製品・ソフトウェアに関する情報

JVN脆弱性詳細

Asterisk Open Source の AsteriskGUI HTTP サーバにおける管理者のセッションをハイジャックされる脆弱性

Title	Asterisk Open Source の AsteriskGUI HTTP サーバにおける管理者のセッションをハイジャックされる脆弱性
Summary	Asterisk Open Source、Business Edition、AsteriskNOW、Appliance Developer Kit および s800i の AsteriskGUI HTTP サーバは、不十分にランダムな管理者 ID 値を生成するため、管理者のセッションをハイジャックされる脆弱性が存在します。
Possible impacts	第三者により、一連の ID の推測を介して、管理者のセッションをハイジャックされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	March 18, 2008, midnight
Registration Date	June 26, 2012, 4:02 p.m.
Last Update	June 26, 2012, 4:02 p.m.

CVSS2.0 : 危険
Score	9.3
Vector	AV:N/AC:M/Au:N/C:C/I:C/A:C

Affected System

Digium

Asterisk Open Source の 1.4.19-rc3 未満の 1.4.x、1.6.0-beta6 未満の 1.6.x

Asterisk Appliance Developer Kit revision 104704 未満

Asterisk Business Edition C.1.6 未満の C.x.x

AsteriskNOW 1.0.2

s800i 1.1.0.2 未満の 1.0.x

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2008-1390	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1390
National Vulnerability Database (NVD)
2	CVE-2008-1390	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-1390

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-255	https://jvndb.jvn.jp/ja/cwe/CWE-255.html

ベンダー情報

No	Name	URL
Asterisk
1	AST-2008-005	http://downloads.asterisk.org/pub/security/AST-2008-005.html

Change Log

No	Changed Details	Date of change
0	[2012年06月26日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2008-1390

Summary	The AsteriskGUI HTTP server in Asterisk Open Source 1.4.x before 1.4.19-rc3 and 1.6.x before 1.6.0-beta6, Business Edition C.x.x before C.1.6, AsteriskNOW before 1.0.2, Appliance Developer Kit before revision 104704, and s800i 1.0.x before 1.1.0.2 generates insufficiently random manager ID values, which makes it easier for remote attackers to hijack a manager session via a series of ID guesses.
Publication Date	March 25, 2008, 2:44 a.m.
Registration Date	Jan. 29, 2021, 1:33 p.m.
Last Update	Oct. 12, 2018, 5:33 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:asterisk:asterisk:1.4.1:::::::*
cpe:2.3:a:asterisk:asterisk:1.4.2:::::::*
cpe:2.3:a:asterisk:asterisk:1.4.3:::::::*
cpe:2.3:a:asterisk:asterisk:1.4.4:::::::*
cpe:2.3:a:asterisk:asterisk:1.4.5:::::::*
cpe:2.3:a:asterisk:asterisk:1.4.6:::::::*
cpe:2.3:a:asterisk:asterisk:1.4.7:::::::*
cpe:2.3:a:asterisk:asterisk:1.4.8:::::::*
cpe:2.3:a:asterisk:asterisk:1.4.9:::::::*
cpe:2.3:a:asterisk:asterisk:1.4.10:::::::*
cpe:2.3:a:asterisk:asterisk:1.4.11:::::::*
cpe:2.3:a:asterisk:asterisk:1.4.12:::::::*
cpe:2.3:a:asterisk:asterisk:1.4.13:::::::*
cpe:2.3:a:asterisk:asterisk:1.4.14:::::::*
cpe:2.3:a:asterisk:asterisk:1.4.15:::::::*
cpe:2.3:a:asterisk:asterisk:1.4.16:::::::*
cpe:2.3:a:asterisk:asterisk:1.4.17:::::::*
cpe:2.3:a:asterisk:asterisk:1.4.18.1:::::::*
cpe:2.3:a:asterisk:asterisk:1.4_beta:::::::*
cpe:2.3:a:asterisk:asterisk:1.4_revision_95946:::::::*
cpe:2.3:a:asterisk:asterisk:1.6:::::::*
cpe:2.3:a:asterisk:asterisk_appliance_developer_kit:0.2:::::::*
cpe:2.3:a:asterisk:asterisk_appliance_developer_kit:0.3:::::::*
cpe:2.3:a:asterisk:asterisk_appliance_developer_kit:0.4:::::::*
cpe:2.3:a:asterisk:asterisk_appliance_developer_kit:0.5:::::::*
cpe:2.3:a:asterisk:asterisk_appliance_developer_kit:0.6:::::::*
cpe:2.3:a:asterisk:asterisk_appliance_developer_kit:0.7:::::::*
cpe:2.3:a:asterisk:asterisk_appliance_developer_kit:0.8:::::::*
cpe:2.3:a:asterisk:asterisk_appliance_developer_kit:1.4:::::::*
cpe:2.3:a:asterisk:asterisk_business_edition:c.1.0-beta7:::::::*
cpe:2.3:a:asterisk:asterisk_business_edition:c.1.0-beta8:::::::*
cpe:2.3:a:asterisk:asterisknow:1.0:::::::*
cpe:2.3:a:asterisk:asterisknow:beta_5:::::::*
cpe:2.3:a:asterisk:asterisknow:beta_6:::::::*
cpe:2.3:a:asterisk:asterisknow:beta_7:::::::*
cpe:2.3:a:asterisk:s800i:1.0:::::::*
cpe:2.3:a:asterisk:s800i:1.0.1:::::::*
cpe:2.3:a:asterisk:s800i:1.0.2:::::::*
cpe:2.3:a:asterisk:s800i:1.0.3:::::::*
cpe:2.3:a:asterisk:s800i:1.1.0:::::::*

Related information, measures and tools

No	URL	refsource	タグ
1	http://downloads.digium.com/pub/security/AST-2008-005.html	CONFIRM
2	http://secunia.com/advisories/29449	SECUNIA	Vendor Advisory
3	http://secunia.com/advisories/29470	SECUNIA
4	http://securityreason.com/securityalert/3764	SREASON
5	http://www.securityfocus.com/archive/1/489819/100/0/threaded	BUGTRAQ
6	http://www.securityfocus.com/bid/28316	BID
7	http://www.securitytracker.com/id?1019679	SECTRACK
8	https://exchange.xforce.ibmcloud.com/vulnerabilities/41304	XF
9	https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00438.html	FEDORA
10	https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00514.html	FEDORA

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-255	証明書・パスワード管理	https://cwe.mitre.org/data/definitions/255.html

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:asterisk:asterisk:1.4.1:::::::*
cpe:2.3:a:asterisk:asterisk:1.4.2:::::::*
cpe:2.3:a:asterisk:asterisk:1.4.3:::::::*
cpe:2.3:a:asterisk:asterisk:1.4.4:::::::*
cpe:2.3:a:asterisk:asterisk:1.4.5:::::::*
cpe:2.3:a:asterisk:asterisk:1.4.6:::::::*
cpe:2.3:a:asterisk:asterisk:1.4.7:::::::*
cpe:2.3:a:asterisk:asterisk:1.4.8:::::::*
cpe:2.3:a:asterisk:asterisk:1.4.9:::::::*
cpe:2.3:a:asterisk:asterisk:1.4.10:::::::*
cpe:2.3:a:asterisk:asterisk:1.4.11:::::::*
cpe:2.3:a:asterisk:asterisk:1.4.12:::::::*
cpe:2.3:a:asterisk:asterisk:1.4.13:::::::*
cpe:2.3:a:asterisk:asterisk:1.4.14:::::::*
cpe:2.3:a:asterisk:asterisk:1.4.15:::::::*
cpe:2.3:a:asterisk:asterisk:1.4.16:::::::*
cpe:2.3:a:asterisk:asterisk:1.4.17:::::::*
cpe:2.3:a:asterisk:asterisk:1.4.18.1:::::::*
cpe:2.3:a:asterisk:asterisk:1.4_beta:::::::*
cpe:2.3:a:asterisk:asterisk:1.4_revision_95946:::::::*
cpe:2.3:a:asterisk:asterisk:1.6:::::::*
cpe:2.3:a:asterisk:asterisk_appliance_developer_kit:0.2:::::::*
cpe:2.3:a:asterisk:asterisk_appliance_developer_kit:0.3:::::::*
cpe:2.3:a:asterisk:asterisk_appliance_developer_kit:0.4:::::::*
cpe:2.3:a:asterisk:asterisk_appliance_developer_kit:0.5:::::::*
cpe:2.3:a:asterisk:asterisk_appliance_developer_kit:0.6:::::::*
cpe:2.3:a:asterisk:asterisk_appliance_developer_kit:0.7:::::::*
cpe:2.3:a:asterisk:asterisk_appliance_developer_kit:0.8:::::::*
cpe:2.3:a:asterisk:asterisk_appliance_developer_kit:1.4:::::::*
cpe:2.3:a:asterisk:asterisk_business_edition:c.1.0-beta7:::::::*
cpe:2.3:a:asterisk:asterisk_business_edition:c.1.0-beta8:::::::*
cpe:2.3:a:asterisk:asterisknow:1.0:::::::*
cpe:2.3:a:asterisk:asterisknow:beta_5:::::::*
cpe:2.3:a:asterisk:asterisknow:beta_6:::::::*
cpe:2.3:a:asterisk:asterisknow:beta_7:::::::*
cpe:2.3:a:asterisk:s800i:1.0:::::::*
cpe:2.3:a:asterisk:s800i:1.0.1:::::::*
cpe:2.3:a:asterisk:s800i:1.0.2:::::::*
cpe:2.3:a:asterisk:s800i:1.0.3:::::::*
cpe:2.3:a:asterisk:s800i:1.1.0:::::::*