Buffer overflow in Certified Asterisk and Asterisk Open Source - #VU9147
Published: November 9, 2017
Vulnerability identifier: #VU9147
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-120
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Digium (Linux Support Services)
Affected software:
Certified Asterisk
Asterisk Open Source
Certified Asterisk
Asterisk Open Source
Detailed vulnerability description
The vulnerability allows a remote authenticated attacker to cause DoS condition on the target system.
The weakness exists in CDR's set user due to buffer overflow when setting the user field for Party B on a call detail record (CDR). A remote attacker can send large string that is designed to write past the end of the user field storage buffer and cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
The weakness exists in CDR's set user due to buffer overflow when setting the user field for Party B on a call detail record (CDR). A remote attacker can send large string that is designed to write past the end of the user field storage buffer and cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
Remediation
Update Asterisk to version 13.18.1, 14.7.1, 15.1.1.
Update Certified Asterisk to version 13.13-cert7.
Update Certified Asterisk to version 13.13-cert7.