vendor:
Asterisk PBX
by:
kfinisterre[at]secnetops[dot]com
7.5
CVSS
HIGH
Format String Vulnerabilities
Not mentioned
CWE
Product Name: Asterisk PBX
Affected Version From: 0.7.0
Affected Version To: 2000.7.2
Patch Exists: NO
Related CWE: Not mentioned
CPE: Not mentioned
Platforms Tested: Linux
Not mentioned
Asterisk Format String Vulnerabilities
Asterisk is susceptible to format string vulnerabilities in its logging functions. An attacker may use these vulnerabilities to corrupt memory, and read or write arbitrary memory. Remote code execution is likely possible. Due to the nature of these vulnerabilities, there may exist many different avenues of attack. Anything that can potentially call the logging functions with user-supplied data is vulnerable.
Mitigation:
Patch or upgrade to a non-vulnerable version.