Vulnerability Name: CVE-2008-2119 (CCN-42823)

Assigned: 2008-06-03
Published: 2008-06-03
Updated: 2018-10-11
Summary: Asterisk Open Source 1.0.x and 1.2.x before 1.2.29 and Business Edition A.x.x and B.x.x before B.2.5.3, when pedantic parsing (aka pedanticsipchecking) is enabled, allows remote attackers to cause a denial of service (daemon crash) via a SIP INVITE message that lacks a From header, related to invocations of the ast_uri_decode function, and improper handling of (1) an empty const string and (2) a NULL pointer.
CVSS v3 Severity: 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Low
CVSS v2 Severity: 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P)
3.2 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P)
3.2 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
Vulnerability Type: CWE-20
Vulnerability Consequences: Denial of Service
References:

Source: CONFIRM
Type: UNKNOWN
http://bugs.digium.com/view.php?id=12607

Source: MITRE
Type: CNA
CVE-2008-2119

Source: CCN
Type: AST-2008-008
Remote Crash Vulnerability in SIP channel driver when run in pedantic mode

Source: CONFIRM
Type: UNKNOWN
http://downloads.digium.com/pub/security/AST-2008-008.html

Source: CCN
Type: SA30517
Asterisk "pedantic" SIP Processing Denial of Service

Source: SECUNIA
Type: UNKNOWN
30517

Source: SECUNIA
Type: UNKNOWN
34982

Source: GENTOO
Type: UNKNOWN
GLSA-200905-01

Source: CCN
Type: SECTRACK ID: 1020166
Asterisk Pedantic Mode Bug in ast_uri_decode() Lets Remote Users Deny Service

Source: CONFIRM
Type: UNKNOWN
http://svn.digium.com/view/asterisk?view=rev&revision=120109

Source: CCN
Type: GLSA-200905-01
Asterisk: Multiple vulnerabilities

Source: CCN
Type: OSVDB ID: 46014
Asterisk Pedantic Parsing SIP INVITE Message Handling Remote DoS

Source: BUGTRAQ
Type: UNKNOWN
20080603 AST-2008-008: Remote Crash Vulnerability in SIP channel driver when run in pedantic mode

Source: SECTRACK
Type: UNKNOWN
1020166

Source: VUPEN
Type: UNKNOWN
ADV-2008-1731

Source: XF
Type: UNKNOWN
asterisk-asturidecode-dos(42823)

Source: EXPLOIT-DB
Type: UNKNOWN
5749

Vulnerable Configuration:

Configuration 1:
  • cpe:/a:asterisk:asterisk_business_edition:b.1.3.2:*:*:*:*:*:*:*
  • OR cpe:/a:asterisk:asterisk_business_edition:b.1.3.3:*:*:*:*:*:*:*
  • OR cpe:/a:asterisk:asterisk_business_edition:b.2.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:asterisk:asterisk_business_edition:b.2.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:asterisk:asterisk_business_edition:b.2.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:asterisk:asterisk_business_edition:b.2.3.2:*:*:*:*:*:*:*
  • OR cpe:/a:asterisk:asterisk_business_edition:b.2.3.3:*:*:*:*:*:*:*
  • OR cpe:/a:asterisk:asterisk_business_edition:b.2.3.4:*:*:*:*:*:*:*
  • OR cpe:/a:asterisk:asterisk_business_edition:b.2.5.0:*:*:*:*:*:*:*
  • OR cpe:/a:asterisk:asterisk_business_edition:b2.5.1:*:*:*:*:*:*:*
  • OR cpe:/a:asterisk:asterisk_business_edition:*:*:*:*:*:*:*:* (Version <= b2.5.2)
  • OR cpe:/a:asterisk:open_source:1.0:*:*:*:*:*:*:*
  • OR cpe:/a:asterisk:open_source:1.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:asterisk:open_source:1.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:asterisk:open_source:1.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:asterisk:open_source:1.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:asterisk:open_source:1.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:asterisk:open_source:1.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:asterisk:open_source:1.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:asterisk:open_source:1.0.7:*:*:*:*:*:*:*
  • OR cpe:/a:asterisk:open_source:1.0.8:*:*:*:*:*:*:*
  • OR cpe:/a:asterisk:open_source:1.0.9:*:*:*:*:*:*:*
  • OR cpe:/a:asterisk:open_source:1.0.11:*:*:*:*:*:*:*
  • OR cpe:/a:asterisk:open_source:1.0.11.1:*:*:*:*:*:*:*
  • OR cpe:/a:asterisk:open_source:1.0.12:*:*:*:*:*:*:*
  • OR cpe:/a:asterisk:open_source:1.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:asterisk:open_source:1.2.0beta1:*:*:*:*:*:*:*
  • OR cpe:/a:asterisk:open_source:1.2.0beta2:*:*:*:*:*:*:*
  • OR cpe:/a:asterisk:open_source:1.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:asterisk:open_source:1.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:asterisk:open_source:1.2.10:*:*:*:*:*:*:*
  • OR cpe:/a:asterisk:open_source:1.2.11:*:*:*:*:*:*:*
  • OR cpe:/a:asterisk:open_source:1.2.12:*:*:*:*:*:*:*
  • OR cpe:/a:asterisk:open_source:1.2.12.1:*:*:*:*:*:*:*
  • OR cpe:/a:asterisk:open_source:1.2.13:*:*:*:*:*:*:*
  • OR cpe:/a:asterisk:open_source:1.2.14:*:*:*:*:*:*:*
  • OR cpe:/a:asterisk:open_source:1.2.15:*:*:*:*:*:*:*
  • OR cpe:/a:asterisk:open_source:1.2.16:*:*:*:*:*:*:*
  • OR cpe:/a:asterisk:open_source:1.2.17:*:*:*:*:*:*:*
  • OR cpe:/a:asterisk:open_source:1.2.18:*:*:*:*:*:*:*
  • OR cpe:/a:asterisk:open_source:1.2.19:*:*:*:*:*:*:*
  • OR cpe:/a:asterisk:open_source:1.2.20:*:*:*:*:*:*:*
  • OR cpe:/a:asterisk:open_source:1.2.21:*:*:*:*:*:*:*
  • OR cpe:/a:asterisk:open_source:1.2.21.1:*:*:*:*:*:*:*
  • OR cpe:/a:asterisk:open_source:1.2.22:*:*:*:*:*:*:*
  • OR cpe:/a:asterisk:open_source:1.2.23:*:*:*:*:*:*:*
  • OR cpe:/a:asterisk:open_source:1.2.24:*:*:*:*:*:*:*
  • OR cpe:/a:asterisk:open_source:1.2.25:*:*:*:*:*:*:*
  • OR cpe:/a:asterisk:open_source:1.2.26:*:*:*:*:*:*:*
  • OR cpe:/a:asterisk:open_source:1.2.26.1:*:*:*:*:*:*:*
  • OR cpe:/a:asterisk:open_source:1.2.26.2:*:*:*:*:*:*:*
  • OR cpe:/a:asterisk:open_source:1.2.27:*:*:*:*:*:*:*
  • OR cpe:/a:asterisk:open_source:*:*:*:*:*:*:*:* (Version <= 1.2.28)

Configuration CCN 1:
  • cpe:/a:digium:asterisk:b.2.5.1:-:business:*:*:*:*:*
  • OR cpe:/a:digium:asterisk:a:-:business:*:*:*:*:*
  • OR cpe:/a:digium:asterisk:b.1.3.2:-:business:*:*:*:*:*
  • OR cpe:/a:digium:asterisk:b.1.3.3:-:business:*:*:*:*:*
  • OR cpe:/a:digium:asterisk:b.2.2.0:-:business:*:*:*:*:*
  • OR cpe:/a:digium:asterisk:b.2.2.1:-:business:*:*:*:*:*
  • OR cpe:/a:digium:asterisk:b.2.3.1:-:business:*:*:*:*:*
  • OR cpe:/a:digium:asterisk:b.2.3.2:-:business:*:*:*:*:*
  • OR cpe:/a:digium:asterisk:b.2.3.3:-:business:*:*:*:*:*
  • OR cpe:/a:digium:asterisk:b.2.3.4:-:business:*:*:*:*:*
  • OR cpe:/a:digium:asterisk:b.2.5.0:-:business:*:*:*:*:*
  • AND
  • cpe:/o:gentoo:linux:*:*:*:*:*:*:*:*

* Denotes that component is vulnerable

Oval Definitions
Definition ID                           | Class | Title         | Last Modified
oval:org.opensuse.security:def:20082119 | V     | CVE-2008-2119 | 2012-07-03