FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

asterisk -- multiple vulnerabilities

Affected packages
asterisk11 < 11.10.1
asterisk18 < 1.8.28.1
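As an added example (not part of the VuXML entry and not FreeBSD's own `pkg audit` code), the following Python check tests `pkg info`-style package strings against the two affected ranges above; it assumes plain dot-separated numeric versions and ignores port epoch (`,1`) and revision (`_2`) suffixes:

```python
# Added example: test installed package strings against the VuXML ranges
# quoted above. Not FreeBSD's pkg-audit implementation; the comparison is a
# simplified dot-numeric one that ignores PORTEPOCH/PORTREVISION suffixes.
import re

# Affected ranges exactly as published in the entry: name -> first fixed version.
AFFECTED = {
    "asterisk11": "11.10.1",
    "asterisk18": "1.8.28.1",
}


def parse_version(v):
    """Split '1.8.28.1' into a tuple of ints; trailing letters/suffixes drop."""
    parts = []
    for p in v.split("."):
        m = re.match(r"\d+", p)
        parts.append(int(m.group(0)) if m else 0)
    return tuple(parts)


def version_lt(a, b):
    """True if version a sorts before b; missing components count as 0."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    return pa + (0,) * (n - len(pa)) < pb + (0,) * (n - len(pb))


def split_pkg(pkgname):
    """'asterisk11-11.9.0' -> ('asterisk11', '11.9.0'); split at the last '-'."""
    name, _, ver = pkgname.rpartition("-")
    if not name or not ver:
        raise ValueError("expected name-version, got %r" % pkgname)
    return name, ver


def is_affected(pkgname):
    """True if the package is inside a published affected range (< fixed)."""
    name, ver = split_pkg(pkgname)
    fixed = AFFECTED.get(name)
    return fixed is not None and version_lt(ver, fixed)


def audit(installed):
    """Return the installed package strings that are still vulnerable."""
    return [p for p in installed if is_affected(p)]


if __name__ == "__main__":
    # Constructed sample inventory (not real host data).
    sample = ["asterisk11-11.9.0", "asterisk18-1.8.28.1",
              "asterisk11-11.10.1", "asterisk18-1.8.27.0", "openssl-1.0.1h"]
    print(audit(sample))  # ['asterisk11-11.9.0', 'asterisk18-1.8.27.0']
```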

Details

VuXML ID f109b02f-f5a4-11e3-82e9-00a098b18457
Discovery 2014-06-12
Entry 2014-06-17

The Asterisk project reports:

Asterisk Manager User Unauthorized Shell Access. Manager users can execute arbitrary shell commands with the MixMonitor manager action. Asterisk does not require system class authorization for a manager user to use the MixMonitor action, so any manager user who is permitted to use manager commands can potentially execute shell commands as the user executing the Asterisk process.

Exhaustion of Allowed Concurrent HTTP Connections. Establishing a TCP or TLS connection to the configured HTTP or HTTPS port respectively in http.conf and then not sending or completing an HTTP request will tie up an HTTP session. By doing this repeatedly until the maximum number of open HTTP sessions is reached, legitimate requests are blocked.

References

CVE Name CVE-2014-4046
CVE Name CVE-2014-4047
URL http://downloads.asterisk.org/pub/security/AST-2014-006.pdf
URL http://downloads.asterisk.org/pub/security/AST-2014-007.pdf
URL https://www.asterisk.org/security