CVE-2017-17850

Published Dec 27, 2017

Last updated 6 years ago

CVSS high 7.5

Overview

Description: An issue was discovered in Asterisk 13.18.4 and older, 14.7.4 and older, 15.1.4 and older, and 13.18-cert1 and older. A select set of SIP messages create a dialog in Asterisk. Those SIP messages must contain a contact header. For those messages, if the header was not present and the PJSIP channel driver was used, Asterisk would crash. The severity of this vulnerability is somewhat mitigated if authentication is enabled. If authentication is enabled, a user would have to first be authorized before reaching the crash point.
Source: cve@mitre.org
NVD status: Modified

Risk scores

CVSS 3.0

Type: Primary
Base score: 7.5
Impact score: 3.6
Exploitability score: 3.9
Vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Severity: HIGH

CVSS 2.0

Type: Primary
Base score: 5
Impact score: 2.9
Exploitability score: 10
Vector string: AV:N/AC:L/Au:N/C:N/I:N/A:P

Weaknesses

nvd@nist.gov: CWE-20

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:digium:asterisk:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "FEE78C41-D7BE-4910-BB77-3DFB63690382",
            "versionEndIncluding": "13.18.4",
            "versionStartIncluding": "13.0.0"
          }
        ],
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:digium:asterisk:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "A845013E-DD73-45F2-A962-6F0A580A4E95",
            "versionEndIncluding": "14.7.4",
            "versionStartIncluding": "14.0.0"
          }
        ],
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:digium:asterisk:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "09447B7F-89BA-4FD5-8E6F-A166681A22F7",
            "versionEndIncluding": "15.1.4",
            "versionStartIncluding": "15.0.0"
          }
        ],
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:digium:certified_asterisk:13.1.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "9F68ED1E-8D2B-4AEE-B5DE-FD50338BA82D"
          },
          {
            "criteria": "cpe:2.3:a:digium:certified_asterisk:13.1.0:rc1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "EA9F296A-4932-4EA4-8B38-80856A9D6374"
          },
          {
            "criteria": "cpe:2.3:a:digium:certified_asterisk:13.1.0:rc2:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "B40673A6-2980-440A-B78E-D5C7095E3FA6"
          },
          {
            "criteria": "cpe:2.3:a:digium:certified_asterisk:13.8:cert1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "38E19C8E-9FD6-4A44-81C6-EEC91BC2CB58"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

Overview

Risk scores

CVSS 3.0

CVSS 2.0

Weaknesses

Social media

Configurations

References