BID:58756

Multiple Asterisk Products CVE-2013-2686 'Content-Length' Header Denial of Service Vulnerability

Info

Multiple Asterisk Products CVE-2013-2686 'Content-Length' Header Denial of Service Vulnerability

Bugtraq ID:	58756
Class:	Unknown
CVE:	CVE-2013-2686
Remote:	Yes
Local:	No
Published:	Mar 27 2013 12:00AM
Updated:	Apr 13 2015 09:13PM
Credit:	Christoph Hebeisen, TELUS Security Labs
Vulnerable:	Mandriva Business Server 1 X86 64 Mandriva Business Server 1 Asterisk Certified Asterisk 1.8.15-cert1 Asterisk Asterisk Open Source 11.2.1 Asterisk Asterisk Open Source 11.2 Asterisk Asterisk Open Source 11.1.2 Asterisk Asterisk Open Source 10.12.1 Asterisk Asterisk Open Source 10.12 Asterisk Asterisk Open Source 1.8.20 1 Asterisk Asterisk Open Source 1.8.20 0 Asterisk Asterisk Open Source 10.11.1 Asterisk Asterisk Open Source 1.8.19.1 Asterisk Asterisk Digiumphones 10.12.1-digiumphones Asterisk Asterisk Digiumphones 10.12.0-digiumphones Asterisk Asterisk Digiumphones 10.11.1-digiumphones

Not Vulnerable:	Asterisk Certified Asterisk 1.8.15-cert2 Asterisk Asterisk Open Source 11.2.2 Asterisk Asterisk Open Source 10.12.2 Asterisk Asterisk Open Source 1.8.20 2 Asterisk Asterisk Digiumphones 10.12.2-digiumphones

Discussion

Multiple Asterisk Products CVE-2013-2686 'Content-Length' Header Denial of Service Vulnerability

Multiple Asterisk products are prone to a remote denial-of-service vulnerability.

Attackers can exploit this issue to crash the application, resulting in denial-of-service conditions.

The following products are vulnerable:

Asterisk Open Source
Certified Asterisk
Asterisk Digiumphones

Exploit / POC

Multiple Asterisk Products CVE-2013-2686 'Content-Length' Header Denial of Service Vulnerability

Currently, we are not aware of any working exploits. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].

Solution / Fix

Multiple Asterisk Products CVE-2013-2686 'Content-Length' Header Denial of Service Vulnerability

Solution:
Updates are available. Please see the references or vendor advisory for more information.

Mandriva Business Server 1 X86 64

Mandriva asterisk-11.2.2-1.mbs1.x86_64.rpm
http://www.mandriva.com/en/downloads/

Mandriva asterisk-addons-11.2.2-1.mbs1.x86_64.rpm
http://www.mandriva.com/en/downloads/

Mandriva asterisk-devel-11.2.2-1.mbs1.x86_64.rpm
http://www.mandriva.com/en/downloads/

Mandriva asterisk-firmware-11.2.2-1.mbs1.x86_64.rpm
http://www.mandriva.com/en/downloads/

Mandriva asterisk-plugins-alsa-11.2.2-1.mbs1.x86_64.rpm
http://www.mandriva.com/en/downloads/

Mandriva asterisk-plugins-calendar-11.2.2-1.mbs1.x86_64.rpm
http://www.mandriva.com/en/downloads/

Mandriva asterisk-plugins-cel-11.2.2-1.mbs1.x86_64.rpm
http://www.mandriva.com/en/downloads/

Mandriva asterisk-plugins-corosync-11.2.2-1.mbs1.x86_64.rpm
http://www.mandriva.com/en/downloads/

Mandriva asterisk-plugins-curl-11.2.2-1.mbs1.x86_64.rpm
http://www.mandriva.com/en/downloads/

Mandriva asterisk-plugins-dahdi-11.2.2-1.mbs1.x86_64.rpm
http://www.mandriva.com/en/downloads/

Mandriva asterisk-plugins-fax-11.2.2-1.mbs1.x86_64.rpm
http://www.mandriva.com/en/downloads/

Mandriva asterisk-plugins-festival-11.2.2-1.mbs1.x86_64.rpm
http://www.mandriva.com/en/downloads/

Mandriva asterisk-plugins-ices-11.2.2-1.mbs1.x86_64.rpm
http://www.mandriva.com/en/downloads/

Mandriva asterisk-plugins-jabber-11.2.2-1.mbs1.x86_64.rpm
http://www.mandriva.com/en/downloads/

Mandriva asterisk-plugins-jack-11.2.2-1.mbs1.x86_64.rpm
http://www.mandriva.com/en/downloads/

Mandriva asterisk-plugins-ldap-11.2.2-1.mbs1.x86_64.rpm
http://www.mandriva.com/en/downloads/

Mandriva asterisk-plugins-lua-11.2.2-1.mbs1.x86_64.rpm
http://www.mandriva.com/en/downloads/

Mandriva asterisk-plugins-minivm-11.2.2-1.mbs1.x86_64.rpm
http://www.mandriva.com/en/downloads/

Mandriva asterisk-plugins-mobile-11.2.2-1.mbs1.x86_64.rpm
http://www.mandriva.com/en/downloads/

Mandriva asterisk-plugins-mp3-11.2.2-1.mbs1.x86_64.rpm
http://www.mandriva.com/en/downloads/

Mandriva asterisk-plugins-mysql-11.2.2-1.mbs1.x86_64.rpm
http://www.mandriva.com/en/downloads/

Mandriva asterisk-plugins-ooh323-11.2.2-1.mbs1.x86_64.rpm
http://www.mandriva.com/en/downloads/

Mandriva asterisk-plugins-osp-11.2.2-1.mbs1.x86_64.rpm
http://www.mandriva.com/en/downloads/

Mandriva asterisk-plugins-oss-11.2.2-1.mbs1.x86_64.rpm
http://www.mandriva.com/en/downloads/

Mandriva asterisk-plugins-pgsql-11.2.2-1.mbs1.x86_64.rpm
http://www.mandriva.com/en/downloads/

Mandriva asterisk-plugins-pktccops-11.2.2-1.mbs1.x86_64.rpm
http://www.mandriva.com/en/downloads/

Mandriva asterisk-plugins-portaudio-11.2.2-1.mbs1.x86_64.rpm
http://www.mandriva.com/en/downloads/

Mandriva asterisk-plugins-radius-11.2.2-1.mbs1.x86_64.rpm
http://www.mandriva.com/en/downloads/

Mandriva asterisk-plugins-saycountpl-11.2.2-1.mbs1.x86_64.rpm
http://www.mandriva.com/en/downloads/

Mandriva asterisk-plugins-skinny-11.2.2-1.mbs1.x86_64.rpm
http://www.mandriva.com/en/downloads/

Mandriva asterisk-plugins-snmp-11.2.2-1.mbs1.x86_64.rpm
http://www.mandriva.com/en/downloads/

Mandriva asterisk-plugins-speex-11.2.2-1.mbs1.x86_64.rpm
http://www.mandriva.com/en/downloads/

Mandriva asterisk-plugins-sqlite-11.2.2-1.mbs1.x86_64.rpm
http://www.mandriva.com/en/downloads/

Mandriva asterisk-plugins-tds-11.2.2-1.mbs1.x86_64.rpm
http://www.mandriva.com/en/downloads/

Mandriva asterisk-plugins-unistim-11.2.2-1.mbs1.x86_64.rpm
http://www.mandriva.com/en/downloads/

Mandriva asterisk-plugins-voicemail-11.2.2-1.mbs1.x86_64.rpm
http://www.mandriva.com/en/downloads/

Mandriva asterisk-plugins-voicemail-imap-11.2.2-1.mbs1.x86_64.rpm
http://www.mandriva.com/en/downloads/

Mandriva asterisk-plugins-voicemail-plain-11.2.2-1.mbs1.x86_64.rpm
http://www.mandriva.com/en/downloads/

Mandriva lib64asteriskssl1-11.2.2-1.mbs1.x86_64.rpm
http://www.mandriva.com/en/downloads/

References

Multiple Asterisk Products CVE-2013-2686 'Content-Length' Header Denial of Service Vulnerability

References:

Asterisk Homepage (Asterisk)
Asterisk Project Security Advisory - AST-2013-002 (Asterisk)