#VU9147 Buffer overflow in Certified Asterisk and Asterisk Open Source
Published: November 9, 2017
Vulnerability identifier: #VU9147
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-120
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Certified Asterisk
Asterisk Open Source
Certified Asterisk
Asterisk Open Source
Software vendor:
Digium (Linux Support Services)
Digium (Linux Support Services)
Description
The vulnerability allows a remote authenticated attacker to cause DoS condition on the target system.
The weakness exists in CDR's set user due to buffer overflow when setting the user field for Party B on a call detail record (CDR). A remote attacker can send large string that is designed to write past the end of the user field storage buffer and cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
The weakness exists in CDR's set user due to buffer overflow when setting the user field for Party B on a call detail record (CDR). A remote attacker can send large string that is designed to write past the end of the user field storage buffer and cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
Remediation
Update Asterisk to version 13.18.1, 14.7.1, 15.1.1.
Update Certified Asterisk to version 13.13-cert7.
Update Certified Asterisk to version 13.13-cert7.