7.8

CVE-2009-2726

Exploit

The SIP channel driver in Asterisk Open Source 1.2.x before 1.2.34, 1.4.x before 1.4.26.1, 1.6.0.x before 1.6.0.12, and 1.6.1.x before 1.6.1.4; Asterisk Business Edition A.x.x, B.x.x before B.2.5.9, C.2.x before C.2.4.1, and C.3.x before C.3.1; and Asterisk Appliance s800i 1.2.x before 1.3.0.3 does not use a maximum width when invoking sscanf style functions, which allows remote attackers to cause a denial of service (stack memory consumption) via SIP packets containing large sequences of ASCII decimal characters, as demonstrated via vectors related to (1) the CSeq value in a SIP header, (2) large Content-Length value, and (3) SDP.

Data is provided by the National Vulnerability Database (NVD)
DigiumAsterisk Editionbusiness Version < b.2.5.9
DigiumAsterisk Editionbusiness Version >= c.2.0 <= c.2.4.1
DigiumAsterisk Editionbusiness Version >= c.3.0 < c.3.1
DigiumS800i Firmware Version >= 1.2.0 < 1.3.0.3
   DigiumS800i Version-
DigiumAsterisk Version >= 1.2.0 < 1.2.34
DigiumAsterisk Version >= 1.4.0 < 1.4.26.1
DigiumAsterisk Version >= 1.6.0 < 1.6.0.12
DigiumAsterisk Version >= 1.6.1 < 1.6.1.4
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 30.69% 0.965
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 7.8 10 6.9
AV:N/AC:L/Au:N/C:N/I:N/A:C
CWE-770 Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

http://secunia.com/advisories/36227
Vendor Advisory
Broken Link
http://www.securityfocus.com/archive/1/505669/100/0/threaded
Third Party Advisory
Broken Link
VDB Entry
http://www.securityfocus.com/bid/36015
Third Party Advisory
Exploit
Broken Link
VDB Entry
http://www.securitytracker.com/id?1022705
Third Party Advisory
Broken Link
VDB Entry