Product

Asterisk

Summary

DOS Vulnerability in Asterisk chan_skinny

Nature of Advisory

Denial of Service

Susceptibility

Remote Unauthenticated Sessions

Severity

Moderate

Exploits Known

Yes

Reported On

November 30, 2017

Reported By

Juan Sacco

Posted On

December 1, 2017

Last Updated On

December 4, 2017

Advisory Contact

gjoseph AT digium DOT com

CVE Name

CVE-2017-17090

Description

If the chan_skinny (AKA SCCP protocol) channel driver is flooded with certain requests it can cause the asterisk process to use excessive amounts of virtual memory eventually causing asterisk to stop processing requests of any kind.

Resolution

The chan_skinny driver has been updated to release memory allocations in a correct manner thereby preventing any possiblity of exhaustion.

Affected Versions

Product

Release Series

Asterisk Open Source

13.x

All Versions

Asterisk Open Source

14.x

All Versions

Asterisk Open Source

15.x

All Versions

Certified Asterisk

13.13

All Versions

Corrected In

Product

Release

Asterisk Open Source

13.18.3, 14.7.3, 15.1.3

Certified Asterisk

13.13-cert8

Patches

SVN URL

Revision

http://downloads.asterisk.org/pub/security/AST-2017-013-13.diff

Asterisk 13

http://downloads.asterisk.org/pub/security/AST-2017-013-14.diff

Asterisk 14

http://downloads.asterisk.org/pub/security/AST-2017-013-15.diff

Asterisk 15

http://downloads.asterisk.org/pub/security/AST-2017-013-13.13.diff

Certified Asterisk 13.13

Links

https://issues.asterisk.org/jira/browse/ASTERISK-27452

http://downloads.asterisk.org/pub/security/AST-2017-013.html

Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2017-013.pdf and http://downloads.digium.com/pub/security/AST-2017-013.html

Revision History

Date

Editor

Revisions Made

November 30, 2017

George Joseph

Initial Revision

December 4, 2017

George Joseph

Add CVE