CVE-2018-12228 — Infinite Loop in Asterisk

CWE-835 — Infinite Loop6 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

0.4%

top 37.89%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Sangoma Asterisk Debian Asterisk

Timeline

PublishedJun 12

Latest updateMay 13

Description

An issue was discovered in Asterisk Open Source 15.x before 15.4.1. When connected to Asterisk via TCP/TLS, if the client abruptly disconnects, or sends a specially crafted message, then Asterisk gets caught in an infinite loop while trying to read the data stream. This renders the system unusable.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶NVDsangoma/asterisk15.0 — 15.4.1

▶debiandebian/asterisk

🔴Vulnerability Details

GHSA

GHSA-wcxf-gxv3-7xch: An issue was discovered in Asterisk Open Source 15↗2022-05-13

▶

📋Vendor Advisories

Debian

CVE-2018-12228: asterisk - An issue was discovered in Asterisk Open Source 15.x before 15.4.1. When connect...↗2018

▶

💬Community

Bugzilla

CVE-2018-12228 asterisk: Infinite loop when reading iostreams↗2018-06-12

▶

Bugzilla

CVE-2018-12227 CVE-2018-12228 asterisk: various flaws [epel-6]↗2018-06-12

▶

Bugzilla

CVE-2018-12227 CVE-2018-12228 asterisk: various flaws [fedora-all]↗2018-06-12

▶