CVE-2018-7284
Published: 2018-02-22
Priority P266 · high · 7.5 · CVSS 3.0
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EXPLOIT
EPSS: 58.95% (99.0th percentile)
A Buffer Overflow issue was discovered in Asterisk through 13.19.1, 14.x through 14.7.5, and 15.x through 15.2.1, and Certified Asterisk through 13.18-cert2. When processing a SUBSCRIBE request, the res_pjsip_pubsub module stores the accepted formats present in the Accept headers of the request. This code did not limit the number of headers it processed, despite having a fixed limit of 32. If more than 32 Accept headers were present, the code would write outside of its memory and cause a crash.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | asterisk | < asterisk 1:13.20.0~dfsg-1 (bullseye) | asterisk 1:13.20.0~dfsg-1 (bullseye) |
| debian | debian_linux | — | — |
| digium | asterisk | <= 13.19.1 | — |
| digium | asterisk | >= 0 < 1:13.20.0~dfsg-1 | 1:13.20.0~dfsg-1 |
| digium | asterisk | 14.0.0 – 14.7.5 | — |
| digium | asterisk | 15.0.0 – 15.2.1 | — |
| digium | certified_asterisk | <= 13.18 | — |
| digium | certified_asterisk | — | — |
| digium | certified_asterisk | — | — |
Detection & IOCs (extracted from sources)
Bytes:
Accept: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA (repeated 50+ times in SIP SUBSCRIBE)
- Detect SIP SUBSCRIBE requests containing more than 32 Accept headers, which triggers the buffer overflow in res_pjsip_pubsub.
- Monitor for SIP SUBSCRIBE messages with oversized or repeated Accept header values (e.g., long strings of repeated characters like 'A' * 100) sent over TCP or TLS to port 5060.
- Look for Asterisk process crashes (SIGABRT / stack smashing detected) in res_pjsip_pubsub.c, specifically in subscription_get_generator_from_rdata or pubsub_on_rx_subscribe_request, as indicators of exploitation attempts.
- The vulnerability is specific to Asterisk deployments using chan_pjsip (res_pjsip_pubsub module). Confirm chan_pjsip is active before triaging alerts.
- Exploitation via UDP may be unreliable due to packet size limitations; TCP and TLS are the confirmed effective transports for delivering the oversized SUBSCRIBE payload.
- Authentication may be required before the vulnerable code path is reached, meaning unauthenticated exploitation may not always be possible depending on Asterisk configuration.
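The first two checks above can be expressed as a small parser over a reassembled SIP message. This is an added example, not code from Asterisk or from the sources quoted on this page; the function names are hypothetical, the sample messages are constructed, and counting comma-separated values as well as header lines is a conservative choice of this example.

```python
MAX_ACCEPT = 32  # fixed limit stated in the advisory text

def parse_headers(raw: bytes):
    """Split one SIP message into its request line and (name, value) header pairs."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("utf-8", "replace")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and headers:   # folded continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers

def check_subscribe(raw: bytes):
    """Return Accept statistics for a SUBSCRIBE request, or None for other messages."""
    request_line, headers = parse_headers(raw)
    if not request_line.startswith("SUBSCRIBE "):
        return None
    accepts = [value for name, value in headers if name == "accept"]
    # Assumption of this example: comma-separated media types are counted too,
    # so many values packed into a few header lines are still flagged.
    values = [v.strip() for a in accepts for v in a.split(",") if v.strip()]
    return {
        "accept_lines": len(accepts),
        "accept_values": len(values),
        "longest_value": max((len(v) for v in values), default=0),
        "alert": len(accepts) > MAX_ACCEPT or len(values) > MAX_ACCEPT,
    }

def sample(accept_lines):
    """Constructed test message; hosts and tags are placeholders."""
    lines = ["SUBSCRIBE sip:1000@pbx.example.invalid SIP/2.0",
             "Call-ID: constructed-sample", "CSeq: 1 SUBSCRIBE", "Event: presence"]
    return ("\r\n".join(lines + accept_lines + ["Content-Length: 0"]) + "\r\n\r\n").encode()

if __name__ == "__main__":
    print(check_subscribe(sample(["Accept: application/pidf+xml"] * 2)))
    print(check_subscribe(sample(["Accept: application/pidf+xml"] * 33)))
```

The `longest_value` field supports the second check (oversized Accept values); the threshold for it is left to the deployment.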
CVSS provenance
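| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |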
GHSA
GHSA-h9x3-h6rr-35ww: A Buffer Overflow issue was discovered in Asterisk through 13
ghsa_unreviewed·2022-05-14
CVE-2018-7284 [HIGH] CWE-119 GHSA-h9x3-h6rr-35ww: A Buffer Overflow issue was discovered in Asterisk through 13
OSV
CVE-2018-7284: A Buffer Overflow issue was discovered in Asterisk through 13
osv·2018-02-22·CVSS 7.5
CVE-2018-7284 [HIGH] CVE-2018-7284: A Buffer Overflow issue was discovered in Asterisk through 13
Debian
CVE-2018-7284: asterisk - A Buffer Overflow issue was discovered in Asterisk through 13.19.1, 14.x through...
vendor_debian·2018·CVSS 7.5
CVE-2018-7284 [HIGH] CVE-2018-7284: asterisk - A Buffer Overflow issue was discovered in Asterisk through 13.19.1, 14.x through...
Scope: local
bullseye: resolved (fixed in 1:13.20.0~dfsg-1)
sid: resolved (fixed in 1:13.20.0~dfsg-1)
No detection rules found.
Bugzilla
CVE-2018-7284 asterisk: memory corruption in SUBSCRIBE message with a large Accept value [epel-6]
bugzilla·2018-02-22·CVSS 7.5
CVE-2018-7284 [HIGH] CVE-2018-7284 asterisk: memory corruption in SUBSCRIBE message with a large Accept value [epel-6]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-6.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion:
Use the following templ
Bugzilla
CVE-2018-7284 asterisk: memory corruption in SUBSCRIBE message with a large Accept value
bugzilla·2018-02-22·CVSS 7.5
CVE-2018-7284 [HIGH] CVE-2018-7284 asterisk: memory corruption in SUBSCRIBE message with a large Accept value
A flaw was discovered in Asterisk 13.x, 14.x, 15.x and 13.18. When processing a SUBSCRIBE request the res_pjsip_pubsub module stores the accepted formats present in the Accept headers of the request. This code did not limit the number of headers it processed despite having a fixed limit of 32. If more than 32 Accept headers were present the code would write outside of its memory and cause a crash.
Resources:
http://downloads.asterisk.org/pub/security/AST-2018-004.html
https://issues.asterisk.org/jira/browse/ASTERISK-27640
Patch:
http://downloads.asterisk.org/pub/security/AST-2018-004-13.diff [Asterisk 13]
http://downloads.asterisk.org/pub/security/AST-2018-004-14.diff [Asterisk 14]
http://downloads
Bugzilla
CVE-2018-7284 asterisk: memory corruption in SUBSCRIBE message with a large Accept value [fedora-all]
bugzilla·2018-02-22·CVSS 7.5
CVE-2018-7284 [HIGH] CVE-2018-7284 asterisk: memory corruption in SUBSCRIBE message with a large Accept value [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects mul
- http://downloads.asterisk.org/pub/security/AST-2018-004.html
- http://www.securityfocus.com/bid/103151
- http://www.securitytracker.com/id/1040416
- https://www.debian.org/security/2018/dsa-4320
- https://www.exploit-db.com/exploits/44184/
Published: 2018-02-22