Published: 24/09/2018 Updated: 03/10/2019

CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10

CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9

VMScore: 445

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

There is a stack consumption vulnerability in the res_http_websocket.so module of Asterisk up to and including 13.23.0, 14.7.x up to and including 14.7.7, and 15.x up to and including 15.6.0 and Certified Asterisk up to and including 13.21-cert2. It allows an malicious user to crash Asterisk via a specially crafted HTTP request to upgrade the connection to a websocket.

Vulnerable Product	Search on Vulmon	Subscribe to Product
digium asterisk
digium certified asterisk 13.13
digium certified asterisk 13.1
digium certified asterisk 11.6
digium certified asterisk 13.21
digium certified asterisk 13.8
debian debian linux 8.0
debian debian linux 9.0

Multiple vulnerabilities have been discovered in Asterisk, an open source PBX and telephony toolkit, which may result in denial of service or information disclosure For the stable distribution (stretch), these problems have been fixed in version 1:13141~dfsg-2+deb9u4 We recommend that you upgrade your asterisk packages For the detailed securit ...

Debian Bug report logs - #891228 asterisk: CVE-2018-7286: AST-2018-005: Crash when large numbers of TCP connections are closed suddenly Package: src:asterisk; Maintainer for src:asterisk is Debian VoIP Team <pkg-voip-maintainers@listsaliothdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Fri, ...

Debian Bug report logs - #909554 asterisk: CVE-2018-17281: Remote crash vulnerability in HTTP websocket upgrade Package: src:asterisk; Maintainer for src:asterisk is Debian VoIP Team <pkg-voip-maintainers@listsaliothdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Tue, 25 Sep 2018 05:27:01 UT ...

Debian Bug report logs - #891227 asterisk: CVE-2018-7284: AST-2018-004: Crash when receiving SUBSCRIBE request Package: src:asterisk; Maintainer for src:asterisk is Debian VoIP Team <pkg-voip-maintainers@listsaliothdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Fri, 23 Feb 2018 15:09:02 UTC ...

Full Disclosure mailing list archives   By Date By Thread </form>    AST-2018-009: Remote crash vulnerability in HTTP websocket upgrade  <!--X-Head-of-Message-- ...

CWE-400 https://seclists.org/bugtraq/2018/Sep/53 https://issues.asterisk.org/jira/browse/ASTERISK-28013 http://www.securitytracker.com/id/1041694 http://seclists.org/fulldisclosure/2018/Sep/31 http://packetstormsecurity.com/files/149453/Asterisk-Project-Security-Advisory-AST-2018-009.html http://downloads.asterisk.org/pub/security/AST-2018-009.html http://www.securityfocus.com/bid/105389 https://lists.debian.org/debian-lts-announce/2018/09/msg00034.html https://www.debian.org/security/2018/dsa-4320 https://security.gentoo.org/glsa/201811-11 https://nvd.nist.gov https://www.debian.org/security/./dsa-4320

CVE-2018-17281

Vulnerability Summary

Vulnerability Trend

Vendor Advisories

Mailing Lists

References

Vulmon Search

About

Products

Connect