PT-2018-18000 · Sangoma · Asterisk

Alfred Farrugia

Published 2018-02-22 · Updated 2019-10-03

CVE-2018-7286

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Asterisk versions 13.19.1 and earlier, 14.x through 14.7.5, and 15.x through 15.2.1; Certified Asterisk versions 13.18-cert2 and earlier.

Description

A remote authenticated SIP user can crash Asterisk by sending a number of SIP INVITE messages over a TCP or TLS connection handled by the res_pjsip stack and then abruptly closing that connection. Asterisk then dies with a segmentation fault, terminating every active call on the system (denial of service). The CVSS vector reflects this: reachable over the network, low attack complexity, valid credentials required, no user interaction, and an impact limited to availability.

Recommendations

Upgrade to a release of Asterisk or Certified Asterisk that includes the fix for CVE-2018-7286 (Debian ships it via DSA-4320-1). Until the upgrade is done, reduce exposure of the res_pjsip TCP and TLS transports: restrict the networks that can reach them with a firewall or ACL, do not configure TCP or TLS transports in pjsip.conf if UDP suffices, and keep SIP credentials strong and unused accounts disabled, since the trigger requires authentication. Where PJSIP is not in use at all, unloading res_pjsip (noload => res_pjsip.so in modules.conf) removes the vulnerable code path entirely. Monitor for unexpected Asterisk restarts or core dumps, which may indicate attempts to trigger this condition.
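To turn the affected-version ranges above into a check an operator can run against a PBX, here is an added example; it is not part of this advisory and not code from the Asterisk project. It assumes version strings look like "13.19.1", "13.18-cert2" or "certified/13.18-cert2", optionally embedded in the first line printed by `asterisk -rx "core show version"` ("Asterisk 13.19.1 built by ..."); the sample strings in the block are constructed, not captured from a real host. Versions outside the listed branches (12.x, 16.x and later) are reported as not affected only because the advisory does not list them.

```python
import re
import subprocess
from typing import Optional, Tuple

# Affected ranges exactly as listed in the advisory above (inclusive upper bounds).
# Open-source branches: 13.x up to 13.19.1, 14.x up to 14.7.5, 15.x up to 15.2.1.
AFFECTED_UPPER = {13: (13, 19, 1), 14: (14, 7, 5), 15: (15, 2, 1)}
# Certified Asterisk: 13.18-cert2 and earlier, compared as (major, minor, cert).
CERT_UPPER = (13, 18, 2)

# Assumption: version strings look like "13.19.1", "13.18-cert2" or
# "certified/13.18-cert2", possibly inside "Asterisk 13.19.1 built by ...".
VERSION_RE = re.compile(r"(?:certified/)?(\d+)\.(\d+)(?:\.(\d+))?(?:-cert(\d+))?")


def parse_version(text: str) -> Optional[Tuple[Tuple[int, int, int], Optional[int]]]:
    """Return ((major, minor, patch), cert) or None if no version is found.

    cert is None for open-source releases. patch defaults to 0 when absent,
    which is how certified branches ("13.18-cert2") are written.
    """
    match = VERSION_RE.search(text)
    if match is None:
        return None
    major, minor, patch, cert = match.groups()
    version = (int(major), int(minor), int(patch or 0))
    return version, (int(cert) if cert is not None else None)


def is_affected(text: str) -> bool:
    """True if the version found in `text` lies inside a range the advisory lists."""
    parsed = parse_version(text)
    if parsed is None:
        raise ValueError(f"no Asterisk version found in {text!r}")
    (major, minor, patch), cert = parsed
    if cert is not None:
        # Certified Asterisk: "13.18-cert2 and earlier".
        return (major, minor, cert) <= CERT_UPPER
    upper = AFFECTED_UPPER.get(major)
    # Branches the advisory does not mention are not flagged.
    return upper is not None and (major, minor, patch) <= upper


def check_local_asterisk() -> bool:
    """Query the running daemon over the Asterisk CLI and classify its version."""
    out = subprocess.run(["asterisk", "-rx", "core show version"],
                         capture_output=True, text=True, check=True).stdout
    return is_affected(out.splitlines()[0])


if __name__ == "__main__":
    # Constructed sample strings, not captured from a real host.
    for sample in ("Asterisk 13.19.1 built by root @ pbx on a x86_64 running Linux",
                   "Asterisk 13.19.2 built by root @ pbx on a x86_64 running Linux",
                   "Asterisk certified/13.18-cert2 built by root @ pbx",
                   "15.2.1", "15.2.2", "16.0.0"):
        print(f"{sample!r}: affected={is_affected(sample)}")
```

Run it on the PBX itself with `check_local_asterisk()`, or feed it version strings collected from an inventory; a True result means the host is inside one of the ranges listed above and should be upgraded.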


Related Identifiers

CVE-2018-7286
DSA-4320-1

Affected Products

Asterisk