Denial of service in Asterisk Open Source - CVE-2018-7286
Published: February 26, 2018 / Updated: June 17, 2021
Vulnerability identifier: #VU10713
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:P/U:Clear
CVE-ID: CVE-2018-7286
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
Public exploit is available
Vendor: Digium (Linux Support Services)
Affected software:
Asterisk Open Source
Asterisk Open Source
Detailed vulnerability description
The vulnerability allows a remote authenticated attacker to cause DoS condition on the target system.
The weakness exists due to improper processing of INVITE messages received via the TCP or Transport Layer Security (TLS) protocols. A remote attacker can send a series of specially crafted INVITE messages over a TCP or TLS connection, trigger a segmentation fault and cause the system to crash.
The weakness exists due to improper processing of INVITE messages received via the TCP or Transport Layer Security (TLS) protocols. A remote attacker can send a series of specially crafted INVITE messages over a TCP or TLS connection, trigger a segmentation fault and cause the system to crash.
How to mitigate CVE-2018-7286
Update to version 13.19.2, 14.7.6, 15.2.2.