CVE-2006-2898

2006-06-0710:02:00

CWE-119

[email protected]

web.nvd.nist.gov

cve-2006-2898

iax2

asterisk

channel driver

denial of service

remote attackers

arbitrary code

buffer overflow

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

7.9 High

AI Score

Confidence

Low

0.149 Low

EPSS

Percentile

95.8%

JSON

The IAX2 channel driver (chan_iax2) for Asterisk 1.2.x before 1.2.9 and 1.0.x before 1.0.11 allows remote attackers to cause a denial of service (crash) and execute arbitrary code via truncated IAX 2 (IAX2) video frames, which bypasses a length check and leads to a buffer overflow involving negative length check. NOTE: the vendor advisory claims that only a DoS is possible, but the original researcher is reliable.

Affected configurations

NVD

Node

digiumasteriskMatch1.0.7

digiumasteriskMatch1.0.8

digiumasteriskMatch1.0.9

digiumasteriskMatch1.0.10

digiumasteriskMatch1.2.0_beta1

digiumasteriskMatch1.2.0_beta2

digiumasteriskMatch1.2.6

digiumasteriskMatch1.2.7

digiumasteriskMatch1.2.8

CPENameOperatorVersion
digium:asteriskdigium asteriskeq1.0.7
digium:asteriskdigium asteriskeq1.0.8
digium:asteriskdigium asteriskeq1.0.9
digium:asteriskdigium asteriskeq1.0.10
digium:asteriskdigium asteriskeq1.2.0_beta1
digium:asteriskdigium asteriskeq1.2.0_beta2
digium:asteriskdigium asteriskeq1.2.6
digium:asteriskdigium asteriskeq1.2.7
digium:asteriskdigium asteriskeq1.2.8

CPE	Name	Operator	Version
digium:asterisk	digium asterisk	eq	1.0.7
digium:asterisk	digium asterisk	eq	1.0.8
digium:asterisk	digium asterisk	eq	1.0.9
digium:asterisk	digium asterisk	eq	1.0.10
digium:asterisk	digium asterisk	eq	1.2.0_beta1
digium:asterisk	digium asterisk	eq	1.2.0_beta2
digium:asterisk	digium asterisk	eq	1.2.6
digium:asterisk	digium asterisk	eq	1.2.7
digium:asterisk	digium asterisk	eq	1.2.8