[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] AST-2018-006: WebSocket frames with 0 sized payload causes DoS

               Asterisk Project Security Advisory - AST-2018-006

         Product        Asterisk                                              
         Summary        WebSocket frames with 0 sized payload causes DoS      
    Nature of Advisory  Denial of Service                                     
      Susceptibility    Remote Unauthenticated Sessions                       
         Severity       Moderate                                              
      Exploits Known    No                                                    
       Reported On      February 05, 2018                                     
       Reported By      Sean Bright                                           
        Posted On       February 21, 2018                                     
     Last Updated On    February 21, 2018                                     
     Advisory Contact   bford AT digium DOT com                               
         CVE Name       CVE-2018-7287                                         

    Description  When reading a websocket, the length was not being checked.  
                 If a payload of length 0 was read, it would result in a      
                 busy loop that waited for the underlying connection to       

    Resolution  A patch to asterisk is available that checks for payloads of  
                size 0 before attempting to read them. By default, Asterisk   
                does not enable the HTTP server, which means it is not        
                vulnerable to this problem. If the HTTP server is enabled,    
                you can disable it if you do not need it. Otherwise, the      
                patch provided with this security vulnerability can be        
                applied. Either of these approaches will resolve the          

                               Affected Versions       
                         Product                       Release  
                  Asterisk Open Source                  15.x    All versions  

                                  Corrected In         
                         Product                              Release         
                  Asterisk Open Source                        15.2.2          

                                SVN URL                              Revision 
   http://downloads.asterisk.org/pub/security/AST-2018-006-15.diff   Asterisk 

    Links  https://issues.asterisk.org/jira/browse/ASTERISK-27658             

    Asterisk Project Security Advisories are posted at                        
    This document may be superseded by later versions; if so, the latest      
    version will be posted at                                                 
    http://downloads.digium.com/pub/security/AST-2018-006.pdf and             

                                Revision History  
                        Date                       Editor    Revisions Made   
    February 15, 2018                             Ben Ford  Initial Revision  
    February 21, 2018                             Ben Ford  Added CVE Name    

               Asterisk Project Security Advisory - AST-2018-006
               Copyright © 2018 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.
Sent through the Full Disclosure mailing list
Web Archives & RSS: http://seclists.org/fulldisclosure/