:*:*:*:*:*:*:*

OR cpe:/a:asterisk:open_source:1.2.13:*:*:*:*:*:*:*

OR cpe:/a:asterisk:open_source:1.2.14:*:*:*:*:*:*:*

OR cpe:/a:asterisk:open_source:1.2.15:*:*:*:*:*:*:*

OR cpe:/a:asterisk:open_source:1.2.16:*:*:*:*:*:*:*

OR cpe:/a:asterisk:open_source:1.2.17:*:*:*:*:*:*:*

OR cpe:/a:asterisk:open_source:1.2.18:*:*:*:*:*:*:*

OR cpe:/a:asterisk:open_source:1.2.19:*:*:*:*:*:*:*

OR cpe:/a:asterisk:open_source:1.2.20:*:*:*:*:*:*:*

OR cpe:/a:asterisk:open_source:1.2.21:*:*:*:*:*:*:*

OR cpe:/a:asterisk:open_source:1.2.21.1:*:*:*:*:*:*:*

OR cpe:/a:asterisk:open_source:1.2.22:*:*:*:*:*:*:*

OR cpe:/a:asterisk:open_source:1.2.23:*:*:*:*:*:*:*

OR cpe:/a:asterisk:open_source:1.2.24:*:*:*:*:*:*:*

OR cpe:/a:asterisk:open_source:1.2.25:*:*:*:*:*:*:*

OR cpe:/a:asterisk:open_source:*:*:*:*:*:*:*:* (Version <= 1.2.26)

OR cpe:/a:asterisk:open_source:1.2.26.1:*:*:*:*:*:*:*

OR cpe:/a:asterisk:open_source:1.2.26.2:*:*:*:*:*:*:*

OR cpe:/a:asterisk:open_source:1.4.0:*:*:*:*:*:*:*

OR cpe:/a:asterisk:open_source:1.4.0:beta2:*:*:*:*:*:*

OR cpe:/a:asterisk:open_source:1.4.0:beta3:*:*:*:*:*:*

OR cpe:/a:asterisk:open_source:1.4.0:beta4:*:*:*:*:*:*

OR cpe:/a:asterisk:open_source:1.4.1:*:*:*:*:*:*:*

OR cpe:/a:asterisk:open_source:1.4.10:*:*:*:*:*:*:*

OR cpe:/a:asterisk:open_source:1.4.10.1:*:*:*:*:*:*:*

OR cpe:/a:asterisk:open_source:1.4.11:*:*:*:*:*:*:*

OR cpe:/a:asterisk:open_source:1.4.12:*:*:*:*:*:*:*

OR cpe:/a:asterisk:open_source:1.4.12.1:*:*:*:*:*:*:*

OR cpe:/a:asterisk:open_source:1.4.13:*:*:*:*:*:*:*

OR cpe:/a:asterisk:open_source:1.4.14:*:*:*:*:*:*:*

OR cpe:/a:asterisk:open_source:1.4.15:*:*:*:*:*:*:*

OR cpe:/a:asterisk:open_source:1.4.16:*:*:*:*:*:*:*

OR cpe:/a:asterisk:open_source:1.4.16.1:*:*:*:*:*:*:*

OR cpe:/a:asterisk:open_source:1.4.16.2:*:*:*:*:*:*:*

OR cpe:/a:asterisk:open_source:*:*:*:*:*:*:*:* (Version <= 1.4.17)

OR cpe:/a:asterisk:open_source:1.4.18:*:*:*:*:*:*:*

OR cpe:/a:asterisk:open_source:*:rc-2:*:*:*:*:*:* (Version <= 1.4.19)

OR cpe:/a:asterisk:open_source:1.4.19:rc3:*:*:*:*:*:*

OR cpe:/a:asterisk:s800i:1.0:*:*:*:*:*:*:*

OR cpe:/a:asterisk:s800i:1.0.1:*:*:*:*:*:*:*

OR cpe:/a:asterisk:s800i:1.0.2:*:*:*:*:*:*:*

OR cpe:/a:asterisk:s800i:1.0.3:*:*:*:*:*:*:*

OR cpe:/a:asterisk:s800i:1.0.3.3:*:*:*:*:*:*:*

OR cpe:/a:asterisk:s800i:1.1.0:*:*:*:*:*:*:*

OR cpe:/a:asterisk:s800i:*:*:*:*:*:*:*:* (Version <= 1.1.0.1)

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:20081332	V	CVE-2008-1332	2015-11-16
oval:org.mitre.oval:def:8002	P	DSA-1525 asterisk -- several vulnerabilities	2015-02-23
oval:org.mitre.oval:def:17968	P	DSA-1525-1 asterisk	2014-06-23
oval:org.debian:def:1525	V	several vulnerabilities	2008-03-20