
Sid 1-21673

Message

PROTOCOL-VOIP Digium Asterisk SCCP overly large mem copy attempt

Summary

The Skinny channel driver (chan_skinny) in Asterisk before 1.2.22 and 1.4.x before 1.4.8, Business Edition before B.2.2.1, AsteriskNOW before beta7, Appliance Developer Kit before 0.5.0, and s800i before 1.0.2 allows remote attackers to cause a denial of service (crash) via a certain data length value in a crafted packet, which results in an "overly large memcpy."

Impact

CVSS base score 5.0; CVSS impact score 2.9; CVSS exploitability score 10.0; Confidentiality Impact NONE; Integrity Impact NONE; Availability Impact NONE

CVE-2007-3764:

CVSS base score 5.0

CVSS impact score 2.9

CVSS exploitability score 10.0

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

Detailed information

CVE-2007-3764: The Skinny channel driver (chan_skinny) in Asterisk before 1.2.22 and 1.4.x before 1.4.8, Business Edition before B.2.2.1, AsteriskNOW before beta7, Appliance Developer Kit before 0.5.0, and s800i before 1.0.2 allows remote attackers to cause a denial of service (crash) via a certain data length value in a crafted packet, which results in an "overly large memcpy."

Affected systems

  • asterisk asterisk 1.0
  • asterisk asterisk 1.0.6
  • asterisk asterisk 1.0.7
  • asterisk asterisk 1.0.8
  • asterisk asterisk 1.0.9
  • asterisk asterisk 1.0.10
  • asterisk asterisk 1.0.11
  • asterisk asterisk 1.0.12
  • asterisk asterisk 1.2.0_beta1
  • asterisk asterisk 1.2.0_beta2
  • asterisk asterisk 1.2.5
  • asterisk asterisk 1.2.6
  • asterisk asterisk 1.2.7
  • asterisk asterisk 1.2.8
  • asterisk asterisk 1.2.9
  • asterisk asterisk 1.2.10
  • asterisk asterisk 1.2.11
  • asterisk asterisk 1.2.12
  • asterisk asterisk 1.2.13
  • asterisk asterisk 1.2.14
  • asterisk asterisk 1.2.15
  • asterisk asterisk 1.2.16
  • asterisk asterisk 1.2.17
  • asterisk asterisk 1.4.1
  • asterisk asterisk 1.4.2
  • asterisk asterisk 1.4.4_2007-04-27
  • asterisk asterisk 1.4_beta
  • asterisk asterisk a
  • asterisk asterisk b.1.3.2
  • asterisk asterisk b.1.3.3
  • asterisk asterisk b.2.2.0
  • asterisk asteriskappliancedeveloper_kit 0.4
  • asterisk asterisknow beta_5
  • asterisk asterisknow beta_6
  • asterisk s800i_appliance 1.0
  • asterisk s800i_appliance 1.0.1

Ease of attack

CVE-2007-3764:

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

False positives

None known

False negatives

None known

Corrective action

Upgrade to the latest non-affected version of the software.

Apply the appropriate vendor-supplied patches.

Contributors

  • Talos research team.
  • This document was generated from data supplied by the National Vulnerability Database, a product of the National Institute of Standards and Technology.
  • For more information, see NVD.
