#VU10713 Denial of service in Asterisk Open Source - CVE-2018-7286
Published: February 26, 2018 / Updated: June 17, 2021
Vulnerability identifier: #VU10713
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:P/U:Clear
CVE-ID: CVE-2018-7286
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
Public exploit is available
Vulnerable software:
Asterisk Open Source
Asterisk Open Source
Software vendor:
Digium (Linux Support Services)
Digium (Linux Support Services)
Description
The vulnerability allows a remote authenticated attacker to cause DoS condition on the target system.
The weakness exists due to improper processing of INVITE messages received via the TCP or Transport Layer Security (TLS) protocols. A remote attacker can send a series of specially crafted INVITE messages over a TCP or TLS connection, trigger a segmentation fault and cause the system to crash.
The weakness exists due to improper processing of INVITE messages received via the TCP or Transport Layer Security (TLS) protocols. A remote attacker can send a series of specially crafted INVITE messages over a TCP or TLS connection, trigger a segmentation fault and cause the system to crash.
Remediation
Update to version 13.19.2, 14.7.6, 15.2.2.