SB2017110903 - Denial of service in Digium Asterisk
Published: November 9, 2017
Security Bulletin ID
SB2017110903
Severity
Low
Patch available
YES
Number of vulnerabilities
3
Exploitation vector
Remote access
Highest impact
Denial of service
Description
This security bulletin contains information about 3 security vulnerabilities.
1) Buffer overflow (CVE-ID: N/A)
The vulnerability allows a remote authenticated attacker to cause a DoS condition on the target system. The weakness exists in the CDR set-user functionality due to a buffer overflow when setting the user field for Party B on a call detail record (CDR). A remote attacker can send a large string that is designed to write past the end of the user field storage buffer and cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
2) Resource exhaustion (CVE-ID: N/A)
The vulnerability allows a remote attacker to cause a DoS condition on the target system. The weakness exists in pjsip session resource handling due to insufficient handling of session objects. A remote attacker can submit specially crafted session objects for processing, consume excessive resources and cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
3) Buffer overflow (CVE-ID: N/A)
The vulnerability allows a remote attacker to cause a DoS condition on the target system. The weakness exists in the pjproject component due to improper processing of crafted invalid values in the CSeq header and the Via header port. A remote attacker can submit specially crafted invalid values, trigger a buffer overflow and cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
Remediation
Install the update from the vendor's website.