CVE-2022-37325
Published: 2022-12-05
Priority: P336 (high); CVSS 3.1 base score 7.5, vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.98% (57.9th percentile)

In Sangoma Asterisk through 16.28.0, 17.x and 18.x through 18.14.0, and 19.x through 19.6.0, an incoming Setup message to addons/ooh323c/src/ooq931.c with a malformed Calling or Called Party IE can cause a crash.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | asterisk | < asterisk 1:16.28.0~dfsg-0+deb11u2 (bullseye) | asterisk 1:16.28.0~dfsg-0+deb11u2 (bullseye) |
| sangoma | asterisk | — | — |
| sangoma | asterisk | >= 0 < 1:16.28.0~dfsg-0+deb11u2 | 1:16.28.0~dfsg-0+deb11u2 |
| sangoma | asterisk | >= 16.0.0 < 16.29.1 | 16.29.1 |
| sangoma | asterisk | >= 18.0.0 < 18.15.1 | 18.15.1 |
| sangoma | asterisk | >= 19.0.0 < 19.7.1 | 19.7.1 |
CVSS provenance
- nvd: CVSS v3.1 7.5 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
- osv: 7.5 HIGH
- vendor_debian: 7.5 HIGH
Debian
vendor_debian · 2022 · CVSS 7.5
CVE-2022-37325 [HIGH]: asterisk - In Sangoma Asterisk through 16.28.0, 17.x and 18.x through 18.14.0, and 19.x through 19.6.0, an incoming Setup message to addons/ooh323c/src/ooq931.c with a malformed Calling or Called Party IE can cause a crash.
Scope: local
bullseye: resolved (fixed in 1:16.28.0~dfsg-0+deb11u2)
sid: resolved (fixed in 1:20.0.1~dfsg+~cs6.12.40431414-1)
GHSA
GHSA-m52q-h2w3-62w3 · ghsa_unreviewed · 2022-12-05 · CWE-787
CVE-2022-37325 [HIGH]: In Sangoma Asterisk through 16.28.0, 17.x and 18.x through 18.14.0, and 19.x through 19.6.0, an incoming Setup message to addons/ooh323c/src/ooq931.c with a malformed Calling or Called Party IE can cause a crash.
OSV
osv · 2022-12-05 · CVSS 7.5
CVE-2022-37325 [HIGH]: In Sangoma Asterisk through 16.28.0, 17.x and 18.x through 18.14.0, and 19.x through 19.6.0, an incoming Setup message to addons/ooh323c/src/ooq931.c with a malformed Calling or Called Party IE can cause a crash.
No detection rules found.
No public exploits indexed.
Bugzilla
bugzilla · 2022-12-05 · CVSS 7.5
CVE-2022-37325 [HIGH] asterisk: Remote Crash Vulnerability in H323 channel add on [epel-8]
More information about this security flaw is available in the following bug:
http://bugzilla.redhat.com/show_bug.cgi?id=2150949
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
Use the following template for the 'fedpkg update' request to submit an update for this issue, as it contains the top-level parent bug(s) as well as this tracking bug. This will ensure that all associated bugs get updated when new packages are pushed to stable.
# bugfix, security, enhancement, newpackage (required)
type=security
# low, medi
Bugzilla
bugzilla · 2022-12-05 · CVSS 7.5
CVE-2022-37325 [HIGH] asterisk: Remote Crash Vulnerability in H323 channel add on [fedora-all]
More information about this security flaw is available in the following bug:
http://bugzilla.redhat.com/show_bug.cgi?id=2150949
References
- https://downloads.asterisk.org/pub/security/AST-2022-007.html
- https://lists.debian.org/debian-lts-announce/2023/02/msg00029.html
- https://www.debian.org/security/2023/dsa-5358

Published: 2022-12-05