CVE-2017-9358

A memory exhaustion vulnerability exists in Asterisk Open Source 13.x before 13.15.1 and 14.x before 14.4.1 and Certified Asterisk 13.13 before 13.13-cert4, which can be triggered by sending specially crafted SCCP packets causing an infinite loop and leading to memory exhaustion (by message logging in that loop).
Infinite Loop
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 77%
VendorProductVersion
sangomaasterisk
13.0.0
sangomaasterisk
13.1.0
sangomaasterisk
13.1.0:rc1
sangomaasterisk
13.1.0:rc2
sangomaasterisk
13.2.0
sangomaasterisk
13.2.0:rc1
sangomaasterisk
13.3.0:rc1
sangomaasterisk
13.4.0
sangomaasterisk
13.4.0:rc1
sangomaasterisk
13.5.0
sangomaasterisk
13.5.0:rc1
sangomaasterisk
13.6.0:rc1
sangomaasterisk
13.7.0
sangomaasterisk
13.7.0:rc1
sangomaasterisk
13.8.0
sangomaasterisk
13.8.0:rc1
sangomaasterisk
13.8.1
sangomaasterisk
13.8.2
sangomaasterisk
13.9.0
sangomaasterisk
13.9.0:rc1
sangomaasterisk
13.10.0:rc1
sangomaasterisk
13.11.0:rc1
sangomaasterisk
13.12.0
sangomaasterisk
13.12.0:rc1
sangomaasterisk
13.12.1
sangomaasterisk
13.12.2
sangomaasterisk
13.13.0:rc1
sangomaasterisk
13.14.0:rc1
sangomaasterisk
13.15.0:rc1
asteriskcertified_asterisk
13.13.0
asteriskcertified_asterisk
13.13.0:cert1
asteriskcertified_asterisk
13.13.0:cert1-rc1
asteriskcertified_asterisk
13.13.0:cert1-rc2
asteriskcertified_asterisk
13.13.0:cert1-rc3
asteriskcertified_asterisk
13.13.0:cert1-rc4
asteriskcertified_asterisk
13.13.0:cert2
asteriskcertified_asterisk
13.13.0:cert3
asteriskcertified_asterisk
13.13.0:rc1
asteriskcertified_asterisk
13.13.0:rc2
sangomaasterisk
14.0.0
sangomaasterisk
14.0.0:beta1
sangomaasterisk
14.0.0:beta2
sangomaasterisk
14.0.0:rc1
sangomaasterisk
14.1.0:rc1
sangomaasterisk
14.2.0
sangomaasterisk
14.2.0:rc1
sangomaasterisk
14.2.0:rc2
sangomaasterisk
14.2.1
sangomaasterisk
14.3.0:rc1
sangomaasterisk
14.4.0:rc1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
asterisk
bullseye
1:16.28.0~dfsg-0+deb11u4
fixed
jessie
not-affected
wheezy
not-affected
bullseye (security)
1:16.28.0~dfsg-0+deb11u5
fixed
sid
1:22.0.0~dfsg+~cs6.14.60671435-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
asterisk
noble
not-affected
mantic
not-affected
lunar
not-affected
kinetic
not-affected
jammy
not-affected
impish
not-affected
hirsute
not-affected
groovy
not-affected
focal
not-affected
eoan
not-affected
disco
not-affected
cosmic
not-affected
bionic
not-affected
artful
ignored
zesty
ignored
yakkety
ignored
xenial
needed
trusty
dne
Common Weakness Enumeration
References
http://downloads.asterisk.org/pub/security/AST-2017-004.txt
http://www.securityfocus.com/bid/98573
http://www.securitytracker.com/id/1038531
https://bugs.debian.org/863906
http://downloads.asterisk.org/pub/security/AST-2017-004.txt
http://www.securityfocus.com/bid/98573
http://www.securitytracker.com/id/1038531
https://bugs.debian.org/863906