CVE-2017-17664

Current Description

A Remote Crash issue was discovered in Asterisk Open Source 13.x before 13.18.4, 14.x before 14.7.4, and 15.x before 15.1.4 and Certified Asterisk before 13.13-cert9. Certain compound RTCP packets cause a crash in the RTCP Stack.

Basic Data

Published	December 13, 2017
Last Modified	January 02, 2018
Assigner	cve@mitre.org
Data Type	CVE
Data Format	MITRE
Data Version	4.0
Problem Type	CWE-119
CVE Data Version	4.0

Base Metric V2

CVSS 2 - Version	2.0
CVSS 2 - Vector String	AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSS 2 - Access Vector	NETWORK
CVSS 2 - Access Complexity	MEDIUM
CVSS 2 - Authentication	NONE
CVSS 2 - Confidentiality Impact	NONE
CVSS 2 - Availability Impact	PARTIAL
CVSS 2 - Base Score	4.3
Severity	MEDIUM
Exploitability Score	8.6
Impact Score	2.9
Obtain All Privilege	false
Obtain User Privilege	false
Obtain Other Privilege	false

Base Metric V3

CVSS 3 - Version	3.0
CVSS 3 - Vector String	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 3 - Attack Vector	NETWORK
CVSS 3 - Attack Complexity	HIGH
CVSS 3 - Privileges Required	NONE
CVSS 3 - User Interaction	NONE
CVSS 3 - Scope	UNCHANGED
CVSS 3 - Confidentiality Impact	NONE
CVSS 3 - Integrity Impact	NONE
CVSS 3 - Availability Impact	HIGH
CVSS 3 - Base Score	5.9
CVSS 3 - Base Severity	MEDIUM
Exploitability Score	2.2
Base Severity	MEDIUM

Configurations

OR - Configuration 1

Cpe Version	Part	Vendor	Product	Version	Update	Edition	Language	SW Edition	Target SW	Target HW	Other	Version Start Including	Version End Excluding
2.3	Application	Digium	Asterisk	*	*	*	*	*	*	*	*	13.0.0	13.18.4
2.3	Application	Digium	Asterisk	*	*	*	*	*	*	*	*	14.0.0	14.7.4
2.3	Application	Digium	Asterisk	*	*	*	*	*	*	*	*	15.0.0	15.1.4

OR - Configuration 2

Cpe Version	Part	Vendor	Product	Version	Update	Edition	Language	SW Edition	Target SW	Target HW	Other	Version End Including
2.3	Application	Digium	Certified Asterisk	*	*	*	*	*	*	*	*	13.13
2.3	Application	Digium	Certified Asterisk	13.13	cert1	*	*	*	*	*	*
2.3	Application	Digium	Certified Asterisk	13.13	cert1_rc1	*	*	*	*	*	*
2.3	Application	Digium	Certified Asterisk	13.13	cert1_rc2	*	*	*	*	*	*
2.3	Application	Digium	Certified Asterisk	13.13	cert1_rc3	*	*	*	*	*	*
2.3	Application	Digium	Certified Asterisk	13.13	cert1_rc4	*	*	*	*	*	*
2.3	Application	Digium	Certified Asterisk	13.13	cert2	*	*	*	*	*	*
2.3	Application	Digium	Certified Asterisk	13.13	cert3	*	*	*	*	*	*
2.3	Application	Digium	Certified Asterisk	13.13	cert4	*	*	*	*	*	*
2.3	Application	Digium	Certified Asterisk	13.13	cert5	*	*	*	*	*	*
2.3	Application	Digium	Certified Asterisk	13.13	cert6	*	*	*	*	*	*
2.3	Application	Digium	Certified Asterisk	13.13	cert7	*	*	*	*	*	*
2.3	Application	Digium	Certified Asterisk	13.13	cert8	*	*	*	*	*	*

Vulnerable Software List

Vendor	Product	Versions
Digium	Certified Asterisk	*, 13.13
Digium	Asterisk	*

References

Name	Source	URL	Tags
http://downloads.digium.com/pub/security/AST-2017-012.html	http://downloads.digium.com/pub/security/AST-2017-012.html	MISC	Vendor Advisory
102201	http://www.securityfocus.com/bid/102201	BID	Third Party Advisory VDB Entry
1040009	http://www.securitytracker.com/id/1040009	SECTRACK	Third Party Advisory VDB Entry
https://issues.asterisk.org/jira/browse/ASTERISK-27382	https://issues.asterisk.org/jira/browse/ASTERISK-27382	MISC	Issue Tracking Patch Vendor Advisory
https://issues.asterisk.org/jira/browse/ASTERISK-27429	https://issues.asterisk.org/jira/browse/ASTERISK-27429	MISC	Issue Tracking Vendor Advisory
DSA-4076	https://www.debian.org/security/2017/dsa-4076	DEBIAN	Third Party Advisory