PT-2017-13574 · Sangoma · Asterisk
Richard Mudgett
+1
·
Published
2017-10-03
·
Updated
2017-11-05
·
CVE-2017-14603
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Asterisk versions 11.x through 11.25.2
Asterisk versions 13.x through 13.17.1
Asterisk versions 14.x through 14.6.1
Certified Asterisk versions 11.x through 11.6-cert17
Certified Asterisk versions 13.x through 13.13-cert5
Description
The issue is related to insufficient RTCP packet validation, which could allow reading stale buffer contents. When combined with the
nat and symmetric rtp options, it allows redirecting where Asterisk sends the next RTCP report.Recommendations
For Asterisk versions 11.x through 11.25.2, update to version 11.25.3 or later.
For Asterisk versions 13.x through 13.17.1, update to version 13.17.2 or later.
For Asterisk versions 14.x through 14.6.1, update to version 14.6.2 or later.
For Certified Asterisk versions 11.x through 11.6-cert17, update to version 11.6-cert18 or later.
For Certified Asterisk versions 13.x through 13.13-cert5, update to version 13.13-cert6 or later.
Fix
Information Disclosure
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Asterisk