CVE-2018-12227: Infoleak
First published: Tue Jun 12 2018(Updated: )
An issue was discovered in Asterisk Open Source 13.x before 13.21.1, 14.x before 14.7.7, and 15.x before 15.4.1 and Certified Asterisk 13.18-cert before 13.18-cert4 and 13.21-cert before 13.21-cert2. When endpoint specific ACL rules block a SIP request, they respond with a 403 forbidden. However, if an endpoint is not identified, then a 401 unauthorized response is sent. This vulnerability just discloses which requests hit a defined endpoint. The ACL rules cannot be bypassed to gain access to the disclosed endpoints.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/asterisk | 1:16.2.1~dfsg-1+deb10u2 1:16.28.0~dfsg-0+deb10u3 1:16.28.0~dfsg-0+deb11u3 1:20.4.0~dfsg+~cs6.13.40431414-2 | |
| Digium Asterisk | >=13.0.0<13.21.1 | |
| Digium Asterisk | >14.0.0<14.7.7 | |
| Digium Asterisk | >=15.0.0<15.4.1 | |
| Digium Certified Asterisk | =13.18-cert1 | |
| Digium Certified Asterisk | =13.18-cert2 | |
| Digium Certified Asterisk | =13.18-cert3 | |
| Digium Certified Asterisk | =13.21-cert1 | |
| Debian Debian Linux | =9.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://downloads.asterisk.org/pub/security/AST-2018-008.html
- https://security-tracker.debian.org/tracker/CVE-2018-12227
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=902954
- https://issues.asterisk.org/jira/browse/ASTERISK-27818
- http://www.securityfocus.com/bid/104455
- https://security.gentoo.org/glsa/201811-11
- https://www.debian.org/security/2018/dsa-4320
Frequently Asked Questions
What is the severity of CVE-2018-12227?
The severity of CVE-2018-12227 is medium with a severity value of 5.3.
What is the affected software for CVE-2018-12227?
The affected software for CVE-2018-12227 includes Asterisk Open Source versions 13.x, 14.x, and 15.x, as well as Certified Asterisk versions 13.18-cert and 13.21-cert.
How does CVE-2018-12227 impact Asterisk Open Source?
CVE-2018-12227 in Asterisk Open Source allows endpoint specific ACL rules to respond with a 403 forbidden error when blocking a SIP request.
How can I fix CVE-2018-12227 vulnerability?
To fix CVE-2018-12227 vulnerability, it is recommended to upgrade to the patched versions of Asterisk Open Source and Certified Asterisk.
Where can I find more information about CVE-2018-12227?
You can find more information about CVE-2018-12227 on the Asterisk security advisory page and Debian security tracker.
- collector/debian-bugs
- alias/CVE-2018-12227
- collector/security-tracker-debian
- collector/nvd-index
- agent/weakness
- agent/severity
- agent/author
- agent/event
- agent/references
- agent/type
- agent/description
- agent/remedy
- agent/last-modified-date
- agent/softwarecombine
- agent/tags
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- package-manager/debian
- vendor/digium
- canonical/digium asterisk
- version/digium asterisk/13.0.0
- version/digium asterisk/15.0.0
- canonical/digium certified asterisk
- version/digium certified asterisk/13.18-cert1
- version/digium certified asterisk/13.18-cert2
- version/digium certified asterisk/13.18-cert3
- version/digium certified asterisk/13.21-cert1
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0