Stack-based buffer overflow in Certified Asterisk and Asterisk Open Source - CVE-2018-17281


Published: September 24, 2018


Vulnerability identifier: #VU14912
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2018-17281
CWE-ID: CWE-121
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Digium (Linux Support Services)
Affected software:
Certified Asterisk
Asterisk Open Source

Detailed vulnerability description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in the HTTP websocket upgrade handling of the "res_http_websocket.so" module. A remote unauthenticated attacker can send a specially crafted HTTP request that asks to upgrade the connection to a websocket; processing that request causes a stack overflow that exhausts the handling thread's stack space and crashes the Asterisk process.

Successful exploitation of this vulnerability results in a crash of Asterisk, i.e. a denial of service. No authentication is required; the attacker only needs to reach the built-in HTTP server on which the websocket endpoint is served.
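As an added practitioner check (example code written for this page, not part of the advisory or of Asterisk itself), the script below tells you whether a given host actually exposes the websocket upgrade endpoint served by res_http_websocket.so, which is the precondition for this vulnerability. It performs only a standards-compliant RFC 6455 handshake and classifies the reply; it does not send any malformed request. Assumptions, not stated by the advisory: the websocket URI is "/ws" (the default registered by res_http_websocket; adjust if your http.conf differs), the built-in HTTP server listens on 8088/tcp, and "sip" is offered as the subprotocol because that is what SIP-over-WebSocket clients request.

```python
"""Probe whether an Asterisk host accepts an HTTP websocket upgrade.

Added example, not code from the advisory or from Asterisk. Sends a
well-formed RFC 6455 handshake only. Assumed defaults (not from the
advisory): URI /ws, port 8088/tcp, subprotocol "sip".
"""
import base64
import hashlib
import os
import socket

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed constant from RFC 6455


def new_key() -> str:
    """Sec-WebSocket-Key: 16 random bytes, base64-encoded (RFC 6455 section 4.1)."""
    return base64.b64encode(os.urandom(16)).decode("ascii")


def expected_accept(key: str) -> str:
    """Value a real websocket server must return in Sec-WebSocket-Accept for this key."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_upgrade_request(host: str, key: str, path: str = "/ws",
                          subprotocol: str = "sip") -> bytes:
    """A well-formed HTTP/1.1 upgrade request, as a SIP-over-WebSocket client sends it."""
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host}",
        "Upgrade: websocket",
        "Connection: Upgrade",
        f"Sec-WebSocket-Key: {key}",
        "Sec-WebSocket-Version: 13",
        f"Sec-WebSocket-Protocol: {subprotocol}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_upgrade_response(raw: bytes, key: str) -> dict:
    """Classify the reply: status code, and whether the server really switched
    protocols (101 plus a Sec-WebSocket-Accept that matches our key)."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    upgraded = (status == 101
                and headers.get("upgrade", "").lower() == "websocket"
                and headers.get("sec-websocket-accept") == expected_accept(key))
    return {"status": status, "upgraded": upgraded,
            "server": headers.get("server", ""),
            "subprotocol": headers.get("sec-websocket-protocol", "")}


def probe(host: str, port: int = 8088, path: str = "/ws", timeout: float = 5.0) -> dict:
    """Network check: connect, send the handshake, read the response head, classify it."""
    key = new_key()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_upgrade_request(f"{host}:{port}", key, path))
        raw = b""
        while b"\r\n\r\n" not in raw and len(raw) < 8192:
            chunk = sock.recv(1024)
            if not chunk:
                break
            raw += chunk
    return parse_upgrade_response(raw, key)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    result = probe(target)
    if result["upgraded"]:
        print(f"{target}: websocket upgrade accepted (Server: {result['server']!r}); "
              "res_http_websocket is reachable, confirm the running version is patched")
    else:
        print(f"{target}: no upgrade (HTTP {result['status']})")
```

A 101 reply whose Sec-WebSocket-Accept matches the key means the websocket module is loaded and reachable from where you ran the probe, so the host needs the vendor fix or the exposure reductions listed under mitigation; a 404 or connection refusal means the endpoint is not exposed on that address and port.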



How to mitigate CVE-2018-17281

Install the fixed release published by the vendor. Until the update is applied, reduce the exposure of the built-in HTTP server: if websocket transport is not needed, keep the module from loading ("noload => res_http_websocket.so" in modules.conf) or disable the HTTP server entirely ("enabled=no" in http.conf); otherwise restrict "bindaddr" in http.conf and firewall the HTTP port (8088/tcp by default) so that only trusted networks can reach it.

Sources