Credit:
The information has been provided by Jeremy McNamara.
The original article can be found at: http://downloads.digium.com/pub/security/AST-2008-010.html
Vulnerable Systems:
* Asterisk Open Source version 1.0.x
* Asterisk Open Source versions prior to 1.2.30
* Asterisk Open Source versions prior to 1.4.21.2
* Asterisk Business Edition version A.x.x
* Asterisk Business Edition versions prior to B.2.5.4
* Asterisk Business Edition versions prior to C.1.10.3
* AsteriskNOW pre-release
* Asterisk Appliance Developer Kit version 0.x.x
* s800i (Asterisk Appliance) versions prior to 1.2.0.1
Immune Systems:
* Asterisk Open Source version 1.2.30
* Asterisk Open Source version 1.4.21.2
* Asterisk Business Edition version B.2.5.4
* Asterisk Business Edition version C.1.10.3
* Asterisk Business Edition version C.2.0.3
* s800i (Asterisk Appliance) version 1.2.0.1
Resolution:
The implementation has been changed to no longer allocate an IAX2 call number for POKE requests. Instead, call number 1 has been reserved for all responses to POKE requests, and ACK packets referencing call number 1 will be silently dropped.
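The C model below is an added illustration, not code from the advisory or from Asterisk. It shows the behaviour the resolution describes: a POKE is answered from reserved call number 1 without creating a call-table entry, and an ACK addressed to call number 1 is dropped. The function names, the table layout and the rule that frames for unknown calls are simply dropped are assumptions of this model; the subclass values follow RFC 5456.

```c
#include <stdint.h>
#include <stdio.h>

/* IAX control-frame subclasses (values per RFC 5456). */
enum { IAX_PONG = 0x03, IAX_ACK = 0x04, IAX_POKE = 0x1e };
#define POKE_CALLNO 1     /* reserved for all POKE responses (per the advisory) */
#define MAX_CALLNO  32767 /* call numbers are 15 bits wide */

enum action { DROP, SEND_PONG, PROCESS };
struct frame { uint16_t src_callno, dst_callno; uint8_t subclass; };

/* Toy call table: in_use[n] != 0 means call number n holds per-call state. */
static uint8_t in_use[MAX_CALLNO + 1];
static int used; /* number of entries currently allocated */

/* Allocate a number for a real call; the reserved one is never handed out. */
int alloc_callno(void) {
    for (int n = POKE_CALLNO + 1; n <= MAX_CALLNO; n++)
        if (!in_use[n]) { in_use[n] = 1; used++; return n; }
    return -1; /* table exhausted */
}

int callnos_in_use(void) { return used; }

/* Hypothetical dispatcher modelling the fixed behaviour. */
enum action handle_frame(const struct frame *in, struct frame *reply) {
    if (in->subclass == IAX_POKE) {          /* stateless: no table entry */
        reply->src_callno = POKE_CALLNO;
        reply->dst_callno = in->src_callno;
        reply->subclass = IAX_PONG;
        return SEND_PONG;
    }
    if (in->subclass == IAX_ACK && in->dst_callno == POKE_CALLNO)
        return DROP;                         /* ACK of a PONG: silently dropped */
    /* Model simplification: every other frame needs an existing call. */
    if (in->dst_callno > MAX_CALLNO || !in_use[in->dst_callno]) return DROP;
    return PROCESS;
}

/* Feed n POKEs from varying source call numbers; return table usage after. */
int poke_burst(int n) {
    struct frame in = { 0, 0, IAX_POKE }, out;
    for (int i = 0; i < n; i++) {
        in.src_callno = (uint16_t)(i % MAX_CALLNO + 1);
        if (handle_frame(&in, &out) != SEND_PONG) return -1;
    }
    return callnos_in_use();
}

int main(void) { printf("in use after 100000 POKEs: %d\n", poke_burst(100000)); return 0; }
```

Because no entry is allocated per POKE, the number of call numbers in use is independent of how many POKE requests arrive.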
CVE Information:
CVE-2008-3263