PT-2018-17999 · Sangoma · Asterisk
Sébastien Duthil · Published 2018-02-22 · Updated 2018-03-21 · CVE-2018-7285
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Asterisk versions 15.x through 15.2.1
Description
A NULL pointer access issue was discovered in the RTP support of Asterisk. The issue arises when an RTP packet is received and the internal registry of dynamic codecs and desired payload numbers is consulted. If the payload number corresponds to a codec of a different type than the RTP stream, a crash can occur if no stream of that type has been negotiated. This is due to the code incorrectly assuming that a stream of that type would always exist.
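The lookup pattern described above, as an added example that is not Asterisk source code: a payload number resolves to a codec media type, and the stream slot for that type is checked for NULL before use. All names here (`session`, `payload_media`, `deliver_rtp`) are hypothetical, and the payload mappings are constructed sample values.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model for illustration; not Asterisk source code. */
enum media_type { MEDIA_AUDIO, MEDIA_VIDEO, MEDIA_TYPE_COUNT };

struct stream { int packets_accepted; };

struct session {
    /* One slot per media type; NULL when that type was never negotiated. */
    struct stream *streams[MEDIA_TYPE_COUNT];
    /* Payload number -> media type of the mapped codec, -1 if unmapped. */
    int payload_media[128];
};

void session_init(struct session *s, struct stream *audio, struct stream *video)
{
    s->streams[MEDIA_AUDIO] = audio;
    s->streams[MEDIA_VIDEO] = video;
    for (int i = 0; i < 128; i++)
        s->payload_media[i] = -1;
}

/* Returns 0 when the packet is handed to a stream, -1 when it is dropped. */
int deliver_rtp(struct session *s, unsigned payload)
{
    if (payload >= 128 || s->payload_media[payload] < 0)
        return -1;                      /* payload number not in the registry */

    struct stream *target = s->streams[s->payload_media[payload]];
    /* Flawed assumption: a stream of the codec's type always exists, so
     * `target` is used unchecked. The check below drops the packet instead. */
    if (target == NULL)
        return -1;
    target->packets_accepted++;
    return 0;
}

int main(void)
{
    struct stream audio = { 0 };
    struct session s;
    session_init(&s, &audio, NULL);     /* constructed: audio-only call */
    s.payload_media[96] = MEDIA_AUDIO;  /* constructed payload mappings */
    s.payload_media[97] = MEDIA_VIDEO;
    printf("payload 96: %d\n", deliver_rtp(&s, 96));
    printf("payload 97: %d\n", deliver_rtp(&s, 97));
    return 0;
}
```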
Recommendations
For Asterisk versions 15.x through 15.2.1, update to a version that contains a fix for this issue to prevent potential crashes.
Fix
NULL Pointer Dereference
Weakness Enumeration
Related Identifiers
Affected Products
Asterisk