ID

VAR-201806-0745


CVE

CVE-2018-12228


TITLE

Asterisk Open Source Authentication vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2018-006656

DESCRIPTION

An issue was discovered in Asterisk Open Source 15.x before 15.4.1. When connected to Asterisk via TCP/TLS, if the client abruptly disconnects, or sends a specially crafted message, then Asterisk gets caught in an infinite loop while trying to read the data stream. This renders the system unusable. Asterisk Open Source contains an authentication vulnerability. A service operation interruption (DoS) may result. Digium Asterisk Open Source is an open source telephone exchange (PBX) system software from Digium, USA. The software supports voicemail, multi-party voice conferencing, interactive voice response (IVR) and more. A security vulnerability exists in Digium Asterisk Open Source 15.x versions prior to 15.4.1. Attackers can exploit this issue to crash the application, resulting in a denial-of-service condition.

Trust: 2.43

sources: NVD: CVE-2018-12228 // JVNDB: JVNDB-2018-006656 // CNVD: CNVD-2018-12156 // BID: 104457

IOT TAXONOMY

category: ['Network device'] // sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2018-12156

AFFECTED PRODUCTS

vendor: sangoma // model: asterisk // scope: lt // version: 15.4.1

Trust: 1.0

vendor: sangoma // model: asterisk // scope: gte // version: 15.0

Trust: 1.0

vendor: asterisk // model: open source // scope: lt // version: 15.x

Trust: 0.8

vendor: asterisk // model: open source // scope: eq // version: 15.4.1

Trust: 0.8

vendor: digium // model: asterisk open source // scope: eq // version: 15.*<15.4.1

Trust: 0.6

vendor: asterisk // model: open source // scope: eq // version: 15.2.2

Trust: 0.3

vendor: asterisk // model: open source // scope: eq // version: 15.2.1

Trust: 0.3

vendor: asterisk // model: open source // scope: eq // version: 15.2

Trust: 0.3

vendor: asterisk // model: open source // scope: eq // version: 15.1.4

Trust: 0.3

vendor: asterisk // model: open source // scope: eq // version: 15.1.3

Trust: 0.3

vendor: asterisk // model: open source // scope: eq // version: 15.1.1

Trust: 0.3

vendor: asterisk // model: open source // scope: eq // version: 15.1

Trust: 0.3

vendor: asterisk // model: open source // scope: eq // version: 15.1.5

Trust: 0.3

vendor: asterisk // model: open source // scope: eq // version: 15.1.2

Trust: 0.3

vendor: asterisk // model: open source // scope: ne // version: 15.4.1

Trust: 0.3

sources: CNVD: CNVD-2018-12156 // BID: 104457 // JVNDB: JVNDB-2018-006656 // NVD: CVE-2018-12228

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-12228
value: MEDIUM

Trust: 1.0

NVD: CVE-2018-12228
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2018-12156
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201806-749
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2018-12228
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:L/AU:S/C:N/I:N/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2018-12156
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2018-12228
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2018-12156 // JVNDB: JVNDB-2018-006656 // CNNVD: CNNVD-201806-749 // NVD: CVE-2018-12228

PROBLEMTYPE DATA

problemtype:CWE-835

Trust: 1.0

problemtype:CWE-287

Trust: 0.8

sources: JVNDB: JVNDB-2018-006656 // NVD: CVE-2018-12228

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201806-749

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-201806-749

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-006656

PATCH

title: AST-2018-007 // url: http://downloads.asterisk.org/pub/security/AST-2018-007.html

Trust: 0.8

title: ASTERISK-27807 // url: https://issues.asterisk.org/jira/browse/ASTERISK-27807

Trust: 0.8

title: Patch for DigiumAsteriskOpenSource Remote Authentication Session Vulnerability // url: https://www.cnvd.org.cn/patchInfo/show/132899

Trust: 0.6

title: Digium Asterisk Open Source Security vulnerabilities // url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=80913

Trust: 0.6

sources: CNVD: CNVD-2018-12156 // JVNDB: JVNDB-2018-006656 // CNNVD: CNNVD-201806-749

EXTERNAL IDS

db: NVD // id: CVE-2018-12228

Trust: 3.3

db: BID // id: 104457

Trust: 2.5

db: JVNDB // id: JVNDB-2018-006656

Trust: 0.8

db: CNVD // id: CNVD-2018-12156

Trust: 0.6

db: CNNVD // id: CNNVD-201806-749

Trust: 0.6

sources: CNVD: CNVD-2018-12156 // BID: 104457 // JVNDB: JVNDB-2018-006656 // CNNVD: CNNVD-201806-749 // NVD: CVE-2018-12228

REFERENCES

url:http://downloads.asterisk.org/pub/security/ast-2018-007.html

Trust: 2.5

url:https://issues.asterisk.org/jira/browse/asterisk-27807

Trust: 1.9

url:http://www.securityfocus.com/bid/104457

Trust: 1.6

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-12228

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2018-12228

Trust: 0.8

url:http://www.asterisk.org/

Trust: 0.3

sources: CNVD: CNVD-2018-12156 // BID: 104457 // JVNDB: JVNDB-2018-006656 // CNNVD: CNNVD-201806-749 // NVD: CVE-2018-12228

CREDITS

Sean Bright

Trust: 0.3

sources: BID: 104457

SOURCES

db: CNVD // id: CNVD-2018-12156
db: BID // id: 104457
db: JVNDB // id: JVNDB-2018-006656
db: CNNVD // id: CNNVD-201806-749
db: NVD // id: CVE-2018-12228

LAST UPDATE DATE

2024-11-23T22:00:29.507000+00:00


SOURCES UPDATE DATE

db: CNVD // id: CNVD-2018-12156 // date: 2018-06-27T00:00:00
db: BID // id: 104457 // date: 2018-06-11T00:00:00
db: JVNDB // id: JVNDB-2018-006656 // date: 2018-08-28T00:00:00
db: CNNVD // id: CNNVD-201806-749 // date: 2019-10-23T00:00:00
db: NVD // id: CVE-2018-12228 // date: 2024-11-21T03:44:49.210

SOURCES RELEASE DATE

db: CNVD // id: CNVD-2018-12156 // date: 2018-06-27T00:00:00
db: BID // id: 104457 // date: 2018-06-11T00:00:00
db: JVNDB // id: JVNDB-2018-006656 // date: 2018-08-28T00:00:00
db: CNNVD // id: CNNVD-201806-749 // date: 2018-06-13T00:00:00
db: NVD // id: CVE-2018-12228 // date: 2018-06-12T04:29:00.330