CVE-2017-17090
Asterisk 13.17.2 - 'chan_skinny' Remote Memory Corruption
Severity Score
7.5
*CVSS v3
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
1
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
An issue was discovered in chan_skinny.c in Asterisk Open Source 13.18.2 and older, 14.7.2 and older, and 15.1.2 and older, and Certified Asterisk 13.13-cert7 and older. If the chan_skinny (aka SCCP protocol) channel driver is flooded with certain requests, it can cause the asterisk process to use excessive amounts of virtual memory, eventually causing asterisk to stop processing requests of any kind.
Se ha descubierto un problema en chan_skinny.c en Asterisk Open Source en versiones 13.18.2 y anteriores, 14.7.2 y anteriores y 15.1.2 y anteriores y en Certified Asterisk 13.13-cert7 y anteriores. Si el controlador de canal chan_skinny (tambiƩn conocido como protocolo SCCP) se inunda a base de determinadas peticiones, puede provocar que el proceso de asterisk utilice cantidades excesivas de memoria virtual, finalmente provocando que asterisk deje de procesar cualquier tipo de peticiones.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2017-12-01 CVE Reserved
- 2017-12-02 CVE Published
- 2023-06-03 EPSS Updated
- 2024-08-05 CVE Updated
- 2024-08-05 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-459: Incomplete Cleanup
CAPEC
References (7)
| URL | Tag | Source |
|---|---|---|
| http://www.securityfocus.com/bid/102023 | Third Party Advisory | |
| http://www.securitytracker.com/id/1039948 | Vdb Entry | |
| https://lists.debian.org/debian-lts-announce/2017/12/msg00028.html | Mailing List |
|
| URL | Date | SRC |
|---|---|---|
| https://www.exploit-db.com/exploits/43992 | 2024-08-05 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| http://downloads.digium.com/pub/security/AST-2017-013.html | 2019-10-03 | |
| https://issues.asterisk.org/jira/browse/ASTERISK-27452 | 2019-10-03 | |
| https://www.debian.org/security/2017/dsa-4076 | 2019-10-03 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Digium Search vendor "Digium" | Certified Asterisk Search vendor "Digium" for product "Certified Asterisk" | <= 13.13 Search vendor "Digium" for product "Certified Asterisk" and version " <= 13.13" | - |
Affected
| ||||||
| Digium Search vendor "Digium" | Certified Asterisk Search vendor "Digium" for product "Certified Asterisk" | 13.13 Search vendor "Digium" for product "Certified Asterisk" and version "13.13" | cert1 |
Affected
| ||||||
| Digium Search vendor "Digium" | Certified Asterisk Search vendor "Digium" for product "Certified Asterisk" | 13.13 Search vendor "Digium" for product "Certified Asterisk" and version "13.13" | cert1_rc1 |
Affected
| ||||||
| Digium Search vendor "Digium" | Certified Asterisk Search vendor "Digium" for product "Certified Asterisk" | 13.13 Search vendor "Digium" for product "Certified Asterisk" and version "13.13" | cert1_rc2 |
Affected
| ||||||
| Digium Search vendor "Digium" | Certified Asterisk Search vendor "Digium" for product "Certified Asterisk" | 13.13 Search vendor "Digium" for product "Certified Asterisk" and version "13.13" | cert1_rc3 |
Affected
| ||||||
| Digium Search vendor "Digium" | Certified Asterisk Search vendor "Digium" for product "Certified Asterisk" | 13.13 Search vendor "Digium" for product "Certified Asterisk" and version "13.13" | cert1_rc4 |
Affected
| ||||||
| Digium Search vendor "Digium" | Certified Asterisk Search vendor "Digium" for product "Certified Asterisk" | 13.13 Search vendor "Digium" for product "Certified Asterisk" and version "13.13" | cert2 |
Affected
| ||||||
| Digium Search vendor "Digium" | Certified Asterisk Search vendor "Digium" for product "Certified Asterisk" | 13.13 Search vendor "Digium" for product "Certified Asterisk" and version "13.13" | cert3 |
Affected
| ||||||
| Digium Search vendor "Digium" | Certified Asterisk Search vendor "Digium" for product "Certified Asterisk" | 13.13 Search vendor "Digium" for product "Certified Asterisk" and version "13.13" | cert4 |
Affected
| ||||||
| Digium Search vendor "Digium" | Certified Asterisk Search vendor "Digium" for product "Certified Asterisk" | 13.13 Search vendor "Digium" for product "Certified Asterisk" and version "13.13" | cert5 |
Affected
| ||||||
| Digium Search vendor "Digium" | Certified Asterisk Search vendor "Digium" for product "Certified Asterisk" | 13.13 Search vendor "Digium" for product "Certified Asterisk" and version "13.13" | cert6 |
Affected
| ||||||
| Digium Search vendor "Digium" | Certified Asterisk Search vendor "Digium" for product "Certified Asterisk" | 13.13 Search vendor "Digium" for product "Certified Asterisk" and version "13.13" | cert7 |
Affected
| ||||||
| Digium Search vendor "Digium" | Asterisk Search vendor "Digium" for product "Asterisk" | <= 13.8.2 Search vendor "Digium" for product "Asterisk" and version " <= 13.8.2" | - |
Affected
| ||||||
| Digium Search vendor "Digium" | Asterisk Search vendor "Digium" for product "Asterisk" | <= 14.7.2 Search vendor "Digium" for product "Asterisk" and version " <= 14.7.2" | - |
Affected
| ||||||
| Digium Search vendor "Digium" | Asterisk Search vendor "Digium" for product "Asterisk" | <= 15.1.2 Search vendor "Digium" for product "Asterisk" and version " <= 15.1.2" | - |
Affected
| ||||||