|
|
|||
| Rule General Information |
|---|
| Release Date: | 2018-11-05 | |
| Rule Name: | Digium Asterisk res_http_websocket HTTP Upgrade Request Denial of Service Vulnerability(CVE-2018-17281) | |
| Severity: | ||
| CVE ID: | ||
| Rule Protection Details |
|---|
| Description: | There is a stack consumption vulnerability in the res_http_websocket.so module of Asterisk through 13.23.0, 14.7.x through 14.7.7, and 15.x through 15.6.0 and Certified Asterisk through 13.21-cert2. It allows an attacker to crash Asterisk via a specially crafted HTTP request to upgrade the connection to a websocket. | |
| Impact: | An attacker can launch a denial of service attack by exploiting the vulnerability successfully. | |
| Affected OS: | Network Device, Solaris, FreeBSD, Windows, Mac OS, iOS, Other Unix, Linux, Others, Android | |
| Reference: | http://downloads.asterisk.org/pub/security/AST-2018-009.html http://packetstormsecurity.com/files/149453/Asterisk-Project-Security-Advisory-AST-2018-009.html http://seclists.org/fulldisclosure/2018/Sep/31 SecurityFocusBID:105389 SecurityTrackerID:1041694 https://issues.asterisk.org/jira/browse/ASTERISK-28013 https://lists.debian.org/debian-lts-announce/2018/09/msg00034.html https://seclists.org/bugtraq/2018/Sep/53 https://www.debian.org/security/2018/dsa-4320 |
|
| Solutions |
|---|
| The vendor has issued a fix (13.23.1, 14.7.8, 15.6.1). The vendor advisory is available at http://downloads.asterisk.org/pub/security/AST-2018-009.html |