Denial of service in Digium Asterisk

Published: 2017-12-21 00:00:00
Severity Low
Patch available YES
Number of vulnerabilities 1
CVSSv2 3 (AV:N/AC:L/Au:S/C:N/I:N/A:P/E:U/RL:OF/RC:C)
CVSSv3 5.5 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE ID CVE-2017-17850
CWE ID CWE-20
Exploitation vector Network
Public exploit Not available
Vulnerable software Asterisk
Vulnerable software versions Asterisk 13.18.4
Asterisk 13.18.3
Asterisk 13.18.0
Vendor URL Digium (Linux Support Services)
Advisory type Public

Security Advisory

1) Improper input validation

Description

The vulnerability allows a remote authenticated attacker to cause a DoS condition on the target system.

The vulnerability exists due to an error when processing malicious SIP data. A remote attacker can send specially crafted SIP data that lacks a Contact header, trigger an error in the PJSIP channel driver and cause the service to crash.

Successful exploitation of the vulnerability results in denial of service.
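Added example, not from this advisory or the Asterisk project: a defender-side pre-filter that parses SIP requests and flags the condition the description names, a request arriving without a Contact header. It assumes Contact is mandatory for INVITE and SUBSCRIBE requests (RFC 3261 and RFC 6665) and runs over constructed sample messages.

```python
import re

# Assumption for this example: Contact is mandatory in INVITE (RFC 3261) and
# SUBSCRIBE (RFC 6665) requests, so its absence there is anomalous traffic.
CONTACT_REQUIRED = {"INVITE", "SUBSCRIBE"}
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")

def parse_sip_request(raw):
    """Return (method, headers) for a SIP request, or None for a non-request.
    Header names are lower-cased, compact 'm' becomes 'contact', and repeated
    headers are collected in a list."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # tolerate junk lines instead of failing the parse
        name, value = line.split(":", 1)
        name = name.strip().lower()
        name = "contact" if name == "m" else name
        headers.setdefault(name, []).append(value.strip())
    return m.group(1), headers

def lacks_required_contact(raw):
    """True when a request whose method requires Contact arrives without one."""
    parsed = parse_sip_request(raw)
    if parsed is None:
        return False
    method, headers = parsed
    return method in CONTACT_REQUIRED and "contact" not in headers

def flag_requests(messages):  # keys a pre-filter should reject or alert on
    return [key for key, raw in messages.items() if lacks_required_contact(raw)]

def _req(method, extra=""):
    # Builds constructed sample traffic (not real captures) for the demo below.
    return (f"{method} sip:100@pbx.example SIP/2.0\r\nVia: SIP/2.0/UDP 192.0.2.10\r\n"
            f"From: <sip:200@pbx.example>;tag=a\r\nTo: <sip:100@pbx.example>\r\n"
            f"Call-ID: 1@192.0.2.10\r\nCSeq: 1 {method}\r\n{extra}Content-Length: 0\r\n\r\n")

SAMPLES = {
    "invite_with_contact": _req("INVITE", "Contact: <sip:200@192.0.2.10>\r\n"),
    "invite_compact_contact": _req("INVITE", "m: <sip:200@192.0.2.10>\r\n"),
    "invite_no_contact": _req("INVITE"),
    "subscribe_no_contact": _req("SUBSCRIBE"),
    "options_no_contact": _req("OPTIONS"),  # Contact is optional for OPTIONS
}
FLAGGED = flag_requests(SAMPLES)  # ['invite_no_contact', 'subscribe_no_contact']
```

Rejecting or alerting on such requests in front of the PJSIP stack is a stopgap only; the patched Asterisk release remains the fix.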

Remediation

The vulnerability is addressed in the following version.

External links

http://downloads.asterisk.org/pub/security/AST-2017-014.html
