#VU9147 Buffer overflow in Certified Asterisk and Asterisk Open Source
Vulnerability identifier: #VU9147
Vulnerability risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-120
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Certified Asterisk
Server applications /
Conferencing, Collaboration and VoIP solutions
Asterisk Open Source
Server applications /
Conferencing, Collaboration and VoIP solutions
Vendor: Digium (Linux Support Services)
Description
The vulnerability allows a remote authenticated attacker to cause DoS condition on the target system.
The weakness exists in CDR's set user due to buffer overflow when setting the user field for Party B on a call detail record (CDR). A remote attacker can send large string that is designed to write past the end of the user field storage buffer and cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
Mitigation
Update Asterisk to version 13.18.1, 14.7.1, 15.1.1.
Update Certified Asterisk to version 13.13-cert7.
Vulnerable software versions
Certified Asterisk: 13.13
Asterisk Open Source: 13.0.0 - 13.18.0, 14.0 - 14.7.0, 15.0.0 - 15.1.0
External links
http://downloads.asterisk.org/pub/security/AST-2017-010.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
