#VU9736 Improper input validation in Asterisk Open Source - CVE-2017-17850
Published: December 23, 2017 / Updated: December 25, 2017
Vulnerability identifier: #VU9736
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2017-17850
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Asterisk Open Source
Asterisk Open Source
Software vendor:
Digium (Linux Support Services)
Digium (Linux Support Services)
Description
The vulnerability allows a remote authenticated attacker to cause DoS condition on the target system.
The vulnerability exists due to an error when processing malicious SIP data. A remote attacker can send specially crafted SIP data without a contact header, trigger an error in the PJSIP channel driver and cause the service to crash.
Successful exploitation of the vulnerability results in denial of service.
Remediation
The vulnerability is addressed in the following version.