CVE-2017-17090 — HIGH (7.5)

Q: How severe is CVE-2017-17090?

CVE-2017-17090 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2017-17090?

Check the references section above for vendor advisories and patch information. Affected products include: Digium Certified Asterisk, Digium Asterisk.

Vulnerability Description

An issue was discovered in chan_skinny.c in Asterisk Open Source 13.18.2 and older, 14.7.2 and older, and 15.1.2 and older, and Certified Asterisk 13.13-cert7 and older. If the chan_skinny (aka SCCP protocol) channel driver is flooded with certain requests, it can cause the asterisk process to use excessive amounts of virtual memory, eventually causing asterisk to stop processing requests of any kind.

CVSS Score

7.5

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Digium	Certified Asterisk	<= 13.13
Digium	Asterisk	<= 13.8.2

Related Weaknesses (CWE)

CWE-459

References

http://downloads.digium.com/pub/security/AST-2017-013.htmlVendor Advisory
http://www.securityfocus.com/bid/102023Third Party AdvisoryVDB Entry
http://www.securitytracker.com/id/1039948
https://issues.asterisk.org/jira/browse/ASTERISK-27452Issue TrackingVendor Advisory
https://lists.debian.org/debian-lts-announce/2017/12/msg00028.html
https://www.debian.org/security/2017/dsa-4076
https://www.exploit-db.com/exploits/43992/
http://downloads.digium.com/pub/security/AST-2017-013.htmlVendor Advisory
http://www.securityfocus.com/bid/102023Third Party AdvisoryVDB Entry
http://www.securitytracker.com/id/1039948
https://issues.asterisk.org/jira/browse/ASTERISK-27452Issue TrackingVendor Advisory
https://lists.debian.org/debian-lts-announce/2017/12/msg00028.html
https://www.debian.org/security/2017/dsa-4076
https://www.exploit-db.com/exploits/43992/

FAQ

What is CVE-2017-17090?

CVE-2017-17090 is a vulnerability with a CVSS score of 7.5 (HIGH). An issue was discovered in chan_skinny.c in Asterisk Open Source 13.18.2 and older, 14.7.2 and older, and 15.1.2 and older, and Certified Asterisk 13.13-cert7 and older. If the chan_skinny (aka SCCP p...

How severe is CVE-2017-17090?

CVE-2017-17090 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2017-17090?

Check the references section above for vendor advisories and patch information. Affected products include: Digium Certified Asterisk, Digium Asterisk.