CVE-2018-7286
published 2018-02-22


Priority: P3 (52) · Severity: medium, 6.5 (CVSS 3.0)
CVSS 3.0 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Exploit: yes (PoC available)
EPSS: 39.50% (98.4th percentile)
An issue was discovered in Asterisk through 13.19.1, 14.x through 14.7.5, and 15.x through 15.2.1, and Certified Asterisk through 13.18-cert2. res_pjsip allows remote authenticated users to crash Asterisk (segmentation fault) by sending a number of SIP INVITE messages on a TCP or TLS connection and then suddenly closing the connection.

Affected (7 ranges)

Vendor | Product            | Version range                                  | Fixed in
debian | asterisk           | < asterisk 1:13.20.0~dfsg-1 (bullseye)         | asterisk 1:13.20.0~dfsg-1 (bullseye)
debian | debian_linux       |                                                |
digium | asterisk           |                                                |
digium | asterisk           | >= 0, < 1:13.20.0~dfsg-1                       | 1:13.20.0~dfsg-1
digium | asterisk           | 14.0.0 – 14.7.5                                |
digium | asterisk           | 15.0.0 – 15.2.1                                |
digium | certified_asterisk | <= 13.18                                       |

Detection & IOCs (extracted from sources)

port:    5061
command: INVITE sip:%s@%s:%i SIP/2.0
other:   Via: SIP/2.0/TLS;branch=z9hG4bK
process: res_pjsip
  • Detect repeated SIP INVITE messages over TCP (port 5060) or TLS (port 5061) from the same source followed by an abrupt TCP connection reset/close — this is the trigger pattern for the CVE-2018-7286 DoS.
  • Monitor for an Asterisk segfault in res_pjsip.c at ast_sip_failover_request with tdata=0x0, indicating the null pointer dereference triggered by the exploit.
  • Flag Asterisk instances compiled with --with-pjproject-bundled and running chan_pjsip as the highest-risk targets for this vulnerability.
  • Alert on multiple SIP INVITE requests sharing the same Call-ID over a single TCP/TLS session — the PoC sends 10 INVITEs per connection using the same callid value.
  • Inspect SIP INVITE traffic on TLS transport for the Via branch pattern z9hG4bK originating from non-standard high ports (e.g., 10394), which matches the PoC's crafted headers.
  • The vulnerability only affects Asterisk deployments using the res_pjsip / chan_pjsip stack over TCP or TLS transports; SIP over UDP is not affected.
  • Exploitation requires prior authentication — the attacker must be a valid SIP user. Unauthenticated users cannot trigger the crash.
  • The destination SIP address used in the INVITE must match a valid extension in the dialplan for the crash to be triggered.
  • Affected versions span Asterisk 13.x through 13.19.1, 14.x through 14.7.5, 15.x through 15.2.1, and Certified Asterisk through 13.18-cert2; confirmed tested on 15.2.0, 15.1.0, 15.0.0, 13.19.0, 13.11.2, 14.7.5.

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.0    | 6.5   | MEDIUM   | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
nvd           | v2.0    | 4.0   | MEDIUM   | AV:N/AC:L/Au:S/C:N/I:N/A:P
osv           |         | 6.5   | MEDIUM   |
vendor_debian |         | 6.5   | MEDIUM   |