CVE-2013-5641: Buffer Overflow
First published: Mon Sep 09 2013(Updated: )
The SIP channel driver (channels/chan_sip.c) in Asterisk Open Source 1.8.17.x through 1.8.22.x, 1.8.23.x before 1.8.23.1, and 11.x before 11.5.1 and Certified Asterisk 1.8.15 before 1.8.15-cert3 and 11.2 before 11.2-cert2 allows remote attackers to cause a denial of service (NULL pointer dereference, segmentation fault, and daemon crash) via an ACK with SDP to a previously terminated channel. NOTE: some of these details are obtained from third party information.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Asterisk | =1.8.17.0 | |
| Asterisk | =1.8.17.0-rc1 | |
| Asterisk | =1.8.17.0-rc2 | |
| Asterisk | =1.8.17.0-rc3 | |
| Asterisk | =1.8.18.0 | |
| Asterisk | =1.8.18.0-rc1 | |
| Asterisk | =1.8.18.1 | |
| Asterisk | =1.8.19.0 | |
| Asterisk | =1.8.19.0-rc1 | |
| Asterisk | =1.8.19.0-rc3 | |
| Asterisk | =1.8.19.1 | |
| Asterisk | =1.8.20.0 | |
| Asterisk | =1.8.20.0-rc1 | |
| Asterisk | =1.8.20.0-rc2 | |
| Asterisk | =1.8.21.0-rc1 | |
| Asterisk | =1.8.21.0-rc2 | |
| Asterisk | =1.8.22.0 | |
| Asterisk | =1.8.22.0-rc1 | |
| Asterisk | =1.8.22.0-rc2 | |
| Asterisk | =1.8.23.0 | |
| Asterisk | =1.8.23.0-rc1 | |
| Asterisk | =1.8.23.0-rc2 | |
| Asterisk | =11.0.0 | |
| Asterisk | =11.0.0-beta1 | |
| Asterisk | =11.0.0-beta2 | |
| Asterisk | =11.0.0-rc1 | |
| Asterisk | =11.0.0-rc2 | |
| Asterisk | =11.0.1 | |
| Asterisk | =11.0.2 | |
| Asterisk | =11.1.0 | |
| Asterisk | =11.1.0-rc1 | |
| Asterisk | =11.1.0-rc3 | |
| Asterisk | =11.1.1 | |
| Asterisk | =11.1.2 | |
| Asterisk | =11.2.0-rc1 | |
| Asterisk | =11.2.0-rc2 | |
| Asterisk | =11.3.0-rc1 | |
| Asterisk | =11.3.0-rc2 | |
| Asterisk | =11.4.0 | |
| Asterisk | =11.4.0-rc1 | |
| Asterisk | =11.4.0-rc2 | |
| Asterisk | =11.4.0-rc3 | |
| Asterisk | =11.5.0 | |
| Asterisk | =11.5.0-rc1 | |
| Asterisk | =11.5.0-rc2 | |
| Asterisk | =11.5.1 | |
| Digium Asterisk Appliance Developer Kit | =1.8.15 | |
| Digium Asterisk Appliance Developer Kit | =1.8.15-cert1 | |
| Digium Asterisk Appliance Developer Kit | =1.8.15-cert1-rc1 | |
| Digium Asterisk Appliance Developer Kit | =1.8.15-cert1-rc2 | |
| Digium Asterisk Appliance Developer Kit | =1.8.15-cert1-rc3 | |
| Digium Asterisk Appliance Developer Kit | =1.8.15-cert2 | |
| Digium Asterisk Appliance Developer Kit | =1.8.15-rc1 | |
| Digium Asterisk Appliance Developer Kit | =11.2.0 | |
| Digium Asterisk Appliance Developer Kit | =11.2.0-cert1 | |
| Digium Asterisk Appliance Developer Kit | =11.2.0-rc1 | |
| Digium Asterisk Appliance Developer Kit | =11.2.0-rc2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://archives.neohapsis.com/archives/bugtraq/2013-08/0175.html
- http://downloads.asterisk.org/pub/security/AST-2013-004.html
- http://osvdb.org/96691
- http://seclists.org/bugtraq/2013/Aug/185
- http://secunia.com/advisories/54534
- http://secunia.com/advisories/54617
- http://www.debian.org/security/2013/dsa-2749
- http://www.mandriva.com/security/advisories?name=MDVSA-2013:223
- http://www.securityfocus.com/bid/62021
- http://www.securitytracker.com/id/1028956
- https://issues.asterisk.org/jira/browse/ASTERISK-21064
Frequently Asked Questions
What is the severity of CVE-2013-5641?
CVE-2013-5641 has been classified as a high severity vulnerability due to its potential to cause denial of service.
How do I fix CVE-2013-5641?
To fix CVE-2013-5641, you should upgrade to Asterisk versions 1.8.23.1, 11.5.1, or higher.
What kind of attacks can exploit CVE-2013-5641?
CVE-2013-5641 can be exploited by remote attackers to trigger a NULL pointer dereference leading to a denial of service.
Which versions of Asterisk are affected by CVE-2013-5641?
Asterisk versions 1.8.17.x through 1.8.22.x, and 11.x before 11.5.1 are affected by CVE-2013-5641.
Is there a workaround for CVE-2013-5641 if upgrading is not immediately possible?
Currently, there are no specific workarounds for CVE-2013-5641, so it is highly recommended to apply the patch as soon as possible.
- agent/weakness
- agent/type
- agent/remedy
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/author
- agent/last-modified-date
- agent/references
- agent/description
- agent/event
- agent/first-publish-date
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/digium
- canonical/asterisk
- version/asterisk/1.8.17.0
- version/asterisk/1.8.17.0-rc1
- version/asterisk/1.8.17.0-rc2
- version/asterisk/1.8.17.0-rc3
- version/asterisk/1.8.18.0
- version/asterisk/1.8.18.0-rc1
- version/asterisk/1.8.18.1
- version/asterisk/1.8.19.0
- version/asterisk/1.8.19.0-rc1
- version/asterisk/1.8.19.0-rc3
- version/asterisk/1.8.19.1
- version/asterisk/1.8.20.0
- version/asterisk/1.8.20.0-rc1
- version/asterisk/1.8.20.0-rc2
- version/asterisk/1.8.21.0-rc1
- version/asterisk/1.8.21.0-rc2
- version/asterisk/1.8.22.0
- version/asterisk/1.8.22.0-rc1
- version/asterisk/1.8.22.0-rc2
- version/asterisk/1.8.23.0
- version/asterisk/1.8.23.0-rc1
- version/asterisk/1.8.23.0-rc2
- version/asterisk/11.0.0
- version/asterisk/11.0.0-beta1
- version/asterisk/11.0.0-beta2
- version/asterisk/11.0.0-rc1
- version/asterisk/11.0.0-rc2
- version/asterisk/11.0.1
- version/asterisk/11.0.2
- version/asterisk/11.1.0
- version/asterisk/11.1.0-rc1
- version/asterisk/11.1.0-rc3
- version/asterisk/11.1.1
- version/asterisk/11.1.2
- version/asterisk/11.2.0-rc1
- version/asterisk/11.2.0-rc2
- version/asterisk/11.3.0-rc1
- version/asterisk/11.3.0-rc2
- version/asterisk/11.4.0
- version/asterisk/11.4.0-rc1
- version/asterisk/11.4.0-rc2
- version/asterisk/11.4.0-rc3
- version/asterisk/11.5.0
- version/asterisk/11.5.0-rc1
- version/asterisk/11.5.0-rc2
- version/asterisk/11.5.1
- canonical/digium asterisk appliance developer kit
- version/digium asterisk appliance developer kit/1.8.15
- version/digium asterisk appliance developer kit/1.8.15-cert1
- version/digium asterisk appliance developer kit/1.8.15-cert1-rc1
- version/digium asterisk appliance developer kit/1.8.15-cert1-rc2
- version/digium asterisk appliance developer kit/1.8.15-cert1-rc3
- version/digium asterisk appliance developer kit/1.8.15-cert2
- version/digium asterisk appliance developer kit/1.8.15-rc1
- version/digium asterisk appliance developer kit/11.2.0
- version/digium asterisk appliance developer kit/11.2.0-cert1
- version/digium asterisk appliance developer kit/11.2.0-rc1
- version/digium asterisk appliance developer kit/11.2.0-rc2