FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

asterisk -- Remote crash vulnerability in HTTP websocket upgrade

Affected packages
asterisk13 < 13.23.1
asterisk15 < 15.6.1


VuXML ID 77f67b46-bd75-11e8-81b6-001999f8d30b
Discovery 2018-08-16
Entry 2018-09-21

The Asterisk project reports:

There is a stack overflow vulnerability in the module of Asterisk that allows an attacker to crash Asterisk via a specially crafted HTTP request to upgrade the connection to a websocket. The attacker's request causes Asterisk to run out of stack space and crash.

As a workaround, disable HTTP websocket access by not loading the module.


CVE Name CVE-2018-17281