Denial of service in Digium Asterisk

Published: 2017-11-09 15:14:06
Severity Low
Patch available YES
Number of vulnerabilities 3
CVSSv2 3.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P/E:U/RL:OF/RC:C)
3.7 (AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)
3.7 (AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)
CVSSv3 3.6 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
4.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
4.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE ID N/A
CWE ID CWE-120
CWE-400
Exploitation vector Network
Public exploit Not available
Vulnerable software Certified Asterisk
Asterisk
Vulnerable software versions Certified Asterisk 13.13
Asterisk 13.15.0
Asterisk 13.14.0
Asterisk 13.13.0
Vendor URL Digium (Linux Support Services)
Advisory type Public

Security Advisory

1) Buffer overflow

Description

The vulnerability allows a remote authenticated attacker to cause a DoS condition on the target system.

The weakness exists in the CDR "set user" code: the user field for Party B on a call detail record (CDR) is written without checking the length of the supplied value against the field's storage buffer. A remote attacker who is able to set that field can supply a string longer than the buffer, write past its end and crash the application.

Successful exploitation of the vulnerability results in denial of service.
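The following is an added illustration of the CWE-120 pattern described above; it is not Asterisk source. A CDR-like record holds a fixed-size user field, the unchecked setter overflows it, and the bounded setter truncates and reports the truncation instead. The struct, the field names and USERFIELD_SIZE are assumptions made for the demo, not Asterisk's definitions.

```c
/* Added illustration of the unchecked-copy pattern, not Asterisk source.
 * USERFIELD_SIZE and struct cdr_party are assumed for the demo. */
#include <stdio.h>
#include <string.h>

#define USERFIELD_SIZE 32

struct cdr_party {
    char userfield[USERFIELD_SIZE];
    int  next_field;   /* lives right after the buffer; an overflow clobbers it */
};

/* Vulnerable: copies without checking the length, so a value longer than
 * USERFIELD_SIZE - 1 writes past the end of the buffer. Kept only as the
 * "before" of the fix; never call it with untrusted input. */
void set_userfield_unchecked(struct cdr_party *p, const char *value)
{
    strcpy(p->userfield, value);
}

/* Hardened: copy at most sizeof(buf) - 1 bytes and always NUL-terminate.
 * Returns 1 if the value fitted, 0 if it was truncated, so the caller can
 * log or reject oversized input instead of silently losing data. */
int set_userfield_bounded(struct cdr_party *p, const char *value)
{
    size_t max = sizeof(p->userfield) - 1;
    size_t len = strlen(value);

    if (len > max) {
        memcpy(p->userfield, value, max);
        p->userfield[max] = '\0';
        return 0;
    }
    memcpy(p->userfield, value, len + 1);
    return 1;
}

/* Self-check: an oversized value goes through the bounded setter and the
 * neighbouring field must survive. Returns 1 when the setter behaved. */
int bounded_setter_keeps_neighbours(void)
{
    struct cdr_party p;
    char big[4 * USERFIELD_SIZE];        /* constructed oversized input */

    memset(big, 'A', sizeof(big) - 1);
    big[sizeof(big) - 1] = '\0';
    p.next_field = 0x5A5A5A5A;

    if (set_userfield_bounded(&p, big) != 0)          /* must report truncation */
        return 0;
    if (strlen(p.userfield) != USERFIELD_SIZE - 1)    /* filled to capacity, terminated */
        return 0;
    return p.next_field == 0x5A5A5A5A;                /* nothing written past the buffer */
}

int main(void)
{
    struct cdr_party p;

    set_userfield_bounded(&p, "alice");
    printf("short value: '%s'\n", p.userfield);
    printf("bounded setter keeps neighbours: %s\n",
           bounded_setter_keeps_neighbours() ? "yes" : "no");
    return 0;
}
```

The return value of the bounded setter matters in practice: silently truncating a caller-supplied user field can hide the fact that an oversized value was received, so the caller should log it or reject the request rather than ignore it.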

Remediation

Update Asterisk to version 13.18.1, 14.7.1 or 15.1.1, depending on the branch in use.
Update Certified Asterisk to version 13.13-cert7.

External links

http://downloads.asterisk.org/pub/security/AST-2017-010.html

2) Resource exhaustion

Description

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists in the PJSIP session resource handling: session objects are not cleaned up correctly, so the resources tied to them are not released. A remote attacker can send requests that repeatedly trigger this condition, consume excessive resources and cause the application to crash.

Successful exploitation of the vulnerability results in denial of service.

Remediation

Update Asterisk to version 13.18.1, 14.7.1 or 15.1.1, depending on the branch in use.
Update Certified Asterisk to version 13.13-cert7.

External links

http://downloads.asterisk.org/pub/security/AST-2017-011.html

3) Buffer overflow

Description

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists in the pjproject component (the PJSIP library Asterisk uses) due to improper processing of invalid values in the CSeq header and in the Via header port. A remote attacker can send a SIP message carrying such crafted invalid values, trigger a buffer overflow and cause the application to crash.

Successful exploitation of the vulnerability results in denial of service.
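The following is an added illustration, not pjproject or Asterisk code: strict parsing of the two header values the advisory names, the Via sent-by port and the CSeq sequence number, so that an invalid or out-of-range value is rejected before it is stored or used. The header strings in main() are constructed samples; the ranges follow RFC 3261 (a port is 1..65535, a CSeq number is a 32-bit unsigned integer below 2^31). The function names are assumptions made for the demo.

```c
/* Added illustration of bounded SIP header value parsing; not pjproject code.
 * via_port(), cseq_number() and parse_bounded_uint() are demo names. */
#include <stdio.h>
#include <string.h>

/* Parse a run of decimal digits of the given length, rejecting anything
 * that is not a digit (sign, whitespace, letters) and any value above max.
 * The overflow check runs before the multiply, so the accumulator never wraps. */
static int parse_bounded_uint(const char *s, size_t len, unsigned long max,
                              unsigned long *out)
{
    unsigned long v = 0;
    size_t i;

    if (len == 0)
        return 0;
    for (i = 0; i < len; i++) {
        unsigned long d;
        if (s[i] < '0' || s[i] > '9')
            return 0;
        d = (unsigned long)(s[i] - '0');
        if (v > (max - d) / 10)
            return 0;
        v = v * 10 + d;
    }
    *out = v;
    return 1;
}

/* Port from a Via header value such as "SIP/2.0/UDP 192.0.2.1:5060;branch=...".
 * Returns the port, 0 when the optional port is absent, -1 when it is invalid. */
int via_port(const char *via)
{
    const char *sent_by = strchr(via, ' ');
    const char *end, *colon;
    unsigned long port;

    if (!sent_by)
        return -1;
    while (*sent_by == ' ' || *sent_by == '\t')
        sent_by++;
    end = sent_by + strcspn(sent_by, "; \t");       /* sent-by stops at params/LWS */

    if (*sent_by == '[') {                          /* IPv6 reference: port follows ']' */
        const char *close = memchr(sent_by, ']', (size_t)(end - sent_by));
        if (!close)
            return -1;
        if (close + 1 == end)
            return 0;
        if (close[1] != ':')
            return -1;
        colon = close + 1;
    } else {
        colon = memchr(sent_by, ':', (size_t)(end - sent_by));
        if (!colon)
            return 0;
    }
    if (!parse_bounded_uint(colon + 1, (size_t)(end - colon - 1), 65535UL, &port)
        || port == 0)
        return -1;
    return (int)port;
}

/* Sequence number from a CSeq value such as "4711 INVITE". Returns 1 and
 * stores the number when it is in range and a method token follows, else 0. */
int cseq_number(const char *cseq, unsigned long *out)
{
    size_t digits = strcspn(cseq, " \t");
    const char *method = cseq + digits;

    if (!parse_bounded_uint(cseq, digits, 2147483647UL, out))
        return 0;
    while (*method == ' ' || *method == '\t')
        method++;
    return *method != '\0';
}

int main(void)
{
    /* constructed sample header values, valid ones first, then invalid ones */
    const char *vias[] = {
        "SIP/2.0/UDP 192.0.2.1:5060;branch=z9hG4bKabc",
        "SIP/2.0/TCP [2001:db8::1]:5061",
        "SIP/2.0/UDP 192.0.2.1:99999;branch=z9hG4bKabc",
        "SIP/2.0/UDP 192.0.2.1:-5;branch=z9hG4bKabc",
    };
    const char *cseqs[] = { "4711 INVITE", "2147483648 INVITE", "abc INVITE", "42" };
    unsigned long n;
    size_t i;

    for (i = 0; i < sizeof(vias) / sizeof(vias[0]); i++)
        printf("Via port %-48s -> %d\n", vias[i], via_port(vias[i]));
    for (i = 0; i < sizeof(cseqs) / sizeof(cseqs[0]); i++)
        printf("CSeq %-20s -> %s\n", cseqs[i],
               cseq_number(cseqs[i], &n) ? "valid" : "rejected");
    return 0;
}
```

The point of the range check before the multiply is that a signed or wrapped intermediate is exactly what turns an "invalid value" into an out-of-bounds index or size further down the stack; rejecting the header at the parser keeps the bad value from ever reaching fixed-width storage.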

Remediation

Update Asterisk to version 13.18.1, 14.7.1 or 15.1.1, depending on the branch in use.
Update Certified Asterisk to version 13.13-cert7.

External links

http://downloads.asterisk.org/pub/security/AST-2017-009.html
