CVE-2017-9372
high-risk
Published 2017-06-02
PJSIP, as used in Asterisk Open Source 13.x before 13.15.1 and 14.x before 14.4.1, Certified Asterisk 13.13 before 13.13-cert4, and other products, allows remote attackers to cause a denial of service (buffer overflow and application crash) via a SIP packet with a crafted CSeq header in conjunction with a Via header that lacks a branch parameter.
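The trigger the description names, as an added screening example (not code from the Asterisk or PJSIP projects): a function that parses a raw SIP request and reports whether the top Via header lacks a branch parameter and whether the CSeq header looks crafted, flagging the combination. The page does not say what makes a CSeq "crafted"; the checks used here (oversized or non-token method, method differing from the request line) and the length threshold are assumptions, and the sample messages are constructed for illustration.

```python
"""Screen raw SIP requests for the two CVE-2017-9372 trigger conditions.

Added example; not code from Asterisk or PJSIP. The CVE text names only
(a) a Via header with no branch parameter and (b) a "crafted" CSeq header.
What "crafted" means is not stated, so the CSeq checks below (oversized or
non-token method, method not matching the request line) are assumptions.
The sample messages are constructed for illustration.
"""
import re

MAX_SANE_METHOD_LEN = 32                           # assumed threshold; real methods are short
CSEQ_RE = re.compile(r"^(\d+)\s+(\S+)$")           # "<sequence number> <method>"
TOKEN_RE = re.compile(r"^[A-Za-z0-9.!%*_+`'~-]+$")  # RFC 3261 token characters
BRANCH_RE = re.compile(r";\s*branch\s*=", re.IGNORECASE)


def parse_headers(raw):
    """Return (request/status line, headers). Header names are lower-cased and
    the compact form 'v' is expanded to 'via'; repeated headers keep order."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name = name.strip().lower()
        if name == "v":
            name = "via"
        headers.setdefault(name, []).append(value.strip())
    return lines[0], headers


def check_message(raw):
    """Report whether one message shows the CVE-2017-9372 trigger pattern."""
    start_line, hdrs = parse_headers(raw)
    result = {"via_missing_branch": False, "cseq_suspicious": False, "reasons": []}

    # Condition (a): topmost Via without ';branch='. That is the RFC 2543-style
    # matching path, where the transaction key is derived from other headers,
    # CSeq among them, rather than from the branch token.
    vias = hdrs.get("via", [])
    if vias:
        top_via = vias[0].split(",", 1)[0]          # only the topmost Via value matters
        if not BRANCH_RE.search(top_via):
            result["via_missing_branch"] = True
            result["reasons"].append("top Via has no branch parameter")

    # Condition (b): CSeq that does not look like a normal "<number> <METHOD>".
    cseqs = hdrs.get("cseq", [])
    if cseqs:
        m = CSEQ_RE.match(cseqs[0])
        if not m:
            result["cseq_suspicious"] = True
            result["reasons"].append("CSeq is not '<number> <method>'")
        else:
            method = m.group(2)
            req_method = start_line.split(" ", 1)[0]
            is_request = not start_line.startswith("SIP/2.0")
            if len(method) > MAX_SANE_METHOD_LEN:
                result["cseq_suspicious"] = True
                result["reasons"].append(f"CSeq method token is {len(method)} chars long")
            elif not TOKEN_RE.match(method):
                result["cseq_suspicious"] = True
                result["reasons"].append("CSeq method contains non-token characters")
            elif is_request and method != req_method:
                result["cseq_suspicious"] = True
                result["reasons"].append("CSeq method differs from request-line method")

    result["matches_cve_pattern"] = result["via_missing_branch"] and result["cseq_suspicious"]
    return result


# Constructed sample messages (RFC 5737 documentation addresses).
BENIGN = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@example.net>;tag=1928301774\r\n"
    "To: <sip:bob@example.net>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Length: 0\r\n\r\n"
)
LEGACY = BENIGN.replace(";branch=z9hG4bK776asdhds", "")                   # no branch, normal CSeq
SUSPECT = LEGACY.replace("CSeq: 314159 INVITE", "CSeq: 1 " + "A" * 600)  # no branch, oversized method

if __name__ == "__main__":
    for name, msg in (("benign", BENIGN), ("legacy", LEGACY), ("suspect", SUSPECT)):
        print(name, check_message(msg))
```

A branch-less Via on its own is only an RFC 2543-era message and is not flagged as the CVE pattern; the screen reports the combination, so the two conditions can be tuned separately when running it over captured traffic.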
Do I need to act?
EPSS: 3.7% chance of exploitation in the next 30 days (moderate exploit probability)
CISA KEV: not listed; no confirmed active exploitation reported to CISA
Patch status: not tracked on this page; the version bounds in the description (Asterisk 13.15.1, 14.4.1, Certified Asterisk 13.13-cert4) are the fixed releases named in AST-2017-002
CVSS 7.5/10 (High): attack vector NETWORK, LOW attack complexity
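A check against the version ranges the description gives, as an added example (not Asterisk project code): it parses an Asterisk version string and returns the first fixed release the CVE text names, or None when the version falls outside those ranges. The accepted formats ("13.14.0", "Asterisk 14.3.1", "13.13-cert3") are assumptions about how versions are reported; a None result means "not in the advisory's ranges", not "verified safe", since PJSIP also ships in other products.

```python
"""Check an Asterisk version string against the ranges CVE-2017-9372 names.

Added example, not from the Asterisk project. Ranges come from the CVE
description: 13.x before 13.15.1, 14.x before 14.4.1, and Certified Asterisk
13.13 before 13.13-cert4. A version outside those ranges is reported as not
in the advisory's ranges, which is not the same as verified safe.
"""
import re

# Accepts "13.14.0", "Asterisk 14.3.1", "13.13-cert3"; the optional prefix and
# the -certN suffix are assumptions about how versions are reported.
VERSION_RE = re.compile(
    r"^(?:Asterisk\s+)?(\d+)\.(\d+)(?:\.(\d+))?(?:-cert(\d+))?$", re.IGNORECASE
)

# First fixed (minor, patch) per open-source major, and first fixed cert
# number per Certified Asterisk series, as stated in the description.
FIXED_OPEN_SOURCE = {13: (15, 1), 14: (4, 1)}
FIXED_CERT = {(13, 13): 4}


def parse_version(version):
    """Return (major, minor, patch, cert); cert is None for open-source builds."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Asterisk version string: {version!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3)) if m.group(3) else 0
    cert = int(m.group(4)) if m.group(4) is not None else None
    return major, minor, patch, cert


def fix_for(version):
    """Return the first fixed release for an affected version, or None when the
    version is not inside any range the CVE description names."""
    major, minor, patch, cert = parse_version(version)
    if cert is not None:
        fixed_cert = FIXED_CERT.get((major, minor))
        if fixed_cert is not None and cert < fixed_cert:
            return f"{major}.{minor}-cert{fixed_cert}"
        return None
    fixed = FIXED_OPEN_SOURCE.get(major)
    if fixed is not None and (minor, patch) < fixed:
        return f"{major}.{fixed[0]}.{fixed[1]}"
    return None


def is_affected(version):
    return fix_for(version) is not None


if __name__ == "__main__":
    samples = ("13.14.0", "Asterisk 14.3.1", "13.13-cert3",
               "13.15.1", "14.4.1", "13.13-cert4", "15.0.0")
    for v in samples:
        fix = fix_for(v)
        print(f"{v:>18}: {'upgrade to ' + fix if fix else 'not in advisory ranges'}")
```

The input can be taken from `asterisk -V` output; the tuple comparison handles the minor/patch ordering so that 13.15.0 is reported as affected while 13.15.1 is not.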
Affected Products (20)
Open Source
Affected Vendors
References (10)
Third Party Advisory
http://downloads.asterisk.org/pub/security/AST-2017-002.txt
Third Party Advisory
http://www.securityfocus.com/bid/98572
Mailing List
https://bugs.debian.org/863901
59 / 100 high-risk
Severity 26/34 · High
Exploitability 7/34 · Low
Exposure 26/34 · High