CVE-2007-4103
First published: Tue Jul 31 2007(Updated: )
The IAX2 channel driver (chan_iax2) in Asterisk Open 1.2.x before 1.2.23, 1.4.x before 1.4.9, and Asterisk Appliance Developer Kit before 0.6.0, when configured to allow unauthenticated calls, allows remote attackers to cause a denial of service (resource exhaustion) via a flood of calls that do not complete a 3-way handshake, which causes an ast_channel to be allocated but not released.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Asterisk | >=1.2.20<1.2.23 | |
| Asterisk | >=1.4.0<1.4.9 | |
| digium Asterisk Appliance Developer Kit | <0.6.0 | |
| Asterisk | =1.2.20 | |
| Asterisk | =1.2.21 | |
| Asterisk | =1.2.21.1 | |
| Asterisk | =1.2.22 | |
| Asterisk | =1.4.5 | |
| Asterisk | =1.4.7 | |
| Asterisk | =1.4.7.1 | |
| Asterisk | =1.4.8 | |
| Digium Asterisk Appliance Developer Kit | =0.5.0 | |
| AsteriskNOW | =beta6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://ftp.digium.com/pub/asa/ASA-2007-018.pdf
- http://www.securitytracker.com/id?1018472
- http://secunia.com/advisories/26274
- http://www.securityfocus.com/bid/24950
- http://securityreason.com/securityalert/2960
- http://bugs.gentoo.org/show_bug.cgi?id=185713
- http://security.gentoo.org/glsa/glsa-200802-11.xml
- http://secunia.com/advisories/29051
- http://osvdb.org/38197
- http://www.vupen.com/english/advisories/2007/2701
- http://www.securityfocus.com/archive/1/475069/100/0/threaded
Frequently Asked Questions
What is the severity of CVE-2007-4103?
CVE-2007-4103 has a severity rating that indicates it can lead to a denial of service due to resource exhaustion.
How do I fix CVE-2007-4103?
To fix CVE-2007-4103, apply the appropriate patches or upgrade to a non-vulnerable version of Asterisk.
Which versions are affected by CVE-2007-4103?
CVE-2007-4103 affects Asterisk versions prior to 1.2.23 and 1.4.9, as well as versions of the Asterisk Appliance Developer Kit before 0.6.0.
What type of attack does CVE-2007-4103 allow?
CVE-2007-4103 allows remote attackers to flood the server with unauthenticated calls, causing a denial of service.
Is CVE-2007-4103 specific to a certain configuration in Asterisk?
Yes, CVE-2007-4103 specifically affects configurations of Asterisk that permit unauthenticated calls.
- agent/type
- agent/severity
- agent/references
- agent/author
- agent/remedy
- agent/weakness
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/nvd-index
- collector/nvd-historical
- vendor/digium
- canonical/asterisk
- version/asterisk/1.2.20
- version/asterisk/1.4.0
- canonical/digium asterisk appliance developer kit
- version/asterisk/1.2.21
- version/asterisk/1.2.21.1
- version/asterisk/1.2.22
- version/asterisk/1.4.5
- version/asterisk/1.4.7
- version/asterisk/1.4.7.1
- version/asterisk/1.4.8
- version/digium asterisk appliance developer kit/0.5.0
- canonical/asterisknow
- version/asterisknow/beta6