CVE-2008-1390
First published: Mon Mar 24 2008(Updated: )
The AsteriskGUI HTTP server in Asterisk Open Source 1.4.x before 1.4.19-rc3 and 1.6.x before 1.6.0-beta6, Business Edition C.x.x before C.1.6, AsteriskNOW before 1.0.2, Appliance Developer Kit before revision 104704, and s800i 1.0.x before 1.1.0.2 generates insufficiently random manager ID values, which makes it easier for remote attackers to hijack a manager session via a series of ID guesses.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Asterisk | =1.4.1 | |
| Asterisk | =1.4.2 | |
| Asterisk | =1.4.3 | |
| Asterisk | =1.4.4 | |
| Asterisk | =1.4.5 | |
| Asterisk | =1.4.6 | |
| Asterisk | =1.4.7 | |
| Asterisk | =1.4.8 | |
| Asterisk | =1.4.9 | |
| Asterisk | =1.4.10 | |
| Asterisk | =1.4.11 | |
| Asterisk | =1.4.12 | |
| Asterisk | =1.4.13 | |
| Asterisk | =1.4.14 | |
| Asterisk | =1.4.15 | |
| Asterisk | =1.4.16 | |
| Asterisk | =1.4.17 | |
| Asterisk | =1.4.18.1 | |
| Asterisk | =1.4_beta | |
| Asterisk | =1.4_revision_95946 | |
| Asterisk | =1.6 | |
| Digium Asterisk Appliance Developer Kit | =0.2 | |
| Digium Asterisk Appliance Developer Kit | =0.3 | |
| Digium Asterisk Appliance Developer Kit | =0.4 | |
| Digium Asterisk Appliance Developer Kit | =0.5 | |
| Digium Asterisk Appliance Developer Kit | =0.6 | |
| Digium Asterisk Appliance Developer Kit | =0.7 | |
| Digium Asterisk Appliance Developer Kit | =0.8 | |
| Digium Asterisk Appliance Developer Kit | =1.4 | |
| Asterisk Business Edition | =c.1.0-beta7 | |
| Asterisk Business Edition | =c.1.0-beta8 | |
| Digium AsteriskNOW | =1.0 | |
| Digium AsteriskNOW | =beta_5 | |
| Digium AsteriskNOW | =beta_6 | |
| Digium AsteriskNOW | =beta_7 | |
| Digium Asterisk s800i Appliance | =1.0 | |
| Digium Asterisk s800i Appliance | =1.0.1 | |
| Digium Asterisk s800i Appliance | =1.0.2 | |
| Digium Asterisk s800i Appliance | =1.0.3 | |
| Digium Asterisk s800i Appliance | =1.1.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://downloads.digium.com/pub/security/AST-2008-005.html
- http://www.securityfocus.com/bid/28316
- http://secunia.com/advisories/29449
- https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00438.html
- https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00514.html
- http://www.securitytracker.com/id?1019679
- http://secunia.com/advisories/29470
- http://securityreason.com/securityalert/3764
- https://exchange.xforce.ibmcloud.com/vulnerabilities/41304
- http://www.securityfocus.com/archive/1/489819/100/0/threaded
Frequently Asked Questions
What is the severity of CVE-2008-1390?
CVE-2008-1390 has a medium severity rating due to its impact on authentication security.
How do I fix CVE-2008-1390?
To fix CVE-2008-1390, upgrade Asterisk to version 1.4.19-rc3 or later for 1.4.x and 1.6.0-beta6 or later for 1.6.x.
What versions are affected by CVE-2008-1390?
CVE-2008-1390 affects Asterisk versions from 1.4.1 to 1.4.18.1, and 1.6.x beta versions prior to 1.6.0-beta6.
What is the nature of the vulnerability in CVE-2008-1390?
CVE-2008-1390 involves the generation of insufficiently random manager ID values in the AsteriskGUI HTTP server.
Is CVE-2008-1390 a remote exploit?
Yes, CVE-2008-1390 can potentially be exploited remotely due to its nature as a web-based vulnerability.
- agent/references
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/author
- agent/weakness
- agent/last-modified-date
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-historical
- vendor/asterisk
- canonical/asterisk
- version/asterisk/1.4.1
- version/asterisk/1.4.2
- version/asterisk/1.4.3
- version/asterisk/1.4.4
- version/asterisk/1.4.5
- version/asterisk/1.4.6
- version/asterisk/1.4.7
- version/asterisk/1.4.8
- version/asterisk/1.4.9
- version/asterisk/1.4.10
- version/asterisk/1.4.11
- version/asterisk/1.4.12
- version/asterisk/1.4.13
- version/asterisk/1.4.14
- version/asterisk/1.4.15
- version/asterisk/1.4.16
- version/asterisk/1.4.17
- version/asterisk/1.4.18.1
- version/asterisk/1.4_beta
- version/asterisk/1.4_revision_95946
- version/asterisk/1.6
- canonical/digium asterisk appliance developer kit
- version/digium asterisk appliance developer kit/0.2
- version/digium asterisk appliance developer kit/0.3
- version/digium asterisk appliance developer kit/0.4
- version/digium asterisk appliance developer kit/0.5
- version/digium asterisk appliance developer kit/0.6
- version/digium asterisk appliance developer kit/0.7
- version/digium asterisk appliance developer kit/0.8
- version/digium asterisk appliance developer kit/1.4
- canonical/asterisk business edition
- version/asterisk business edition/c.1.0-beta7
- version/asterisk business edition/c.1.0-beta8
- canonical/digium asterisknow
- version/digium asterisknow/1.0
- version/digium asterisknow/beta_5
- version/digium asterisknow/beta_6
- version/digium asterisknow/beta_7
- canonical/digium asterisk s800i appliance
- version/digium asterisk s800i appliance/1.0
- version/digium asterisk s800i appliance/1.0.1
- version/digium asterisk s800i appliance/1.0.2
- version/digium asterisk s800i appliance/1.0.3
- version/digium asterisk s800i appliance/1.1.0