Asterisk Project Security Advisory - AST-2018-009

Product

Asterisk

Summary

Remote crash vulnerability in HTTP websocket upgrade

Nature of Advisory

Denial Of Service

Susceptibility

Remote Unauthenticated Sessions

Severity

Moderate

Exploits Known

No

Reported On

August 16, 2018

Reported By

Sean Bright

Posted On


Last Updated On

September 20, 2018

Advisory Contact

Rmudgett AT digium DOT com

CVE Name

CVE-2018-17281



Description

There is a stack overflow vulnerability in the res_http_websocket.so module of Asterisk that allows a remote, unauthenticated attacker to crash Asterisk via a specially crafted HTTP request to upgrade the connection to a websocket. The attacker's request causes Asterisk to run out of stack space and crash. Note that "stack overflow" here means exhaustion of the thread's stack (stack consumption), not an overflow of a stack buffer, so the impact is a denial of service rather than code execution. Because the upgrade request is handled by Asterisk's built-in HTTP server before any application-level authentication takes place, any host that can reach the HTTP listener can trigger the crash.


Resolution

Disable HTTP websocket access by not loading the res_http_websocket.so module (for example, with a "noload => res_http_websocket.so" line in the [modules] section of modules.conf, followed by a restart), or upgrade Asterisk to a fixed version. Be aware that other modules depend on res_http_websocket.so, in particular res_pjsip_transport_websocket.so and the websocket transport of chan_sip.so, so disabling it also disables SIP over WebSocket (WebRTC clients) until the upgrade is applied.


Affected Versions

Product                 Release Series   Affected
Asterisk Open Source    13.x             All releases
Asterisk Open Source    14.x             All releases
Asterisk Open Source    15.x             All releases
Certified Asterisk      13.21            All releases


Corrected In

Product                 Release
Asterisk Open Source    13.23.1, 14.7.8, 15.6.1
Certified Asterisk      13.21-cert3
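The Resolution section tells an operator to either upgrade past the "Corrected In" releases or stop loading res_http_websocket.so. The following POSIX shell helper is an added example for this advisory, not part of the advisory or of the Asterisk project: it classifies an Asterisk version string against the fixed releases listed above (13.23.1, 14.7.8, 15.6.1 and 13.21-cert3), and, when an Asterisk binary is present, reports the running version and whether the vulnerable module is loaded. The function names (vercmp, ast2018_009_status) are the example's own; the asterisk -V and asterisk -rx "module show like ..." invocations and the modules.conf noload syntax are standard Asterisk interfaces. It assumes that pre-release and distribution suffixes (for example "-rc1" or "~dfsg-1") can be treated as the base release they are attached to; verify such builds by hand.

```shell
#!/bin/sh
# Added example for AST-2018-009: decide whether an Asterisk version contains
# the fix. Not advisory or project code; names and assumptions are the
# example's own.

# Compare two dotted numeric versions; prints -1, 0 or 1 like strcmp.
# Missing trailing components count as 0, so "13.23" < "13.23.1".
vercmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        # Drop the component just consumed (empty when nothing is left).
        case "$a" in *.*) a=${a#*.} ;; *) a= ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return 0; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
    return 0
}

# Print "fixed", "affected" or "not-listed" for a version string such as
# "13.23.0", "Asterisk 14.7.8", "15.6.0-rc1" or "13.21-cert2".
# "not-listed" means the series is not in this advisory's Affected Versions
# table (for example 16.x or other Certified branches); it is not a clean bill.
ast2018_009_status() {
    v=${1#Asterisk }                      # strip the "asterisk -V" prefix
    case "$v" in
        *-cert*)
            base=${v%%-cert*}
            n=${v##*-cert}; n=${n%%[!0-9]*}   # numeric cert level only
            if [ "$base" != "13.21" ]; then printf '%s\n' not-listed; return 0; fi
            # Certified 13.21: cert1 and cert2 are affected, cert3 is fixed.
            if [ "${n:-0}" -ge 3 ]; then printf '%s\n' fixed; else printf '%s\n' affected; fi
            return 0 ;;
    esac
    v=${v%%[!0-9.]*}                      # assumption: drop -rc1, ~dfsg-1, ...
    case "${v%%.*}" in
        13) want=13.23.1 ;;
        14) want=14.7.8 ;;
        15) want=15.6.1 ;;
        *)  printf '%s\n' not-listed; return 0 ;;
    esac
    if [ "$(vercmp "$v" "$want")" -ge 0 ]; then printf '%s\n' fixed; else printf '%s\n' affected; fi
    return 0
}

# Live check on this host; skipped when no Asterisk binary is installed.
if command -v asterisk >/dev/null 2>&1; then
    running=$(asterisk -V 2>/dev/null || true)
    printf 'running: %s -> %s\n' "$running" "$(ast2018_009_status "$running")"
    # Shows whether the vulnerable module is loaded in the running instance
    # (requires a running Asterisk; errors are ignored otherwise).
    asterisk -rx 'module show like res_http_websocket' 2>/dev/null || true
    # Interim mitigation from the Resolution section, applied by hand:
    #   [modules]
    #   noload => res_http_websocket.so
    # in /etc/asterisk/modules.conf, then restart Asterisk.
fi
```

The "not-listed" outcome is deliberately separate from "fixed": the advisory only enumerates 13.x, 14.x, 15.x and Certified 13.21, so a version outside those series has to be judged from the vendor's own release notes rather than assumed safe.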




Patches

Patch URL                                                            Branch
http://downloads.asterisk.org/pub/security/AST-2018-009-13.diff      Asterisk 13
http://downloads.asterisk.org/pub/security/AST-2018-009-14.diff      Asterisk 14
http://downloads.asterisk.org/pub/security/AST-2018-009-15.diff      Asterisk 15
http://downloads.asterisk.org/pub/security/AST-2018-009-13.21.diff   Certified Asterisk 13.21



Links

https://issues.asterisk.org/jira/browse/ASTERISK-28013


Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2018-009.pdf and http://downloads.digium.com/pub/security/AST-2018-009.html


Revision History

Date                  Editor             Revisions Made
August 31, 2018       Richard Mudgett    Initial revision
September 20, 2018    Richard Mudgett    Added CVE name.


Copyright © 2018 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.