CVE-2017-9358

high-risk
Published 2017-06-02

A memory exhaustion vulnerability exists in Asterisk Open Source 13.x before 13.15.1 and 14.x before 14.4.1 and Certified Asterisk 13.13 before 13.13-cert4, which can be triggered by sending specially crafted SCCP packets causing an infinite loop and leading to memory exhaustion (by message logging in that loop).

Do I need to act?

~
1.2% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10 High
NETWORK / LOW complexity

Affected Products (20)

Certified Asterisk
Certified Asterisk
Certified Asterisk

Affected Vendors

Asterisk Sangoma

References (8)

Third Party Advisory http://downloads.asterisk.org/pub/security/AST-2017-004.txt
Third Party Advisory http://www.securityfocus.com/bid/98573
http://www.securitytracker.com/id/1038531
Mailing List https://bugs.debian.org/863906
Third Party Advisory http://downloads.asterisk.org/pub/security/AST-2017-004.txt
Third Party Advisory http://www.securityfocus.com/bid/98573
http://www.securitytracker.com/id/1038531
Mailing List https://bugs.debian.org/863906
56
/ 100
high-risk
Severity 26/34 · High
Exploitability 4/34 · Minimal
Exposure 26/34 · High