Asterisk Project Security Advisory - AST-2018-005

Product

Asterisk

Summary

Crash when large numbers of TCP connections are closed suddenly

Nature of Advisory

Remote Crash

Susceptibility

Remote Authenticated Sessions

Severity

Moderate

Exploits Known

No

Reported On

January 24, 2018

Reported By

Sandro Gauci

Posted On

February 21, 2018

Last Updated On

February 21, 2018

Advisory Contact

gjoseph AT digium DOT com

CVE Name

CVE-2018-7286



Description

A crash occurs when a number of authenticated INVITE messages are sent over TCP or TLS and then the connection is suddenly closed. This issue leads to a segmentation fault.


Resolution

A patch to asterisk is available that prevents the crash by locking the underlying transport until a response is sent.



Affected Versions

Product

Release Series


Asterisk Open Source

13.x

All Versions

Asterisk Open Source

14.x

All Versions

Asterisk Open Source

15.x

All Versions

Certified Asterisk

13.18

All Versions


Corrected In

Product

Release

Asterisk Open Source

13.19.2, 14.7.6, 15.2.2

Certified Asterisk

13.18-cert3


Patches

SVN URL

Revision

http://downloads.asterisk.org/pub/security/AST-2018-005-13.diff

Asterisk 13

http://downloads.asterisk.org/pub/security/AST-2018-005-14.diff

Asterisk 14

http://downloads.asterisk.org/pub/security/AST-2018-005-15.diff

Asterisk 15

http://downloads.asterisk.org/pub/security/AST-2018-005-13.18.diff

Certified Asterisk 13.18



Links

https://issues.asterisk.org/jira/browse/ASTERISK-27618

http://downloads.asterisk.org/pub/security/AST-2018-005.html


Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2018-005.pdf and http://downloads.digium.com/pub/security/AST-2018-005.html


Revision History

Date

Editor

Revisions Made

February 6, 2018

George Joseph

Initial Revision





Asterisk Project Security Advisory - AST-2018-005
Copyright © 2018 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.