Insufficient Randomness in Asterisk GUI HTTP Server
CVE-2008-1390

Currently unrated

Key Information:

Vendor: Asterisk
Status: Asterisk; Asterisk Appliance Developer Kit; S800i; Asterisknow
Vendor: CVE Published:; 24 March 2008

Summary

The AsteriskGUI HTTP server in various versions of Asterisk, including Open Source and Business Edition, generates manager ID values that lack sufficient randomness. This predictability allows attackers to more easily guess valid manager IDs, potentially enabling them to hijack sessions. Users of affected Asterisk versions are recommended to upgrade to the latest versions to mitigate this vulnerability.

References

http://securityreason.com/securityalert/3764

third-party-advisoryx_refsource_SREASON

http://www.securityfocus.com/bid/28316

vdb-entryx_refsource_BID

http://www.securityfocus.com/archive/1/489819/100/0/threaded

mailing-listx_refsource_BUGTRAQ

Timeline

Vulnerability published
Mar 24, 2008
Vulnerability Reserved
Mar 18, 2008