CVE-2017-17850
Gentoo Linux Security Advisory 201811-11
- Public Exploits: 0
- Exploited in Wild: -
Descriptions
An issue was discovered in Asterisk 13.18.4 and older, 14.7.4 and older, 15.1.4 and older, and 13.18-cert1 and older. A select set of SIP messages create a dialog in Asterisk. Those SIP messages must contain a contact header. For those messages, if the header was not present and the PJSIP channel driver was used, Asterisk would crash. The severity of this vulnerability is somewhat mitigated if authentication is enabled. If authentication is enabled, a user would have to first be authorized before reaching the crash point.
Multiple vulnerabilities have been found in Asterisk, the worst of which could result in a Denial of Service condition. Versions less than 13.23.1 are affected.
SSVC
- Decision: -
Timeline
- 2017-12-22 CVE Reserved
- 2017-12-23 CVE Published
- 2024-08-05 CVE Updated
- 2025-03-30 EPSS Updated
- Exploited in Wild: -
- KEV Due Date: -
- First Exploit: -
CWE
- CWE-20: Improper Input Validation
References (4)
URL | Tag | Source
---|---|---
http://www.securitytracker.com/id/1040056 | Third Party Advisory | 

URL | Date | SRC
---|---|---
http://downloads.asterisk.org/pub/security/AST-2017-014.html | 2018-11-25 | 
https://issues.asterisk.org/jira/browse/ASTERISK-27480 | 2018-11-25 | 
https://security.gentoo.org/glsa/201811-11 | 2018-11-25 | 
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Digium | Asterisk | >= 13.0.0 <= 13.18.4 | - | Affected
Digium | Asterisk | >= 14.0.0 <= 14.7.4 | - | Affected
Digium | Asterisk | >= 15.0.0 <= 15.1.4 | - | Affected
Digium | Certified Asterisk | 13.1.0 | - | Affected
Digium | Certified Asterisk | 13.1.0 | rc1 | Affected
Digium | Certified Asterisk | 13.1.0 | rc2 | Affected
Digium | Certified Asterisk | 13.8 | cert1 | Affected