Asterisk PJSIP: crash via repeated INVITE messages over TCP/TLS
Published on Feb 22, 2018 in CVE-2018-7286, asterisk, pjsip, denial of service, security advisory
- Authors:
  - Alfred Farrugia alfred@enablesecurity.com
  - Sandro Gauci sandro@enablesecurity.com
- Latest vulnerable version: Asterisk 15.2.0 running `chan_pjsip` installed with `--with-pjproject-bundled`
- References: AST-2018-005, CVE-2018-7286
- Enable Security Advisory: https://www.enablesecurity.com/advisories/ES2018-04-asterisk-pjsip-tcp-segfault/
- Vendor Advisory: http://downloads.asterisk.org/pub/security/AST-2018-005.html
- Tested vulnerable versions: 15.2.0, 15.1.0, 15.0.0, 13.19.0, 13.11.2, 14.7.5
- Timeline:
  - Issue reported to vendor: 2018-01-24
  - Vendor patch made available to us: 2018-02-05
  - Vendor advisory published: 2018-02-21
  - Enable Security advisory: 2018-02-22
Description
A crash occurs when a number of INVITE messages are sent over TCP or TLS and then the connection is suddenly closed. This issue leads to a segmentation fault.
…