FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

asterisk -- Remote crash vulnerability in HTTP websocket upgrade

Affected packages
asterisk13 < 13.23.1
asterisk15 < 15.6.1

Details

VuXML ID 77f67b46-bd75-11e8-81b6-001999f8d30b
Discovery 2018-08-16
Entry 2018-09-21

The Asterisk project reports:

There is a stack overflow vulnerability in the res_http_websocket.so module of Asterisk that allows an attacker to crash Asterisk via a specially crafted HTTP request to upgrade the connection to a websocket. The attacker's request causes Asterisk to run out of stack space and crash.

As a workaround, disable HTTP websocket access by not loading the res_http_websocket.so module.
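An added example, not part of the advisory or of FreeBSD or Asterisk code: a small audit check that compares an installed package version against the fixed versions listed above and looks for the workaround in the text of Asterisk's modules.conf. The function names and the sample configuration are hypothetical. The check assumes the workaround is expressed as a `noload` line in the `[modules]` section.

```python
import re

# Fixed versions from the "Affected packages" list on this page.
FIXED = {"asterisk13": (13, 23, 1), "asterisk15": (15, 6, 1)}
MODULE = "res_http_websocket.so"  # module named in the workaround

def parse_version(text):
    # Leading dotted-numeric part only: '13.23.0_2' -> (13, 23, 0).
    m = re.match(r"\d+(?:\.\d+)*", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group().split("."))

def is_affected(pkg, version):
    fixed = FIXED.get(pkg)
    return fixed is not None and parse_version(version) < fixed

def workaround_applied(conf_text, module=MODULE):
    # True only with an explicit 'noload' for the module in [modules] and no
    # load/preload/require line naming it (conservative on conflicts).
    section, noload, forced = None, False, False
    for raw in conf_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment
        if line.startswith("["):
            section = line[1:].split("]", 1)[0].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if section != "modules" or not sep:
            continue
        key, value = key.strip().lower(), value.lstrip(">").strip()
        if value == module and key == "noload":
            noload = True
        elif value == module and key in ("load", "preload", "require"):
            forced = True
    return noload and not forced

def assess(pkg, version, conf_text):
    if not is_affected(pkg, version):
        return "not affected"
    if workaround_applied(conf_text):
        return "affected, workaround applied"
    return "affected, module may load"

# Constructed sample modules.conf, not taken from a real system.
SAMPLE_CONF = """\
[modules]
autoload = yes
noload => res_http_websocket.so   ; workaround from the advisory
"""
```

The version comparison ignores port revision and epoch suffixes, so treat its result as a first-pass check alongside the package range given above.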

References

CVE Name CVE-2018-17281
URL https://downloads.asterisk.org/pub/security/AST-2018-009.html