Authentication flaw

2017-12-2717:08:00

PRIOn knowledge base

www.prio-n.com

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.5 High

AI Score

Confidence

High

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.929 High

EPSS

Percentile

99.0%

JSON

An issue was discovered in Asterisk 13.18.4 and older, 14.7.4 and older, 15.1.4 and older, and 13.18-cert1 and older. A select set of SIP messages create a dialog in Asterisk. Those SIP messages must contain a contact header. For those messages, if the header was not present and the PJSIP channel driver was used, Asterisk would crash. The severity of this vulnerability is somewhat mitigated if authentication is enabled. If authentication is enabled, a user would have to first be authorized before reaching the crash point.

CPENameOperatorVersion
asteriskge13.0.0
asteriskle13.18.4
asteriskge14.0.0
asteriskle14.7.4
asteriskge15.0.0
asteriskle15.1.4
certified_asteriskeq13.1.0 rc1
certified_asteriskeq13.8 cert1
certified_asteriskeq13.1.0
certified_asteriskeq13.1.0 rc2

Name	Operator	Version
asterisk	ge	13.0.0
asterisk	le	13.18.4
asterisk	ge	14.0.0
asterisk	le	14.7.4
asterisk	ge	15.0.0
asterisk	le	15.1.4
certified_asterisk	eq	13.1.0 rc1
certified_asterisk	eq	13.8 cert1
certified_asterisk	eq	13.1.0
certified_asterisk	eq	13.1.0 rc2