PT-2011-2394 · Digium · Asterisk Business Edition +1

Published: 2011-01-20 · Updated: 2020-07-15 · CVE-2011-0495

CVSS v2.0: 6.0 (Medium)
Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions

Asterisk Open Source versions prior to 1.4.38.1
Asterisk Open Source versions prior to 1.4.39.1
Asterisk Open Source versions prior to 1.6.1.21
Asterisk Open Source versions prior to 1.6.2.15.1
Asterisk Open Source versions prior to 1.6.2.16.1
Asterisk Open Source versions prior to 1.8.1.2
Asterisk Open Source versions prior to 1.8.2
Asterisk Business Edition versions prior to C.3.6.2
Description

The issue is a stack-based buffer overflow in the ast_uri_encode function. It occurs when the software is running in pedantic mode and allows remote authenticated users to execute arbitrary code via crafted caller ID data. The vulnerability can be reached through vectors involving the SIP channel driver, the URIENCODE dialplan function, or the AGI dialplan function.
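The defect class above is a percent-encoder writing into a fixed-size stack buffer without accounting for the 3-to-1 expansion of escaped bytes. The following is an added illustration, not Asterisk's ast_uri_encode or its patch: a bounded encoder that checks the remaining capacity before every write and rejects input that would not fit, so a caller-ID string of any length can only ever produce an error, never a write past the buffer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: RFC 3986 unreserved characters are copied as-is. */
static int is_unreserved(unsigned char c) {
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
           (c >= '0' && c <= '9') || c == '-' || c == '.' || c == '_' || c == '~';
}

/* Percent-encode 'in' into 'out' (capacity 'outlen', including the NUL).
 * Returns 0 on success, -1 if the encoded form would not fit. On failure
 * 'out' is emptied so a caller never consumes a truncated value. */
int uri_encode_bounded(const char *in, char *out, size_t outlen) {
    static const char hex[] = "0123456789ABCDEF";
    size_t o = 0;
    if (outlen == 0) return -1;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        size_t need = is_unreserved(*p) ? 1 : 3;
        /* Bound check before writing: one escaped byte becomes three. */
        if (outlen - 1 - o < need) { out[0] = '\0'; return -1; }
        if (need == 1) {
            out[o++] = (char)*p;
        } else {
            out[o++] = '%';
            out[o++] = hex[*p >> 4];
            out[o++] = hex[*p & 0x0F];
        }
    }
    out[o] = '\0';
    return 0;
}

/* Test helper: encode into a 'cap'-byte buffer. With 'expect' set, returns 1
 * only if encoding succeeded and matched; with expect == NULL, returns 1 only
 * if the input was rejected and the buffer left empty. */
int encode_check(const char *in, size_t cap, const char *expect) {
    char buf[64];
    if (cap > sizeof buf) return 0;
    int rc = uri_encode_bounded(in, buf, cap);
    if (expect) return rc == 0 && strcmp(buf, expect) == 0;
    return rc == -1 && buf[0] == '\0';
}

int main(void) {
    char buf[16];
    /* Constructed inputs: a short value fits, a run of '<' would need 24 bytes. */
    if (uri_encode_bounded("a b", buf, sizeof buf) == 0) printf("%s\n", buf);
    if (uri_encode_bounded("<<<<<<<<", buf, sizeof buf) != 0) printf("rejected\n");
    return 0;
}
```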
Recommendations

For Asterisk Open Source versions prior to 1.4.38.1, update to version 1.4.38.1 or later.
For Asterisk Open Source versions prior to 1.4.39.1, update to version 1.4.39.1 or later.
For Asterisk Open Source versions prior to 1.6.1.21, update to version 1.6.1.21 or later.
For Asterisk Open Source versions prior to 1.6.2.15.1, update to version 1.6.2.15.1 or later.
For Asterisk Open Source versions prior to 1.6.2.16.1, update to version 1.6.2.16.1 or later.
For Asterisk Open Source versions prior to 1.8.1.2, update to version 1.8.1.2 or later.
For Asterisk Open Source versions prior to 1.8.2, update to version 1.8.2 or later.
For Asterisk Business Edition versions prior to C.3.6.2, update to version C.3.6.2 or later.

Fix

Memory Corruption


Weakness Enumeration

Related identifiers

CVE-2011-0495
DSA-2171-1

Affected products

Asterisk Business Edition
Asterisk Open Source