Asterisk Project Security Advisory - AST-2017-004 Product Asterisk Summary Memory exhaustion on short SCCP packets Nature of Advisory Denial of Service Susceptibility Remote Unauthenticated Sessions Severity Critical Exploits Known No Reported On April 13, 2017 Reported By Sandro Gauci Posted On Last Updated On April 13, 2017 Advisory Contact George Joseph CVE Name Description A remote memory exhaustion can be triggered by sending an SCCP packet to Asterisk system with “chan_skinny” enabled that is larger than the length of the SCCP header but smaller than the packet length specified in the header. The loop that reads the rest of the packet doesn’t detect that the call to read() returned end-of-file before the expected number of bytes and continues infinitely. The “partial data” message logging in that tight loop causes Asterisk to exhaust all available memory. Resolution If support for the SCCP protocol is not required, remove or disable the module. If support for SCCP is required, an upgrade to Asterisk will be necessary. Affected Versions Product Release Series Asterisk Open Source 11.x Unaffected Asterisk Open Source 13.x All versions Asterisk Open Source 14.x All versions Certified Asterisk 13.13 All versions Corrected In Product Release Asterisk Open Source 13.15.1, 14.4.1 Certified Asterisk 13.13-cert4 Patches SVN URL Revision Links Asterisk Project Security Advisories are posted at http://www.asterisk.org/security This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/.pdf and http://downloads.digium.com/pub/security/.html Revision History Date Editor Revisions Made 13 April 2017 George Joseph Initial report created Asterisk Project Security Advisory - Copyright © 2017 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.