Digium Asterisk Compound RTCP Out-Of-Bounds Write
TSL ID: TSL20171214-02
CVE ID(s): CVE-2017-17664
Severity: Moderate
Description

An out-of-bounds write vulnerability exists in Digium Asterisk. The vulnerability is due to improper handling of compound RTCP packets.

A remote, authenticated attacker can exploit this vulnerability by sending a specially crafted RTCP packet to the target server. Successful exploitation could cause denial-of-service conditions or, in the worst case, arbitrary code execution in the security context of Asterisk.
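
The length check a receiver needs when walking a compound RTCP packet, as an added Python example that is neither Asterisk's code nor a reconstruction of the exact code path fixed in AST-2017-012: each sub-packet's header length is validated against the bytes that actually remain before anything is indexed, and malformed input is rejected rather than trusted. The SSRC, CNAME and sample packets are constructed for the example.

```python
import struct

RTCP_HDR = 4  # fixed header: V/P/count, PT, length (RFC 3550 section 6.4.1)

def parse_compound_rtcp(buf: bytes):
    """Return [(pt, count, size_bytes), ...] for each packet in a compound RTCP buffer.
    Every length field is checked against the bytes that actually remain, so a forged
    header can never drive a read or write past the buffer; raises ValueError instead."""
    packets, off = [], 0
    while off < len(buf):
        remaining = len(buf) - off
        if remaining < RTCP_HDR:
            raise ValueError(f"truncated RTCP header at offset {off}")
        b0, pt, length_words = struct.unpack_from("!BBH", buf, off)
        version, padding, count = b0 >> 6, (b0 >> 5) & 1, b0 & 0x1F
        if version != 2:
            raise ValueError(f"bad RTCP version {version} at offset {off}")
        size = (length_words + 1) * 4  # header length is in 32-bit words minus one
        if size > remaining:
            raise ValueError(f"packet at offset {off} declares {size} bytes, {remaining} remain")
        if padding and not (0 < buf[off + size - 1] <= size - RTCP_HDR):
            raise ValueError(f"invalid padding count at offset {off}")
        packets.append((pt, count, size))
        off += size
    return packets

def is_well_formed(buf: bytes) -> bool:
    """Accept/reject wrapper a receiver would call before touching the payload."""
    try:
        parse_compound_rtcp(buf)
        return True
    except ValueError:
        return False

# Constructed samples (made-up SSRC and CNAME): a Sender Report with no report
# blocks followed by an SDES chunk carrying one CNAME item.
def build_sr(ssrc: int) -> bytes:
    return struct.pack("!BBHIIIIII", 0x80, 200, 6, ssrc, 0, 0, 0, 0, 0)

def build_sdes(ssrc: int, cname: bytes) -> bytes:
    body = struct.pack("!I", ssrc) + bytes([1, len(cname)]) + cname + b"\x00"
    body += b"\x00" * (-len(body) % 4)  # pad the chunk to a 32-bit boundary
    return struct.pack("!BBH", 0x81, 202, len(body) // 4) + body

GOOD = build_sr(0x1234) + build_sdes(0x1234, b"test")
FORGED = bytearray(GOOD)
FORGED[30:32] = b"\xff\xff"  # SDES length field now claims 256 KiB that are not there
FORGED = bytes(FORGED)
TRUNCATED = GOOD[:30]  # second header cut off part-way through
```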

The vendor, Digium, has released the following advisory regarding this vulnerability:

http://downloads.asterisk.org/pub/security/AST-2017-012.html

Affected Products
  • Digium Asterisk Open Source 13.x prior to 13.18.4
  • Digium Asterisk Open Source 14.x prior to 14.7.4
  • Digium Asterisk Open Source 15.x prior to 15.1.4
  • Digium Certified Asterisk prior to 13.13-cert9
CVSS Score
Base 7.5 (AV:N/AC:M/Au:S/C:P/I:P/A:C):
  • Access vector is NETWORK
  • Access complexity is MEDIUM
  • Level of authentication required is SINGLE
  • Impact of this vulnerability on data confidentiality is PARTIAL
  • Impact of this vulnerability on data integrity is PARTIAL
  • Impact of this vulnerability on data availability is COMPLETE
Temporal 5.5 (E:U/RL:OF/RC:C):
  • The exploitability level of this vulnerability is UNPROVEN
  • The remediation level of this vulnerability is OFFICIAL FIX
  • The report confidence level of this vulnerability is CONFIRMED
References
  • http://downloads.asterisk.org/pub/security/AST-2017-012.html