Main Vulnerability Database Vulnerabilities #VU9148

Resource exhaustion in Certified Asterisk and Asterisk Open Source - #VU9148

Published: November 9, 2017

Vulnerability identifier: #VU9148

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: N/A

CWE-ID: CWE-400

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Digium (Linux Support Services)

Affected software:
Certified Asterisk
Asterisk Open Source

Detailed vulnerability description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists in pjsip session resource due to insufficient handling of session objects. A remote attacker can submit specially crafted session objects for processing, consume excessive resources and cause the application to crash.

Successful exploitation of the vulnerability results in denial of service.

Remediation

Update Asterisk to version 13.18.1, 14.7.1, 15.1.1.
Update Certified Asterisk to version 13.13-cert7.

Sources

http://downloads.asterisk.org/pub/security/AST-2017-011.html

Resource exhaustion in Certified Asterisk and Asterisk Open Source - #VU9148

Detailed vulnerability description

Remediation

Sources

Please verify you're human