[asterisk-security] AST-2018-009: Remote crash vulnerability in HTTP websocket upgrade

Asterisk Security Team security at asterisk.org
Thu Sep 20 15:59:10 CDT 2018


               Asterisk Project Security Advisory - AST-2018-009

         Product        Asterisk                                              
         Summary        Remote crash vulnerability in HTTP websocket upgrade  
    Nature of Advisory  Denial Of Service                                     
      Susceptibility    Remote Unauthenticated Sessions                       
         Severity       Moderate                                              
      Exploits Known    No                                                    
       Reported On      August 16, 2018                                       
       Reported By      Sean Bright                                           
        Posted On       
     Last Updated On    September 20, 2018                                    
     Advisory Contact   Rmudgett AT digium DOT com                            
         CVE Name       CVE-2018-17281                                        

    Description  There is a stack overflow vulnerability in the               
                 res_http_websocket.so module of Asterisk that allows an      
                 attacker to crash Asterisk via a specially crafted HTTP      
                 request to upgrade the connection to a websocket. The        
                 attacker’s request causes Asterisk to run out of stack       
                 space and crash.                                             

    Resolution  Disable HTTP websocket access by not loading the              
                res_http_websocket.so module or upgrade Asterisk to a fixed   
                version.                                                      

                               Affected Versions       
                         Product                       Release  
                                                       Series   
                  Asterisk Open Source                  13.x    All releases  
                  Asterisk Open Source                  14.x    All releases  
                  Asterisk Open Source                  15.x    All releases  
                   Certified Asterisk                   13.21   All releases  

                                  Corrected In
          Product                              Release                        
    Asterisk Open Source               13.23.1, 14.7.8, 15.6.1                
     Certified Asterisk                      13.21-cert3                      

                                     Patches                          
                                SVN URL                               Revision  
   http://downloads.asterisk.org/pub/security/AST-2018-009-13.diff    Asterisk  
                                                                      13        
   http://downloads.asterisk.org/pub/security/AST-2018-009-14.diff    Asterisk  
                                                                      14        
   http://downloads.asterisk.org/pub/security/AST-2018-009-15.diff    Asterisk  
                                                                      15        
   http://downloads.asterisk.org/pub/security/AST-2018-009-13.21.diff Certified 
                                                                      Asterisk  
                                                                      13.21     

    Links  https://issues.asterisk.org/jira/browse/ASTERISK-28013             

    Asterisk Project Security Advisories are posted at                        
    http://www.asterisk.org/security                                          
                                                                              
    This document may be superseded by later versions; if so, the latest      
    version will be posted at                                                 
    http://downloads.digium.com/pub/security/AST-2018-009.pdf and             
    http://downloads.digium.com/pub/security/AST-2018-009.html                

                                Revision History
                    Date                       Editor        Revisions Made   
    August 31, 2018                        Richard Mudgett  Initial revision  
    September 20, 2018                     Richard Mudgett  Added CVE name.   

               Asterisk Project Security Advisory - AST-2018-009
               Copyright © 2018 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.



More information about the asterisk-security mailing list