CVE-2017-17090

critical-risk
Published 2017-12-02

An issue was discovered in chan_skinny.c in Asterisk Open Source 13.18.2 and older, 14.7.2 and older, and 15.1.2 and older, and Certified Asterisk 13.13-cert7 and older. If the chan_skinny (aka SCCP protocol) channel driver is flooded with certain requests, it can cause the asterisk process to use excessive amounts of virtual memory, eventually causing asterisk to stop processing requests of any kind.

Do I need to act?

!
80.6% chance of exploitation in next 30 days
EPSS score — higher than 19% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
!
1 public exploit available
43992
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10 High
NETWORK / LOW complexity

Affected Products (13)

Affected Vendors

Digium

References (14)

Vendor Advisory http://downloads.digium.com/pub/security/AST-2017-013.html
Third Party Advisory http://www.securityfocus.com/bid/102023
http://www.securitytracker.com/id/1039948
Issue Tracking https://issues.asterisk.org/jira/browse/ASTERISK-27452
https://lists.debian.org/debian-lts-announce/2017/12/msg00028.html
https://www.debian.org/security/2017/dsa-4076
https://www.exploit-db.com/exploits/43992/
Vendor Advisory http://downloads.digium.com/pub/security/AST-2017-013.html
Third Party Advisory http://www.securityfocus.com/bid/102023
http://www.securitytracker.com/id/1039948
Issue Tracking https://issues.asterisk.org/jira/browse/ASTERISK-27452
https://lists.debian.org/debian-lts-announce/2017/12/msg00028.html
https://www.debian.org/security/2017/dsa-4076
https://www.exploit-db.com/exploits/43992/
70
/ 100
critical-risk
Severity 26/34 · High
Exploitability 27/34 · High
Exposure 17/34 · Moderate