SB2018050601 - Fedora 27 update for asterisk

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Improper input validation (CVE-ID: CVE-2018-7285)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to improper input validation. A remote attacker can send a specially crafted RTP data during SDP negotiation, trigger a payload number error and cause the service to crash.

2) Integer overflow (CVE-ID: CVE-2018-1000098)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists in pjmedia SDP parsing due to integer overflow. A remote attacker can submit a specially crafted message, trigger memory corruption and cause the service to crash.

3) Buffer overflow (CVE-ID: CVE-2017-16671)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to boundary error when setting the user field for Party B on a CDR. A remote unauthenticated attacker can send a specially-crafted request, trigger memory corruption and execute arbitrary code with elevated privileges.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

4) Memory leak (CVE-ID: CVE-2017-16672)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to memory leak in pjsip session resource. A remote unauthenticated attacker can send a specially-crafted request, exhaust available memory and cause the system to crash.

Remediation

Install update from vendor's website.

References

• https://bodhi.fedoraproject.org/updates/FEDORA-2018-cf1dd2166b