Short Name | HTTP:DOS:ASTERISK-UPGRD-2
Severity | Major
Recommended | Yes
Recommended Action | Drop
Category | HTTP
Keywords | Digium Asterisk res_http_websocket HTTP Upgrade Request Denial of Service 2
Release Date | 2019/06/04
Update Number | 3177
Supported Platforms | idp-4.0+, isg-3.0+, j-series-9.5+, mx-11.4+, srx-12.1+, srx-branch-12.1+, vmx-17.4+, vsrx-12.1+, vsrx3bsd-18.2+
HTTP: Digium Asterisk res_http_websocket HTTP Upgrade Request Denial of Service 2
A denial-of-service vulnerability has been reported in Digium Asterisk. The vulnerability is due to improper handling of HTTP Upgrade requests during initial WebSocket connection establishment within the res_http_websocket module of Asterisk. A remote attacker could exploit this vulnerability by sending crafted HTTP requests to the target server. Successful exploitation could result in a denial-of-service condition.
Extended Description
There is a stack consumption vulnerability in the res_http_websocket.so module of Asterisk through 13.23.0, 14.7.x through 14.7.7, and 15.x through 15.6.0, and in Certified Asterisk through 13.21-cert2. It allows an attacker to crash Asterisk via a specially crafted HTTP request that asks to upgrade the connection to a WebSocket.
Affected Products
- Debian debian_linux 8.0
- Debian debian_linux 9.0
- Digium asterisk 13.0.0
- Digium asterisk 13.1.0
- Digium asterisk 13.10.0
- Digium asterisk 13.11.0
- Digium asterisk 13.12.0
- Digium asterisk 13.12.1
- Digium asterisk 13.12.2
- Digium asterisk 13.13.0
- Digium asterisk 13.14.0
- Digium asterisk 13.15.0
- Digium asterisk 13.16.0
- Digium asterisk 13.17.0
- Digium asterisk 13.18.0
- Digium asterisk 13.19.0
- Digium asterisk 13.2.0
- Digium asterisk 13.20.0
- Digium asterisk 13.21.0
- Digium asterisk 13.22.0
- Digium asterisk 13.23.0
- Digium asterisk 13.3.0
- Digium asterisk 13.4.0
- Digium asterisk 13.5.0
- Digium asterisk 13.6.0
- Digium asterisk 13.7.0
- Digium asterisk 13.8.0
- Digium asterisk 13.8.1
- Digium asterisk 13.8.2
- Digium asterisk 13.9.0
- Digium asterisk 14.0.0
- Digium asterisk 14.01
- Digium asterisk 14.0.1
- Digium asterisk 14.02
- Digium asterisk 14.0.2
- Digium asterisk 14.1
- Digium asterisk 14.1.0
- Digium asterisk 14.1.1
- Digium asterisk 14.1.2
- Digium asterisk 14.2
- Digium asterisk 14.2.0
- Digium asterisk 14.2.1
- Digium asterisk 14.3.0
- Digium asterisk 14.3.1
- Digium asterisk 14.4.0
- Digium asterisk 14.4.1
- Digium asterisk 14.5.0
- Digium asterisk 14.6.0
- Digium asterisk 14.6.1
- Digium asterisk 14.6.2
- Digium asterisk 14.7.0
- Digium asterisk 14.7.1
- Digium asterisk 14.7.2
- Digium asterisk 14.7.3
- Digium asterisk 14.7.4
- Digium asterisk 14.7.5
- Digium asterisk 14.7.6
- Digium asterisk 14.7.7
- Digium asterisk 15.0.0
- Digium asterisk 15.1.0
- Digium asterisk 15.2.0
- Digium asterisk 15.3.0
- Digium asterisk 15.4.0
- Digium asterisk 15.5.0
- Digium asterisk 15.6.0
- Digium certified_asterisk 11.6
- Digium certified_asterisk 13.1
- Digium certified_asterisk 13.13
- Digium certified_asterisk 13.21
- Digium certified_asterisk 13.8