CVE-2006-2898
asterisk - several
EPSS 0.32%
Description
The IAX2 channel driver (chan_iax2) for Asterisk 1.2.x before 1.2.9 and 1.0.x before 1.0.11 allows remote attackers to cause a denial of service (crash) and execute arbitrary code via truncated IAX 2 (IAX2) video frames, which bypasses a length check and leads to a buffer overflow involving negative length check. NOTE: the vendor advisory claims that only a DoS is possible, but the original researcher is reliable.
How to fix CVE-2006-2898
To remediate CVE-2006-2898, upgrade the affected package to a fixed version below.
- Debian/asterisk—upgrade to 1:1.2.10.dfsg-2 or later
- —upgrade to 1:1.0.7.dfsg.1-2sarge3 or later
- —upgrade to 0.1.8.dfsg-2 or later
Is CVE-2006-2898 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- from 0, < 1:1.2.10.dfsg-2
- from 0, < 1:1.0.7.dfsg.1-2sarge3
- from 0, < 0.1.8.dfsg-2