Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2017-17090 — Incomplete Cleanup in Asterisk

CWE-459 — Incomplete Cleanup8 documents6 sources

Severity

7.5HIGHNVD

EPSS

80.6%

top 0.86%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Digium Asterisk Debian Asterisk Digium Certified Asterisk

Timeline

PublishedDec 2

Latest updateMay 13

Description

An issue was discovered in chan_skinny.c in Asterisk Open Source 13.18.2 and older, 14.7.2 and older, and 15.1.2 and older, and Certified Asterisk 13.13-cert7 and older. If the chan_skinny (aka SCCP protocol) channel driver is flooded with certain requests, it can cause the asterisk process to use excessive amounts of virtual memory, eventually causing asterisk to stop processing requests of any kind.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶NVDdigium/certified_asterisk13.13+1

▶debiandebian/asterisk< asterisk 1:13.18.3~dfsg-1 (bullseye)

▶Debiandigium/asterisk< 1:13.18.3~dfsg-1

▶NVDdigium/asterisk13.8.2+2

🔴Vulnerability Details

GHSA

GHSA-m542-x3mj-mpgq: An issue was discovered in chan_skinny↗2022-05-13

▶

OSV

CVE-2017-17090: An issue was discovered in chan_skinny↗2017-12-02

▶

💥Exploits & PoCs

Exploit-DB

Asterisk 13.17.2 - 'chan_skinny' Remote Memory Corruption↗2018-02-07

▶

📋Vendor Advisories

Debian

CVE-2017-17090: asterisk - An issue was discovered in chan_skinny.c in Asterisk Open Source 13.18.2 and old...↗2017

▶

💬Community

Bugzilla

CVE-2017-17090 asterisk: DOS Vulnerability in Asterisk chan_skinny [epel-6]↗2017-12-04

▶

Bugzilla

CVE-2017-17090 asterisk: DOS Vulnerability in Asterisk chan_skinny↗2017-12-04

▶

Bugzilla

CVE-2017-17090 asterisk: DOS Vulnerability in Asterisk chan_skinny [fedora-all]↗2017-12-04

▶