CVE-2017-17664Improper Restriction of Operations within the Bounds of a Memory Buffer in Asterisk

CWE-119Improper Restriction of Operations within the Bounds of a Memory Buffer9 documents5 sources
Severity
5.9MEDIUMNVD
EPSS
1.3%
top 20.42%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Digium AsteriskDebian AsteriskDigium Certified Asterisk
Timeline
PublishedDec 13
Latest updateMay 14

Description

A Remote Crash issue was discovered in Asterisk Open Source 13.x before 13.18.4, 14.x before 14.7.4, and 15.x before 15.1.4 and Certified Asterisk before 13.13-cert9. Certain compound RTCP packets cause a crash in the RTCP Stack.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 2.2 | Impact: 3.6

Affected Packages4 packages

NVDdigium/asterisk13.0.013.18.4+2
debiandebian/asterisk< asterisk 1:13.18.5~dfsg-1 (bullseye)
Debiandigium/asterisk< 1:13.18.5~dfsg-1

Patches

Patch: issues.asterisk.orgPatch: issues.asterisk.org

🔴Vulnerability Details

2
GHSA
GHSA-v98f-vhv3-8x27: A Remote Crash issue was discovered in Asterisk Open Source 132022-05-14
OSV
CVE-2017-17664: A Remote Crash issue was discovered in Asterisk Open Source 132017-12-13

📋Vendor Advisories

1
Debian
CVE-2017-17664: asterisk - A Remote Crash issue was discovered in Asterisk Open Source 13.x before 13.18.4,...2017

💬Community

5
Bugzilla
CVE-2017-17664 asterisk: Mishandled compound RTCP packets in res/res_rtp_asterisk.c can allow remote attackers to cause a crash or write arbitrary data [fedora-all]2017-12-14
Bugzilla
CVE-2017-17664 asterisk: Mishandled compound RTCP packets in res/res_rtp_asterisk.c can allow remote attackers to cause a crash or write arbitrary data2017-12-14
Bugzilla
CVE-2017-17664 asterisk: Remote DOS via compound RTCP packet [epel-6]2017-12-13
Bugzilla
CVE-2017-17664 asterisk: Remote DOS via compound RTCP packet2017-12-13
Bugzilla
CVE-2017-17664 asterisk: Remote DOS via compound RTCP packet [fedora-all]2017-12-13
CVE-2017-17664 — Digium Asterisk vulnerability | cvebase