Vulnerability Details CVE-2018-17281
There is a stack consumption vulnerability in the res_http_websocket.so module of Asterisk through 13.23.0, 14.7.x through 14.7.7, and 15.x through 15.6.0 and Certified Asterisk through 13.21-cert2. It allows an attacker to crash Asterisk via a specially crafted HTTP request to upgrade the connection to a websocket.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.806
EPSS Ranking 99.1%
CVSS Severity
CVSS v3 Score 7.5
CVSS v2 Score 5.0
References
- http://downloads.asterisk.org/pub/security/AST-2018-009.html
- http://packetstormsecurity.com/files/149453/Asterisk-Project-Security-Advisory-AST-2018-009.html
- http://seclists.org/fulldisclosure/2018/Sep/31
- http://www.securityfocus.com/bid/105389
- http://www.securitytracker.com/id/1041694
- https://issues.asterisk.org/jira/browse/ASTERISK-28013
- https://lists.debian.org/debian-lts-announce/2018/09/msg00034.html
- https://seclists.org/bugtraq/2018/Sep/53
- https://security.gentoo.org/glsa/201811-11
- https://www.debian.org/security/2018/dsa-4320
- http://downloads.asterisk.org/pub/security/AST-2018-009.html
- http://packetstormsecurity.com/files/149453/Asterisk-Project-Security-Advisory-AST-2018-009.html
- http://seclists.org/fulldisclosure/2018/Sep/31
- http://www.securityfocus.com/bid/105389
- http://www.securitytracker.com/id/1041694
- https://issues.asterisk.org/jira/browse/ASTERISK-28013
- https://lists.debian.org/debian-lts-announce/2018/09/msg00034.html
- https://seclists.org/bugtraq/2018/Sep/53
- https://security.gentoo.org/glsa/201811-11
- https://www.debian.org/security/2018/dsa-4320
Products affected by CVE-2018-17281
-
cpe:2.3:a:digium:asterisk:13.0.0
-
cpe:2.3:a:digium:asterisk:13.1.0
-
cpe:2.3:a:digium:asterisk:13.10.0
-
cpe:2.3:a:digium:asterisk:13.11.0
-
cpe:2.3:a:digium:asterisk:13.12.0
-
cpe:2.3:a:digium:asterisk:13.12.1
-
cpe:2.3:a:digium:asterisk:13.12.2
-
cpe:2.3:a:digium:asterisk:13.13.0
-
cpe:2.3:a:digium:asterisk:13.14.0
-
cpe:2.3:a:digium:asterisk:13.15.0
-
cpe:2.3:a:digium:asterisk:13.16.0
-
cpe:2.3:a:digium:asterisk:13.17.0
-
cpe:2.3:a:digium:asterisk:13.18.0
-
cpe:2.3:a:digium:asterisk:13.19.0
-
cpe:2.3:a:digium:asterisk:13.2.0
-
cpe:2.3:a:digium:asterisk:13.20.0
-
cpe:2.3:a:digium:asterisk:13.21.0
-
cpe:2.3:a:digium:asterisk:13.22.0
-
cpe:2.3:a:digium:asterisk:13.23.0
-
cpe:2.3:a:digium:asterisk:13.3.0
-
cpe:2.3:a:digium:asterisk:13.4.0
-
cpe:2.3:a:digium:asterisk:13.5.0
-
cpe:2.3:a:digium:asterisk:13.6.0
-
cpe:2.3:a:digium:asterisk:13.7.0
-
cpe:2.3:a:digium:asterisk:13.8.0
-
cpe:2.3:a:digium:asterisk:13.8.1
-
cpe:2.3:a:digium:asterisk:13.8.2
-
cpe:2.3:a:digium:asterisk:13.9.0
-
cpe:2.3:a:digium:asterisk:14.0.0
-
cpe:2.3:a:digium:asterisk:14.0.1
-
cpe:2.3:a:digium:asterisk:14.0.2
-
cpe:2.3:a:digium:asterisk:14.01
-
cpe:2.3:a:digium:asterisk:14.02
-
cpe:2.3:a:digium:asterisk:14.1
-
cpe:2.3:a:digium:asterisk:14.1.0
-
cpe:2.3:a:digium:asterisk:14.1.1
-
cpe:2.3:a:digium:asterisk:14.1.2
-
cpe:2.3:a:digium:asterisk:14.2
-
cpe:2.3:a:digium:asterisk:14.2.0
-
cpe:2.3:a:digium:asterisk:14.2.1
-
cpe:2.3:a:digium:asterisk:14.3.0
-
cpe:2.3:a:digium:asterisk:14.3.1
-
cpe:2.3:a:digium:asterisk:14.4.0
-
cpe:2.3:a:digium:asterisk:14.4.1
-
cpe:2.3:a:digium:asterisk:14.5.0
-
cpe:2.3:a:digium:asterisk:14.6.0
-
cpe:2.3:a:digium:asterisk:14.6.1
-
cpe:2.3:a:digium:asterisk:14.6.2
-
cpe:2.3:a:digium:asterisk:14.7.0
-
cpe:2.3:a:digium:asterisk:14.7.1
-
cpe:2.3:a:digium:asterisk:14.7.2
-
cpe:2.3:a:digium:asterisk:14.7.3
-
cpe:2.3:a:digium:asterisk:14.7.4
-
cpe:2.3:a:digium:asterisk:14.7.5
-
cpe:2.3:a:digium:asterisk:14.7.6
-
cpe:2.3:a:digium:asterisk:14.7.7
-
cpe:2.3:a:digium:asterisk:15.0.0
-
cpe:2.3:a:digium:asterisk:15.1.0
-
cpe:2.3:a:digium:asterisk:15.2.0
-
cpe:2.3:a:digium:asterisk:15.3.0
-
cpe:2.3:a:digium:asterisk:15.4.0
-
cpe:2.3:a:digium:asterisk:15.5.0
-
cpe:2.3:a:digium:asterisk:15.6.0
-
cpe:2.3:a:digium:certified_asterisk:11.6
-
cpe:2.3:a:digium:certified_asterisk:13.1
-
cpe:2.3:a:digium:certified_asterisk:13.13
-
cpe:2.3:a:digium:certified_asterisk:13.21
-
cpe:2.3:a:digium:certified_asterisk:13.8
-
cpe:2.3:o:debian:debian_linux:8.0
-
cpe:2.3:o:debian:debian_linux:9.0