[asterisk-announce] AST-2018-006: WebSocket frames with 0 sized payload causes DoS

Asterisk Security Team security at asterisk.org
Wed Feb 21 15:57:22 CST 2018


               Asterisk Project Security Advisory - AST-2018-006

         Product        Asterisk                                              
         Summary        WebSocket frames with 0 sized payload causes DoS      
    Nature of Advisory  Denial of Service                                     
      Susceptibility    Remote Unauthenticated Sessions                       
         Severity       Moderate                                              
      Exploits Known    No                                                    
       Reported On      February 05, 2018                                     
       Reported By      Sean Bright                                           
        Posted On       February 21, 2018                                     
     Last Updated On    February 21, 2018                                     
     Advisory Contact   bford AT digium DOT com                               
         CVE Name       CVE-2018-7287                                         

    Description  When reading a websocket, the length was not being checked.  
                 If a payload of length 0 was read, it would result in a      
                 busy loop that waited for the underlying connection to       
                 close.                                                       

    Resolution  A patch to asterisk is available that checks for payloads of  
                size 0 before attempting to read them. By default, Asterisk   
                does not enable the HTTP server, which means it is not        
                vulnerable to this problem. If the HTTP server is enabled,    
                you can disable it if you do not need it. Otherwise, the      
                patch provided with this security vulnerability can be        
                applied. Either of these approaches will resolve the          
                problem.                                                      

                               Affected Versions       
                         Product                       Release  
                                                       Series   
                  Asterisk Open Source                  15.x    All versions  

                                  Corrected In         
                         Product                              Release         
                  Asterisk Open Source                        15.2.2          

                                    Patches                          
                                SVN URL                              Revision 
   http://downloads.asterisk.org/pub/security/AST-2018-006-15.diff   Asterisk 
                                                                     15       

    Links  https://issues.asterisk.org/jira/browse/ASTERISK-27658             
                                                                              
           http://downloads.asterisk.org/pub/security/AST-2018-006.html       

    Asterisk Project Security Advisories are posted at                        
    http://www.asterisk.org/security                                          
                                                                              
    This document may be superseded by later versions; if so, the latest      
    version will be posted at                                                 
    http://downloads.digium.com/pub/security/AST-2018-006.pdf and             
    http://downloads.digium.com/pub/security/AST-2018-006.html                

                                Revision History  
                        Date                       Editor    Revisions Made   
    February 15, 2018                             Ben Ford  Initial Revision  
    February 21, 2018                             Ben Ford  Added CVE Name    

               Asterisk Project Security Advisory - AST-2018-006
               Copyright © 2018 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.



More information about the asterisk-announce mailing list