Asterisk Security Team
2017-Aug-31 19:32 UTC
[asterisk-announce] AST-2017-007: Remote Crash Vulnerability in res_pjsip
Asterisk Project Security Advisory - AST-2017-007

Product:             Asterisk
Summary:             Remote Crash Vulnerability in res_pjsip
Nature of Advisory:  Denial of Service
Susceptibility:      Remote Unauthenticated Sessions
Severity:            Moderate
Exploits Known:      No
Reported On:         August 30, 2017
Reported By:         Ross Beer
Posted On:
Last Updated On:     August 30, 2017
Advisory Contact:    George Joseph <gjoseph AT digium DOT com>
CVE Name:

Description
  A carefully crafted URI in a From, To or Contact header could cause Asterisk to crash.

Resolution
  Patched pjsip_message_ip_updater to properly ignore the trigger URI.

Affected Versions
  Product               Release Series
  Asterisk Open Source  13.15.0
  Asterisk Open Source  14.4.0

Corrected In
  Product               Release
  Asterisk Open Source  13.17.1, 14.6.1

Patches
  SVN URL                                                          Revision
  http://downloads.asterisk.org/pub/security/AST-2017-007-13.diff  Asterisk 13
  http://downloads.asterisk.org/pub/security/AST-2017-007-14.diff  Asterisk 14

Links
  https://issues.asterisk.org/jira/browse/ASTERISK-27152

Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/.pdf and http://downloads.digium.com/pub/security/.html

Revision History
  Date             Editor         Revisions Made
  August 30, 2017  George Joseph  Initial document created

Asterisk Project Security Advisory - Copyright (c) 2017 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.
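The practical question an operator has after reading the tables above is whether a given installation sits inside the vulnerable window. The script below is an added example, not part of the advisory or the Asterisk project; it assumes, from the Affected Versions and Corrected In tables, that the 13 series is affected from 13.15.0 up to but not including 13.17.1 and the 14 series from 14.4.0 up to but not including 14.6.1, and it assumes the version banner printed by `asterisk -V` starts with "Asterisk X.Y.Z". The `AFFECTED_WINDOWS` table, `parse_version`, `is_affected` and `classify` are names chosen for this example.

```python
"""Classify an Asterisk build against the AST-2017-007 affected window.

Added example (not from the advisory or the Asterisk project).  The version
windows below are an interpretation of the advisory's tables: first affected
release up to, but not including, the first corrected release per series.
"""
import re
import subprocess
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Per release series: (first affected, first corrected), from the advisory.
AFFECTED_WINDOWS: Dict[int, Tuple[Version, Version]] = {
    13: ((13, 15, 0), (13, 17, 1)),
    14: ((14, 4, 0), (14, 6, 1)),
}

# Assumed banner format, e.g. "Asterisk 13.15.0 built by ..."; certified
# builds ("Asterisk certified/...") deliberately do not match.
_VERSION_RE = re.compile(r"\bAsterisk\s+(\d+)\.(\d+)\.(\d+)")


def parse_version(banner: str) -> Optional[Version]:
    """Extract (major, minor, patch) from a version banner, or None."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: Version) -> bool:
    """True when version lies in [first_affected, first_corrected)."""
    window = AFFECTED_WINDOWS.get(version[0])
    if window is None:
        return False  # series not listed in the advisory
    first_affected, first_corrected = window
    # Tuple comparison orders (major, minor, patch) lexicographically.
    return first_affected <= version < first_corrected


def classify(banner: str) -> str:
    """Return 'affected', 'not affected' or 'unknown' for a banner string."""
    version = parse_version(banner)
    if version is None:
        return "unknown"
    return "affected" if is_affected(version) else "not affected"


def classify_installed() -> str:
    """Run `asterisk -V` on this host and classify the result."""
    try:
        out = subprocess.run(
            ["asterisk", "-V"], capture_output=True, text=True, check=False
        ).stdout
    except FileNotFoundError:
        return "unknown"  # asterisk binary not on PATH
    return classify(out)


if __name__ == "__main__":
    # Constructed sample banners, then the live check on this host.
    for sample in ("Asterisk 13.15.0", "Asterisk 13.17.1", "Asterisk 14.5.2"):
        print(f"{sample:<20} -> {classify(sample)}")
    print(f"{'installed':<20} -> {classify_installed()}")
```

Only the two series named in the advisory are checked; any other major version reports "not affected" because the advisory says nothing about it, so a reader running this on a series it does not list should treat that answer as "not covered here" rather than as a clean bill of health.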