SB2017110903 - Denial of service in Digium Asterisk

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2017110903

SB2017110903 - Denial of service in Digium Asterisk

Published: November 9, 2017

Security Bulletin ID SB2017110903
CSH Severity
Low
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Partial DoS

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 vulnerabilities.


1) Buffer overflow (CVE-ID: N/A)

CWE-ID: CWE-120 - Buffer overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote authenticated attacker to cause DoS condition on the target system.

The weakness exists in CDR's set user due to buffer overflow when setting the user field for Party B on a call detail record (CDR). A remote attacker can send large string that is designed to write past the end of the user field storage buffer and cause the application to crash.

Successful exploitation of the vulnerability results in denial of service.

2) Resource exhaustion (CVE-ID: N/A)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists in pjsip session resource due to insufficient handling of session objects. A remote attacker can submit specially crafted session objects for processing, consume excessive resources and cause the application to crash.

Successful exploitation of the vulnerability results in denial of service.

3) Buffer overflow (CVE-ID: N/A)

CWE-ID: CWE-120 - Buffer overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists in the pjproject component due to improper processing of crafted invalid values in the Cseq and the Via header port. A remote attacker can submit specially crafted invalid values, trigger buffer overflow and cause the application to crash.

Successful exploitation of the vulnerability results in denial of service.

Remediation

Install update from vendor's website.

References