Release date:
Updated on:
Affected Systems:
Asterisk Business Edition C.3.7.4
Asterisk Business Edition C.3.7.3
Asterisk Business Edition C.3.6.4
Asterisk Business Edition C.3.6.3
Asterisk Business Edition C.3.6.2
Asterisk Business Edition C.3.3.2
Asterisk Business Edition C.3.2 3
Asterisk Business Edition C.3.2 2
Asterisk Business Edition C.3.1.0
Asterisk Business Edition C.3.1 1
Asterisk Business Edition
Description:
--------------------------------------------------------------------------------
Bugtraq ID: 55335
CVE ID: CVE-2012-4737
Asterisk is free and open-source software that implements a private branch exchange (PBX).
channels/chan_iax2.c in Asterisk Open Source 1.8.x before 1.8.15.1 and 10.x before 10.7.1, Certified Asterisk 1.8.11 before 1.8.11-cert7, Asterisk Digiumphones 10.x.x-digiumphones before 10.7.1-digiumphones, and Asterisk Business Edition C.3.x before C.3.7.6 does not enforce ACL rules when peer credentials are used. This security restriction bypass vulnerability allows authenticated remote users to bypass the intended outgoing call restrictions by using these credentials.
<* Source: Alan Frisch *>
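A version check for the branches named in the description, as an added example that is not part of the original advisory or the vendor's code. The function names, the accepted version-string formats and the sample inventory are assumptions made for illustration.

```python
import re

# Fixed releases, from the version ranges in the description above.
FIXED_OPEN_1_8 = (1, 8, 15, 1)   # Asterisk Open Source 1.8.x
FIXED_10 = (10, 7, 1)            # Open Source 10.x and 10.x.x-digiumphones
FIXED_CERT = 7                   # Certified Asterisk 1.8.11-certN
FIXED_BUSINESS = (3, 7, 6)       # Asterisk Business Edition C.3.x

def _nums(text):
    return tuple(int(p) for p in text.split("."))

def is_affected(version):
    """True/False for a branch the advisory covers; None for anything else
    (unknown branches and unparsable strings get no guessed verdict)."""
    v = version.strip()
    m = re.fullmatch(r"C\.(\d+(?:\.\d+)*)", v)            # Business Edition
    if m:
        n = _nums(m.group(1))
        return n < FIXED_BUSINESS if n[0] == 3 else None
    m = re.fullmatch(r"(\d+(?:\.\d+)*)-cert(\d+)", v)      # Certified Asterisk
    if m:
        if _nums(m.group(1)) != (1, 8, 11):
            return None
        return int(m.group(2)) < FIXED_CERT
    m = re.fullmatch(r"(\d+(?:\.\d+)*)-digiumphones", v)   # Digiumphones
    if m:
        n = _nums(m.group(1))
        return n < FIXED_10 if n[0] == 10 else None
    if re.fullmatch(r"\d+(?:\.\d+)*", v):                  # Open Source
        n = _nums(v)
        if n[:2] == (1, 8):
            return n < FIXED_OPEN_1_8
        if n[0] == 10:
            return n < FIXED_10
    return None

# Constructed sample inventory; hostnames and versions are made up.
INVENTORY = {"pbx-a": "1.8.15.0", "pbx-b": "10.7.1", "pbx-c": "1.8.11-cert6",
             "pbx-d": "C.3.7.6", "pbx-e": "11.0.0"}

def triage(inventory):
    """Map each host to True (affected), False (fixed) or None (not covered)."""
    return {host: is_affected(ver) for host, ver in inventory.items()}

if __name__ == "__main__":
    for host, verdict in triage(INVENTORY).items():
        print(host, {True: "AFFECTED", False: "fixed", None: "review"}[verdict])
```

A `None` verdict means the string did not match a branch listed in this advisory and needs manual review.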
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Asterisk
--------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
http://downloads.asterisk.org/pub/security/