CVE-2018-7284
published 2018-02-22


Priority: P2 (66) high · CVSS 3.0: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Exploit: available
EPSS: 58.95% (99.0th percentile)
A Buffer Overflow issue was discovered in Asterisk through 13.19.1, 14.x through 14.7.5, and 15.x through 15.2.1, and Certified Asterisk through 13.18-cert2. When processing a SUBSCRIBE request, the res_pjsip_pubsub module stores the accepted formats present in the Accept headers of the request. This code did not limit the number of headers it processed, despite having a fixed limit of 32. If more than 32 Accept headers were present, the code would write outside of its memory and cause a crash.

Affected

9 ranges

Vendor   Product             Version range                           Fixed in
debian   asterisk            < asterisk 1:13.20.0~dfsg-1 (bullseye)  asterisk 1:13.20.0~dfsg-1 (bullseye)
debian   debian_linux        -                                       -
digium   asterisk            <= 13.19.1                              -
digium   asterisk            >= 0, < 1:13.20.0~dfsg-1                1:13.20.0~dfsg-1
digium   asterisk            14.0.0 – 14.7.5                         -
digium   asterisk            15.0.0 – 15.2.1                         -
digium   certified_asterisk  <= 13.18                                -
digium   certified_asterisk  -                                       -
digium   certified_asterisk  -                                       -

Detection & IOCs (extracted from sources)

Request:  SUBSCRIBE sip:[email protected]:5060 SIP/2.0 with >32 Accept headers
Port:     5060
Payload:  Accept: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA (repeated 50+ times in a SIP SUBSCRIBE)
  • Detect SIP SUBSCRIBE requests carrying more than 32 Accept headers; that count is what overruns the fixed 32-entry buffer in res_pjsip_pubsub.
  • Monitor for SIP SUBSCRIBE messages with oversized or repeated Accept header values (for example long runs of a single character such as 'A' * 100) sent over TCP or TLS to the Asterisk SIP port (5060 in the indicators above).
  • Look for Asterisk process crashes (SIGABRT, reported as "stack smashing detected" on builds that use the stack protector) whose backtrace lands in res_pjsip_pubsub.c, specifically in subscription_get_generator_from_rdata or pubsub_on_rx_subscribe_request, as indicators of exploitation attempts.
  • The vulnerability is specific to Asterisk deployments using chan_pjsip (the res_pjsip_pubsub module); the legacy chan_sip stack does not contain this code. Confirm chan_pjsip is loaded before triaging alerts.
  • Exploitation via UDP may be unreliable because of datagram size limits; TCP and TLS are the confirmed effective transports for delivering the oversized SUBSCRIBE.
  • Authentication may be required before the vulnerable code path is reached, so unauthenticated exploitation is not always possible; it depends on how the receiving endpoint is configured in Asterisk.
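The first two detection bullets reduce to one check: count the Accept entries in a SUBSCRIBE and compare against the 32-entry limit. The Python below is an added example written for this page, not code from the Asterisk project or from the page's sources. The sample SUBSCRIBE it builds is constructed (example.net names, RFC 5737 addresses), and one design choice is an assumption: it also splits comma-separated values within a single Accept line, since the SIP parser hands each value to the application separately, so a single folded header can reach the limit as easily as 33 separate lines. Set split_commas=False to count header lines only, as the page's indicators describe.

```python
"""Count Accept entries in a SIP SUBSCRIBE and flag requests that exceed
Asterisk's fixed 32-entry buffer (CVE-2018-7284).

Added example for this page; not code from the Asterisk project. The sample
SUBSCRIBE below is constructed, and splitting comma-separated Accept values
(split_commas=True) is an assumption explained in the lead-in.
"""

AST_SIP_MAX_ACCEPT = 32  # the fixed limit named in the advisory text


def parse_sip_headers(raw: bytes):
    """Return (request_line, [(lowercased name, value), ...]).

    Takes the start line and header block of a raw SIP message and unfolds
    RFC 3261 continuation lines (lines beginning with SP or HT).
    """
    text = raw.decode("latin-1")         # byte-transparent; never raises
    head = text.split("\r\n\r\n", 1)[0]  # the body is irrelevant here
    lines = head.split("\r\n")
    request_line = lines[0]
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        if line[0] in " \t" and headers:  # folded continuation of the previous header
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return request_line, headers


def count_accept_values(headers, split_commas=True):
    """Number of Accept entries in the parsed header list.

    split_commas=True (assumption): 'Accept: a/b, c/d' counts as two entries.
    split_commas=False: count Accept header lines only.
    """
    total = 0
    for name, value in headers:
        if name != "accept":
            continue
        if split_commas:
            total += sum(1 for v in value.split(",") if v.strip())
        else:
            total += 1
    return total


def check_subscribe(raw: bytes, limit=AST_SIP_MAX_ACCEPT):
    """Return (suspicious, accept_count).

    Only SUBSCRIBE reaches the vulnerable pubsub path, so any other method
    returns (False, 0) without counting.
    """
    request_line, headers = parse_sip_headers(raw)
    method = request_line.split(" ", 1)[0].upper()
    if method != "SUBSCRIBE":
        return False, 0
    n = count_accept_values(headers)
    return n > limit, n


def build_subscribe(n_accept, accept_value="application/pidf+xml"):
    """Constructed sample SUBSCRIBE carrying n_accept Accept header lines."""
    lines = [
        "SUBSCRIBE sip:alice@pbx.example.net:5060 SIP/2.0",
        "Via: SIP/2.0/TCP 203.0.113.7:5060;branch=z9hG4bK776asdhds",
        "From: <sip:bob@pbx.example.net>;tag=1928301774",
        "To: <sip:alice@pbx.example.net>",
        "Call-ID: a84b4c76e66710@203.0.113.7",
        "CSeq: 1 SUBSCRIBE",
        "Event: presence",
        "Expires: 3600",
    ]
    lines += [f"Accept: {accept_value}"] * n_accept
    lines += ["Content-Length: 0", "", ""]  # blank line terminates the headers
    return "\r\n".join(lines).encode("latin-1")


if __name__ == "__main__":
    for n in (2, 32, 33):
        print(n, "Accept lines ->", check_subscribe(build_subscribe(n)))
    # One Accept line carrying 40 comma-separated values trips the same limit.
    folded = build_subscribe(1, ", ".join(["text/plain"] * 40))
    print("1 line, 40 values ->", check_subscribe(folded))
```

Run against captured TCP or TLS SUBSCRIBE payloads after reassembly; a 32-entry request is exactly at the limit and is not flagged, 33 is. Pair a hit with the crash indicators in the third bullet before calling it exploitation rather than a noisy client.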

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.0      7.5     HIGH       CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd             v2.0      5.0     MEDIUM     AV:N/AC:L/Au:N/C:N/I:N/A:P
osv             -         7.5     HIGH       -
vendor_debian   -         7.5     HIGH       -