#VU14912 Stack-based buffer overflow in Certified Asterisk and Asterisk Open Source - CVE-2018-17281
Published: September 24, 2018
Vulnerability identifier: #VU14912
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2018-17281
CWE-ID: CWE-121
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Certified Asterisk
Asterisk Open Source
Software vendor:
Digium (Linux Support Services)
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in the "res_http_websocket.so" module when processing HTTP requests that ask to upgrade the connection to a WebSocket. A remote unauthenticated attacker can send a specially crafted HTTP upgrade request that exhausts the stack space of the thread handling the request and crashes the Asterisk process.
Successful exploitation of this vulnerability results in a denial of service: Asterisk crashes and stops handling calls until it is restarted. The vulnerable code path is only reachable through the built-in HTTP server (configured in http.conf), so systems with that server disabled or bound to loopback are not exposed to remote attackers.
Remediation
Install the fixed Asterisk Open Source or Certified Asterisk releases published by Digium for this issue. If the update cannot be applied immediately, reduce exposure by restricting the built-in HTTP server (http.conf) to loopback or to trusted networks, since the vulnerable WebSocket upgrade handling is only reachable through that server; this is a mitigation, not a fix.
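As an added example (not from this advisory and not Asterisk's own code): a script that reads an Asterisk http.conf and reports whether the built-in HTTP server, and with it the WebSocket upgrade handler in res_http_websocket.so, is reachable from beyond loopback. The http.conf keys enabled, bindaddr, bindport, tlsenable and tlsbindaddr are real Asterisk options; the defaults assumed when a key is absent (0.0.0.0:8088 for HTTP, 0.0.0.0:8089 for HTTPS) and the two sample configurations are constructed for the example.

```python
"""Report whether an Asterisk http.conf exposes the HTTP/WebSocket listener
beyond loopback. Added example, not part of Asterisk or of the advisory."""
import ipaddress
from typing import Dict, List, Tuple

YES_VALUES = ("yes", "true", "on", "1")


def parse_asterisk_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for Asterisk-style .conf files:
    [section] headers, key = value lines, ';' comments."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop ';' comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def _split_host_port(value: str, default_port: str) -> Tuple[str, str]:
    """Split 'addr', 'addr:port' or '[v6addr]:port' into (addr, port)."""
    if value.startswith("["):
        host, _, rest = value[1:].partition("]")
        return host, rest.lstrip(":") or default_port
    if value.count(":") == 1:                # IPv4 'addr:port'
        host, _, port = value.partition(":")
        return host, port or default_port
    return value, default_port               # bare IPv4 or bare IPv6


def _reachable_beyond_loopback(addr: str) -> bool:
    try:
        return not ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return True   # hostname or unparseable value: assume exposed


def websocket_exposure(conf_text: str) -> List[str]:
    """Return findings for listeners through which an HTTP -> WebSocket
    upgrade request could reach res_http_websocket from another host."""
    general = parse_asterisk_conf(conf_text).get("general", {})
    findings: List[str] = []
    if general.get("enabled", "no").lower() not in YES_VALUES:
        return findings   # HTTP server off: upgrade handler unreachable

    # Assumed defaults when keys are absent (not taken from the advisory).
    addr, port = _split_host_port(general.get("bindaddr", "0.0.0.0"),
                                  general.get("bindport", "8088"))
    if _reachable_beyond_loopback(addr):
        findings.append(f"http listener {addr}:{port} reachable beyond loopback")

    if general.get("tlsenable", "no").lower() in YES_VALUES:
        addr, port = _split_host_port(general.get("tlsbindaddr", "0.0.0.0:8089"),
                                      "8089")
        if _reachable_beyond_loopback(addr):
            findings.append(f"https listener {addr}:{port} reachable beyond loopback")
    return findings


# Constructed sample configurations for the example.
EXPOSED_CONF = """\
[general]
enabled = yes
bindaddr = 0.0.0.0   ; listens on every interface
bindport = 8088
tlsenable = yes
tlsbindaddr = 0.0.0.0:8089
"""

HARDENED_CONF = """\
[general]
enabled = yes
bindaddr = 127.0.0.1 ; only local clients can reach the upgrade path
bindport = 8088
tlsenable = no
"""

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, websocket_exposure(conf) or ["no remote exposure"])
```

Run it against /etc/asterisk/http.conf before and after hardening. A loopback-only listener removes the remote attack surface only if no remote WebRTC or ARI clients need the WebSocket endpoint; where they do, the vendor update is the only real fix.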