Asterisk Security Team
2018-Feb-21 21:57 UTC
[asterisk-announce] AST-2018-005: Crash when large numbers of TCP connections are closed suddenly
Asterisk Project Security Advisory - AST-2018-005

Product: Asterisk
Summary: Crash when large numbers of TCP connections are closed suddenly
Nature of Advisory: Remote Crash
Susceptibility: Remote Authenticated Sessions
Severity: Moderate
Exploits Known: No
Reported On: January 24, 2018
Reported By: Sandro Gauci
Posted On: February 21, 2018
Last Updated On: February 21, 2018
Advisory Contact: gjoseph AT digium DOT com
CVE Name: CVE-2018-7286

Description:
A crash occurs when a number of authenticated INVITE messages are sent over TCP or TLS and then the connection is suddenly closed. This issue leads to a segmentation fault.

Resolution:
A patch to Asterisk is available that prevents the crash by locking the underlying transport until a response is sent.

Affected Versions:
  Product                   Release Series   Affected
  Asterisk Open Source      13.x             All Versions
  Asterisk Open Source      14.x             All Versions
  Asterisk Open Source      15.x             All Versions
  Certified Asterisk        13.18            All Versions

Corrected In:
  Asterisk Open Source      13.19.2, 14.7.6, 15.2.2
  Certified Asterisk        13.18-cert3

Patches:
  http://downloads.asterisk.org/pub/security/AST-2018-005-13.diff      Asterisk 13
  http://downloads.asterisk.org/pub/security/AST-2018-005-14.diff      Asterisk 14
  http://downloads.asterisk.org/pub/security/AST-2018-005-15.diff      Asterisk 15
  http://downloads.asterisk.org/pub/security/AST-2018-005-13.18.diff   Certified Asterisk 13.18

Links:
  https://issues.asterisk.org/jira/browse/ASTERISK-27618
  http://downloads.asterisk.org/pub/security/AST-2018-005.html

Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2018-005.pdf and http://downloads.digium.com/pub/security/AST-2018-005.html

Revision History:
  Date                Editor           Revisions Made
  February 6, 2018    George Joseph    Initial Revision

Asterisk Project Security Advisory - AST-2018-005
Copyright © 2018 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.
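For triage, the affected and corrected versions above can be turned into a small checker. This is an added example, not Digium's or the Asterisk project's code; the version-string grammar (e.g. "13.19.1", "13.18-cert2") is assumed from the release names in the advisory.

```python
import re

# Corrected-in versions from AST-2018-005 (CVE-2018-7286), keyed by release series.
FIXED_OPEN_SOURCE = {
    13: (13, 19, 2),
    14: (14, 7, 6),
    15: (15, 2, 2),
}
# Certified Asterisk 13.18: fixed in 13.18-cert3.
CERT_SERIES, CERT_FIXED_LEVEL = (13, 18), 3

# Assumed version grammar: major.minor[.patch][-certN]
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-cert(\d+))?$")


def parse_version(text):
    """Return ((major, minor, patch), cert_level_or_None); raise on junk input."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Asterisk version string: {text!r}")
    major, minor, patch, cert = m.groups()
    return (int(major), int(minor), int(patch or 0)), (int(cert) if cert else None)


def is_vulnerable(text):
    """True if the advisory lists the version as affected and it predates the fix,
    False if it carries the fix, None if the series is not covered by the advisory."""
    nums, cert = parse_version(text)
    if cert is not None:
        # Certified builds: only the 13.18 series is listed in the advisory.
        if nums[:2] != CERT_SERIES:
            return None
        return cert < CERT_FIXED_LEVEL
    fixed = FIXED_OPEN_SOURCE.get(nums[0])
    if fixed is None:
        return None  # e.g. 11.x/12.x are not mentioned; do not guess
    return nums < fixed


if __name__ == "__main__":
    for v in ("13.19.1", "13.19.2", "14.7.6", "15.1.0", "13.18-cert2", "12.8.2"):
        print(f"{v:>12}: {is_vulnerable(v)}")
```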