Details of VAR-201706-0901

ID

VAR-201706-0901

CVE

CVE-2017-9358

TITLE

Asterisk Open Source and Certified Asterisk Vulnerable to resource exhaustion

Trust: 0.8

sources: JVNDB: JVNDB-2017-004594

DESCRIPTION

A memory exhaustion vulnerability exists in Asterisk Open Source 13.x before 13.15.1 and 14.x before 14.4.1 and Certified Asterisk 13.13 before 13.13-cert4, which can be triggered by sending specially crafted SCCP packets causing an infinite loop and leading to memory exhaustion (by message logging in that loop). Asterisk Open Source and Certified Asterisk Contains a resource exhaustion vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. Multiple Asterisk products are prone to a remote denial-of-service vulnerability. An attacker can exploit this issue to cause a denial-of-service condition

Trust: 1.89

sources: NVD: CVE-2017-9358 // JVNDB: JVNDB-2017-004594 // BID: 98573

AFFECTED PRODUCTS

vendor:	asterisk	model:	certified asterisk	scope:	eq	version:	13.13.0	Trust: 1.6
vendor:	sangoma	model:	asterisk	scope:	eq	version:	14.1.0	Trust: 1.0
vendor:	sangoma	model:	asterisk	scope:	eq	version:	13.14.0	Trust: 1.0
vendor:	sangoma	model:	asterisk	scope:	eq	version:	13.3.0	Trust: 1.0
vendor:	sangoma	model:	asterisk	scope:	eq	version:	13.8.0	Trust: 1.0
vendor:	sangoma	model:	asterisk	scope:	eq	version:	14.2.1	Trust: 1.0
vendor:	sangoma	model:	asterisk	scope:	eq	version:	14.4.0	Trust: 1.0
vendor:	sangoma	model:	asterisk	scope:	eq	version:	13.10.0	Trust: 1.0
vendor:	sangoma	model:	asterisk	scope:	eq	version:	13.8.2	Trust: 1.0
vendor:	sangoma	model:	asterisk	scope:	eq	version:	13.6.0	Trust: 1.0
vendor:	sangoma	model:	asterisk	scope:	eq	version:	13.11.0	Trust: 1.0
vendor:	sangoma	model:	asterisk	scope:	eq	version:	13.1.0	Trust: 1.0
vendor:	sangoma	model:	asterisk	scope:	eq	version:	13.12.0	Trust: 1.0
vendor:	sangoma	model:	asterisk	scope:	eq	version:	13.15.0	Trust: 1.0
vendor:	sangoma	model:	asterisk	scope:	eq	version:	14.0.0	Trust: 1.0
vendor:	sangoma	model:	asterisk	scope:	eq	version:	13.5.0	Trust: 1.0
vendor:	sangoma	model:	asterisk	scope:	eq	version:	14.2.0	Trust: 1.0
vendor:	sangoma	model:	asterisk	scope:	eq	version:	13.12.1	Trust: 1.0
vendor:	sangoma	model:	asterisk	scope:	eq	version:	13.13.0	Trust: 1.0
vendor:	sangoma	model:	asterisk	scope:	eq	version:	13.7.0	Trust: 1.0
vendor:	sangoma	model:	asterisk	scope:	eq	version:	13.8.1	Trust: 1.0
vendor:	sangoma	model:	asterisk	scope:	eq	version:	13.12.2	Trust: 1.0
vendor:	sangoma	model:	asterisk	scope:	eq	version:	13.4.0	Trust: 1.0
vendor:	sangoma	model:	asterisk	scope:	eq	version:	13.2.0	Trust: 1.0
vendor:	sangoma	model:	asterisk	scope:	eq	version:	14.3.0	Trust: 1.0
vendor:	sangoma	model:	asterisk	scope:	eq	version:	13.9.0	Trust: 1.0
vendor:	sangoma	model:	asterisk	scope:	eq	version:	13.0.0	Trust: 1.0
vendor:	digium	model:	asterisk open source	scope:	lt	version:	14.x	Trust: 0.8
vendor:	digium	model:	certified asterisk	scope:	eq	version:	13.13-cert4	Trust: 0.8
vendor:	digium	model:	certified asterisk	scope:	lt	version:	13.13	Trust: 0.8
vendor:	digium	model:	asterisk open source	scope:	eq	version:	13.15.1	Trust: 0.8
vendor:	digium	model:	asterisk open source	scope:	eq	version:	14.4.1	Trust: 0.8
vendor:	digium	model:	asterisk open source	scope:	lt	version:	13.x	Trust: 0.8
vendor:	asterisk	model:	open source	scope:	eq	version:	14.1.0	Trust: 0.6
vendor:	asterisk	model:	open source	scope:	eq	version:	14.2.0	Trust: 0.6
vendor:	asterisk	model:	open source	scope:	eq	version:	14.4.0	Trust: 0.6
vendor:	asterisk	model:	open source	scope:	eq	version:	14.3.0	Trust: 0.6
vendor:	asterisk	model:	open source	scope:	eq	version:	14.0.0	Trust: 0.6
vendor:	asterisk	model:	certified asterisk 13.13-cert3	scope:	-	version:	-	Trust: 0.3
vendor:	asterisk	model:	certified asterisk	scope:	eq	version:	13.13	Trust: 0.3
vendor:	asterisk	model:	open source	scope:	eq	version:	13.7.1	Trust: 0.3
vendor:	asterisk	model:	open source	scope:	eq	version:	13.3.2	Trust: 0.3
vendor:	asterisk	model:	open source	scope:	eq	version:	13.0.1	Trust: 0.3
vendor:	asterisk	model:	open source	scope:	eq	version:	14.0	Trust: 0.3
vendor:	asterisk	model:	open source	scope:	eq	version:	13.8.1	Trust: 0.3
vendor:	asterisk	model:	open source	scope:	eq	version:	13.1.1	Trust: 0.3
vendor:	asterisk	model:	open source	scope:	eq	version:	13.0.2	Trust: 0.3
vendor:	asterisk	model:	open source	scope:	eq	version:	13.0	Trust: 0.3
vendor:	asterisk	model:	certified asterisk 13.13-cert4	scope:	ne	version:	-	Trust: 0.3
vendor:	asterisk	model:	open source	scope:	ne	version:	14.4.1	Trust: 0.3
vendor:	asterisk	model:	open source	scope:	ne	version:	13.15.1	Trust: 0.3

sources: BID: 98573 // JVNDB: JVNDB-2017-004594 // CNNVD: CNNVD-201706-060 // NVD: CVE-2017-9358

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-9358
value:	HIGH
Trust: 1.0
NVD:	CVE-2017-9358
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201706-060
value:	HIGH
Trust: 0.6

nvd@nist.gov:	CVE-2017-9358
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8

nvd@nist.gov:	CVE-2017-9358
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.0
Trust: 1.8

sources: JVNDB: JVNDB-2017-004594 // CNNVD: CNNVD-201706-060 // NVD: CVE-2017-9358

PROBLEMTYPE DATA

problemtype:	CWE-835	Trust: 1.0
problemtype:	CWE-400	Trust: 0.8

sources: JVNDB: JVNDB-2017-004594 // NVD: CVE-2017-9358

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201706-060

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-201706-060

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-004594

PATCH

title:	AST-2017-004	url:	http://downloads.asterisk.org/pub/security/AST-2017-004.txt	Trust: 0.8
title:	863906	url:	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863906	Trust: 0.8
title:	Digium Asterisk Open Source and Certified Asterisk Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=70679	Trust: 0.6

sources: JVNDB: JVNDB-2017-004594 // CNNVD: CNNVD-201706-060

EXTERNAL IDS

db:	NVD	id:	CVE-2017-9358	Trust: 2.7
db:	BID	id:	98573	Trust: 1.9
db:	SECTRACK	id:	1038531	Trust: 1.6
db:	JVNDB	id:	JVNDB-2017-004594	Trust: 0.8
db:	CNNVD	id:	CNNVD-201706-060	Trust: 0.6

sources: BID: 98573 // JVNDB: JVNDB-2017-004594 // CNNVD: CNNVD-201706-060 // NVD: CVE-2017-9358

REFERENCES

url:	http://downloads.asterisk.org/pub/security/ast-2017-004.txt	Trust: 1.6
url:	http://www.securityfocus.com/bid/98573	Trust: 1.6
url:	http://www.securitytracker.com/id/1038531	Trust: 1.6
url:	https://bugs.debian.org/863906	Trust: 1.6
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-9358	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2017-9358	Trust: 0.8
url:	http://seclists.org/fulldisclosure/2017/may/76	Trust: 0.3
url:	http://www.asterisk.org/	Trust: 0.3
url:	http://downloads.asterisk.org/pub/security/ast-2017-004.html	Trust: 0.3

sources: BID: 98573 // JVNDB: JVNDB-2017-004594 // CNNVD: CNNVD-201706-060 // NVD: CVE-2017-9358

CREDITS

Sandro Gauci

Trust: 0.3

sources: BID: 98573

SOURCES

db:	BID	id:	98573
db:	JVNDB	id:	JVNDB-2017-004594
db:	CNNVD	id:	CNNVD-201706-060
db:	NVD	id:	CVE-2017-9358

LAST UPDATE DATE

2024-11-23T22:45:38.645000+00:00

SOURCES UPDATE DATE

db:	BID	id:	98573	date:	2017-06-02T18:01:00
db:	JVNDB	id:	JVNDB-2017-004594	date:	2017-06-30T00:00:00
db:	CNNVD	id:	CNNVD-201706-060	date:	2019-10-23T00:00:00
db:	NVD	id:	CVE-2017-9358	date:	2024-11-21T03:35:54.630

SOURCES RELEASE DATE

db:	BID	id:	98573	date:	2017-04-13T00:00:00
db:	JVNDB	id:	JVNDB-2017-004594	date:	2017-06-30T00:00:00
db:	CNNVD	id:	CNNVD-201706-060	date:	2017-06-02T00:00:00
db:	NVD	id:	CVE-2017-9358	date:	2017-06-02T05:29:00.700