7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.149 Low
EPSS
Percentile
95.8%
Asterisk is an open source implementation of a telephone private branch exchange (PBX).
Asterisk fails to properly check the length of truncated video frames in the IAX2 channel driver which results in a buffer overflow.
An attacker could exploit this vulnerability by sending a specially crafted IAX2 video stream resulting in the execution of arbitrary code with the permissions of the user running Asterisk.
Disable public IAX2 support.
All Asterisk users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/asterisk-1.0.11_p1"
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Gentoo | any | all | net-misc/asterisk | < 1.0.11_p1 | UNKNOWN |