lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1eocOA-0006Pj-8U@mail.digium.com>
Date: Wed, 21 Feb 2018 15:57:22 -0600
From: "Asterisk Security Team" <security@...erisk.org>
To: fulldisclosure@...lists.org
Subject: [FD] AST-2018-006: WebSocket frames with 0 sized payload causes DoS

               Asterisk Project Security Advisory - AST-2018-006

         Product        Asterisk                                              
         Summary        WebSocket frames with 0 sized payload causes DoS      
    Nature of Advisory  Denial of Service                                     
      Susceptibility    Remote Unauthenticated Sessions                       
         Severity       Moderate                                              
      Exploits Known    No                                                    
       Reported On      February 05, 2018                                     
       Reported By      Sean Bright                                           
        Posted On       February 21, 2018                                     
     Last Updated On    February 21, 2018                                     
     Advisory Contact   bford AT digium DOT com                               
         CVE Name       CVE-2018-7287                                         

    Description  When reading a websocket, the length was not being checked.  
                 If a payload of length 0 was read, it would result in a      
                 busy loop that waited for the underlying connection to       
                 close.                                                       

    Resolution  A patch to asterisk is available that checks for payloads of  
                size 0 before attempting to read them. By default, Asterisk   
                does not enable the HTTP server, which means it is not        
                vulnerable to this problem. If the HTTP server is enabled,    
                you can disable it if you do not need it. Otherwise, the      
                patch provided with this security vulnerability can be        
                applied. Either of these approaches will resolve the          
                problem.                                                      

                               Affected Versions       
                         Product                       Release  
                                                       Series   
                  Asterisk Open Source                  15.x    All versions  

                                  Corrected In         
                         Product                              Release         
                  Asterisk Open Source                        15.2.2          

                                    Patches                          
                                SVN URL                              Revision 
   http://downloads.asterisk.org/pub/security/AST-2018-006-15.diff   Asterisk 
                                                                     15       

    Links  https://issues.asterisk.org/jira/browse/ASTERISK-27658             
                                                                              
           http://downloads.asterisk.org/pub/security/AST-2018-006.html       

    Asterisk Project Security Advisories are posted at                        
    http://www.asterisk.org/security                                          
                                                                              
    This document may be superseded by later versions; if so, the latest      
    version will be posted at                                                 
    http://downloads.digium.com/pub/security/AST-2018-006.pdf and             
    http://downloads.digium.com/pub/security/AST-2018-006.html                

                                Revision History  
                        Date                       Editor    Revisions Made   
    February 15, 2018                             Ben Ford  Initial Revision  
    February 21, 2018                             Ben Ford  Added CVE Name    

               Asterisk Project Security Advisory - AST-2018-006
               Copyright �� 2018 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ