CVE-2008-2543

Current Description

The ooh323 channel driver in Asterisk Addons 1.2.x before 1.2.9 and Asterisk-Addons 1.4.x before 1.4.7 creates a remotely accessible TCP port that is intended solely for localhost communication, and interprets some TCP application-data fields as addresses of memory to free, which allows remote attackers to cause a denial of service (daemon crash) via crafted TCP packets.

Basic Data

Published: June 05, 2008
Last Modified: October 15, 2018
Assigner: cve@mitre.org
Data Type: CVE
Data Format: MITRE
Data Version: 4.0
Problem Type: CWE-399
CVE Data Version: 4.0

Base Metric V2

CVSS 2 - Version: 2.0
CVSS 2 - Vector String: AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSS 2 - Access Vector: NETWORK
CVSS 2 - Access Complexity: LOW
CVSS 2 - Authentication: NONE
CVSS 2 - Confidentiality Impact: NONE
CVSS 2 - Availability Impact: PARTIAL
CVSS 2 - Base Score: 5.0
Severity: MEDIUM
Exploitability Score: 10.0
Impact Score: 2.9
Obtain All Privilege: false
Obtain User Privilege: false
Obtain Other Privilege: false

Base Metric V3

No data provided.

Configurations

  • OR - Configuration 1
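    Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding
    2.3 | Application | Asterisk | Asterisk-addons | 1.2.0 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Asterisk | Asterisk-addons | 1.2.1 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Asterisk | Asterisk-addons | 1.2.2 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Asterisk | Asterisk-addons | 1.2.3 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Asterisk | Asterisk-addons | 1.2.4 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Asterisk | Asterisk-addons | 1.2.5 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Asterisk | Asterisk-addons | 1.2.6 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Asterisk | Asterisk-addons | 1.2.7 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Asterisk | Asterisk-addons | 1.2.8 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Asterisk | Asterisk-addons | 1.4.0 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Asterisk | Asterisk-addons | 1.4.1 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Asterisk | Asterisk-addons | 1.4.2 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Asterisk | Asterisk-addons | 1.4.3 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Asterisk | Asterisk-addons | 1.4.4 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Asterisk | Asterisk-addons | 1.4.5 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Asterisk | Asterisk-addons | 1.4.6 | * | * | * | * | * | * | * | | | |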

Vulnerable Software List

Vendor | Product | Versions
Asterisk | Asterisk-addons | 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.7, 1.2.8, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6

References

Name | Source | URL | Tags
http://downloads.digium.com/pub/security/AST-2008-009.html | | http://downloads.digium.com/pub/security/AST-2008-009.html | CONFIRM
30555 | | http://secunia.com/advisories/30555 | SECUNIA
1020202 | | http://securitytracker.com/id?1020202 | SECTRACK
20080604 AST-2008-009: AST-2008-007 Cryptographic keys generated by OpenSSL on Debian-based systems compromised | | http://www.securityfocus.com/archive/1/493122/100/0/threaded | BUGTRAQ
20080604 AST-2008-009: (Corrected subject) Remote crash vulnerability in ooh323 channel driver | | http://www.securityfocus.com/archive/1/493144/100/0/threaded | BUGTRAQ
29567 | | http://www.securityfocus.com/bid/29567 | BID
ADV-2008-1747 | | http://www.vupen.com/english/advisories/2008/1747/references | VUPEN
asterisk-addons-ooh323-dos(42869) | | https://exchange.xforce.ibmcloud.com/vulnerabilities/42869 | XF