PT-2017-15045 · Sangoma · Asterisk

Ross Beer

Published: 2017-12-23 · Updated: 2018-11-25 · CVE-2017-17850

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Asterisk versions 13.18.4 and older
Asterisk versions 14.7.4 and older
Asterisk versions 15.1.4 and older
Asterisk versions 13.18-cert1 and older

Description

An issue was discovered where certain SIP messages can cause Asterisk to crash if the contact header is not present and the PJSIP channel driver is used. The severity of this issue is somewhat mitigated if authentication is enabled, as a user would have to be authorized first before reaching the point where the crash occurs.

Recommendations

For Asterisk versions 13.18.4 and older, consider disabling the PJSIP channel driver until a patch is available.
For Asterisk versions 14.7.4 and older, consider disabling the PJSIP channel driver until a patch is available.
For Asterisk versions 15.1.4 and older, consider disabling the PJSIP channel driver until a patch is available.
For Asterisk versions 13.18-cert1 and older, consider disabling the PJSIP channel driver until a patch is available.

Fix

RCE

Weakness Enumeration

Related Identifiers

CVE-2017-17850

Affected Products

Asterisk