{"vuid":"VU#521252","idnumber":"521252","name":"Integer overflow vulnerability in Asterisk driver for Cisco SCCP-enabled phones","keywords":["Asterisk","Skinny channel driver","Cisco SCCP phones","integer overflow","get_input() function","chan_skinny.c"],"overview":"Asterisk contains an integer overflow vulnerability. This vulnerability may allow an attacker to run arbitrary code.","clean_desc":"Asterisk is an open-source PBX software package that provides voicemail, three-way calling, and other features. Skinny Client Control Protocol (SCCP) is a proprietary Cisco protocol that is used to connect Cisco Call Managers and Cisco Voice over IP (VOIP) phones. Asterisk provides a driver for phones that use the SCCP protocol called chan_skinny. An integer overflow vulnerability exists in the get_input(struct skinnysession *s) function which is found in the chan_skinny driver. Exploitation of this vulnerability may allow an attacker to execute arbitrary code. Note that the chan_skinny driver only needs to be installed and loaded for a system to be vulnerable.","impact":"A remote, unauthenticated attacker may be able to execute arbitrary code with root privileges.","resolution":"Update\nThe Asterisk Development Team has released an update to address this issue. See Asterisk update 1.2.13 and 1.0.12 for more details.","workarounds":"Restrict access\nRestricting network access to port 2000/tcp on the Asterisk server may limit exposure to this vulnerability. Do not load unnecessary drivers\nAdding noload=>chan_skinny.so to the modules.conf file will prevent the vulnerable driver from loading at startup time.","sysaffected":"","thanks":"This vulnerability report was based on information from Adam Boileau of Security-Assessment.com.","author":"This document was written by Ryan Giobbi.","public":["http://lists.grok.org.uk/pipermail/full-disclosure/2006-October/050171.html","http://secunia.com/advisories/22480/","http://www.asterisk.org/node/109","http://www.cisco.com/en/US/tech/tk652/tk701/tk589/tsd_technology_support_sub-protocol_home.html","http://www.asterisk.org/node/108","http://secunia.com/advisories/22651/","http://secunia.com/advisories/22979/","http://secunia.com/advisories/23212/","http://www.securityfocus.com/bid/20617"],"cveids":["CVE-2006-5444"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2006-10-20T18:13:26Z","publicdate":"2006-10-18T00:00:00Z","datefirstpublished":"2006-10-24T16:58:21Z","dateupdated":"2007-01-19T17:44:13Z","revision":40,"vrda_d1_directreport":"0","vrda_d1_population":"2","vrda_d1_impact":"3","cam_widelyknown":"15","cam_exploitation":"0","cam_internetinfrastructure":"4","cam_population":"3","cam_impact":"14","cam_easeofexploitation":"17","cam_attackeraccessrequired":"15","cam_scorecurrent":"3.8154375","cam_scorecurrentwidelyknown":"4.8195","cam_scorecurrentwidelyknownexploited":"8.83575","ipprotocol":"tcp","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":3.8154375,"vulnote":null}