Juniper Networks

Signature Detail


  • Short Name: HTTP:DOS:ASTERISK-UPGRD
  • Severity: Major
  • Recommended: Yes
  • Recommended Action: Drop
  • Category: HTTP
  • Keywords: Digium Asterisk res_http_websocket HTTP Upgrade Request Denial of Service
  • Release Date: 2018/11/26
  • Update Number: 3120
  • Supported Platforms: srx-12.1+, srx-branch-12.1+, vsrx-12.1+, vsrx3bsd-18.2+

HTTP: Digium Asterisk res_http_websocket HTTP Upgrade Request Denial of Service


A denial-of-service vulnerability has been reported in Digium Asterisk. The vulnerability is due to improper handling of HTTP Upgrade requests during initial WebSocket connection establishment within the res_http_websocket module of Asterisk. A remote attacker could exploit this vulnerability by sending crafted HTTP requests to the target server. Successful exploitation could result in a denial-of-service condition.

Extended Description

There is a stack consumption vulnerability in the res_http_websocket.so module of Asterisk through 13.23.0, 14.7.x through 14.7.7, and 15.x through 15.6.0 and Certified Asterisk through 13.21-cert2. It allows an attacker to crash Asterisk via a specially crafted HTTP request to upgrade the connection to a websocket.

Affected Products

  • Debian debian_linux 8.0
  • Debian debian_linux 9.0
  • Digium asterisk 13.0.0
  • Digium asterisk 13.1.0
  • Digium asterisk 13.10.0
  • Digium asterisk 13.11.0
  • Digium asterisk 13.12.0
  • Digium asterisk 13.12.1
  • Digium asterisk 13.12.2
  • Digium asterisk 13.13.0
  • Digium asterisk 13.14.0
  • Digium asterisk 13.15.0
  • Digium asterisk 13.16.0
  • Digium asterisk 13.17.0
  • Digium asterisk 13.18.0
  • Digium asterisk 13.19.0
  • Digium asterisk 13.2.0
  • Digium asterisk 13.20.0
  • Digium asterisk 13.21.0
  • Digium asterisk 13.22.0
  • Digium asterisk 13.23.0
  • Digium asterisk 13.3.0
  • Digium asterisk 13.4.0
  • Digium asterisk 13.5.0
  • Digium asterisk 13.6.0
  • Digium asterisk 13.7.0
  • Digium asterisk 13.8.0
  • Digium asterisk 13.8.1
  • Digium asterisk 13.8.2
  • Digium asterisk 13.9.0
  • Digium asterisk 14.0.0
  • Digium asterisk 14.01
  • Digium asterisk 14.0.1
  • Digium asterisk 14.02
  • Digium asterisk 14.0.2
  • Digium asterisk 14.1
  • Digium asterisk 14.1.0
  • Digium asterisk 14.1.1
  • Digium asterisk 14.1.2
  • Digium asterisk 14.2
  • Digium asterisk 14.2.0
  • Digium asterisk 14.2.1
  • Digium asterisk 14.3.0
  • Digium asterisk 14.3.1
  • Digium asterisk 14.4.0
  • Digium asterisk 14.4.1
  • Digium asterisk 14.5.0
  • Digium asterisk 14.6.0
  • Digium asterisk 14.6.1
  • Digium asterisk 14.6.2
  • Digium asterisk 14.7.0
  • Digium asterisk 14.7.1
  • Digium asterisk 14.7.2
  • Digium asterisk 14.7.3
  • Digium asterisk 14.7.4
  • Digium asterisk 14.7.5
  • Digium asterisk 14.7.6
  • Digium asterisk 14.7.7
  • Digium asterisk 15.0.0
  • Digium asterisk 15.1.0
  • Digium asterisk 15.2.0
  • Digium asterisk 15.3.0
  • Digium asterisk 15.4.0
  • Digium asterisk 15.5.0
  • Digium asterisk 15.6.0
  • Digium certified_asterisk 11.6
  • Digium certified_asterisk 13.1
  • Digium certified_asterisk 13.13
  • Digium certified_asterisk 13.21
  • Digium certified_asterisk 13.8

References

  • CVE: CVE-2018-17281
  • URL: http://downloads.asterisk.org/pub/security/ast-2018-009.html
