CVE-2008-0095 : The SIP channel driver in Asterisk Open Source 1.4.x before 1.4.17, Business Edi

The SIP channel driver in Asterisk Open Source 1.4.x before 1.4.17, Business Edition before C.1.0-beta8, AsteriskNOW before beta7, Appliance Developer Kit before Asterisk 1.4 revision 95946, and Appliance s800i 1.0.x before 1.0.3.4 allows remote attackers to cause a denial of service (daemon crash) via a BYE message with an Also (Also transfer) header, which triggers a NULL pointer dereference.

Published 2008-01-08 02:46:00

Updated 2025-04-09 00:30:58

Source MITRE

View at NVD, CVE.org

Vulnerability category: Memory CorruptionDenial of service

Products affected by CVE-2008-0095

Asterisk » Asterisknow
Versions up to, including, (<=) beta_6
cpe:2.3:a:asterisk:asterisknow:*:*:*:*:*:*:*:*
Matching versions
Asterisk » Asterisk Appliance Developer Kit
Versions up to, including, (<=) 1.4_revision_95945
cpe:2.3:a:asterisk:asterisk_appliance_developer_kit:*:*:*:*:*:*:*:*
Matching versions
Asterisk » S800i
Versions up to, including, (<=) 1.0.3.3
cpe:2.3:a:asterisk:s800i:*:*:*:*:*:*:*:*
Matching versions
Asterisk » Asterisk Business Edition
Versions up to, including, (<=) c.1.0beta7
cpe:2.3:a:asterisk:asterisk_business_edition:*:*:*:*:*:*:*:*
Matching versions
Asterisk » Open Source
Versions up to, including, (<=) 1.4.16
cpe:2.3:a:asterisk:open_source:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2008-0095

EPSS FAQ

31.36%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 96 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2008-0095

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
5.0	MEDIUM	AV:N/AC:L/Au:N/C:N/I:N/A:P	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial

CWE ids for CVE-2008-0095

CWE-399

Assigned by: nvd@nist.gov (Primary)

References for CVE-2008-0095

http://downloads.digium.com/pub/security/AST-2008-001.html

Index of /pub/security/
Patch
http://bugs.digium.com/view.php?id=11637

Patch
http://www.vupen.com/english/advisories/2008/0019

Site en construction
http://secunia.com/advisories/28299

About Secunia Research | Flexera
https://exchange.xforce.ibmcloud.com/vulnerabilities/39361

Asterisk BYE/Also transfer method denial of service CVE-2008-0095 Vulnerability Report
http://secunia.com/advisories/28312

About Secunia Research | Flexera
Patch;Vendor Advisory
https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00167.html

[SECURITY] Fedora 8 Update: asterisk-1.4.17-1.fc8
http://www.securitytracker.com/id?1019152

Access Denied
http://securityreason.com/securityalert/3520

Crash from transfer using BYE with Also header - CXSecurity.com
http://www.securityfocus.com/bid/27110

Exploit;Patch
http://www.securityfocus.com/archive/1/485727/100/0/threaded
https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00166.html

[SECURITY] Fedora 7 Update: asterisk-1.4.17-1.fc7

Jump to

Vulnerability Details : CVE-2008-0095

Products affected by CVE-2008-0095

Exploit prediction scoring system (EPSS) score for CVE-2008-0095

CVSS scores for CVE-2008-0095

CWE ids for CVE-2008-0095

References for CVE-2008-0095