Asterisk
Project Security Advisory -
|
Product |
Asterisk |
|
Summary |
Infinite loop when reading iostreams |
|
Nature of Advisory |
Denial of Service |
|
Susceptibility |
Remote Authenticated Sessions |
|
Severity |
Critical |
|
Exploits Known |
No |
|
Reported On |
April 16, 2018 |
|
Reported By |
Sean Bright |
|
Posted On |
June 11, 2018 |
|
Last Updated On |
|
|
Advisory Contact |
Kevin Harwell <kharwell AT digium DOT com> |
|
CVE Name |
CVE-2018-12228 |
|
Description |
When connected to Asterisk via TCP/TLS if the client abruptly disconnects, or sends a specially crafted message then Asterisk gets caught in an infinite loop while trying to read the data stream. Thus rendering the system as unusable.
|
|
Resolution |
Stricter error checking is now done when iostreams encounters a problem. When an error occurs during reading it is now properly handled, and continued reading is appropriately stopped.
|
|
Affected Versions |
||
|
Product |
Release Series |
|
|
Asterisk Open Source |
15.x |
All Releases |
|
|
|
|
|
Corrected In |
|
|
Product |
Release |
|
Asterisk Open Source |
15.4.1 |
|
|
|
|
Patches |
|
|
SVN URL |
Revision |
|
http://downloads.asterisk.org/pub/security/ |
Asterisk 15 |
|
|
|
|
Links |
https://issues.asterisk.org/jira/browse/ASTERISK-27807 |
|
Asterisk Project Security Advisories are posted at http://www.asterisk.org/security This document may be superseded by later
versions; if so, the latest version will be posted at
http://downloads.digium.com/pub/security/ |
|
Revision History |
||
|
Date |
Editor |
Revisions Made |
|
April 25, 2018 |
Kevin Harwell |
Initial Revision |
|
June 12, 2018 |
Kevin Harwell |
Added CVE |
Asterisk
Project Security Advisory -
Copyright
©
Permission is hereby granted
to distribute and publish this advisory in its original, unaltered
form.