CVE-2017-17850
HIGHAsterisk < 13.18.4, < 14.7.4, < 15.1.4, and < 13.18-cert1 - Denial of Service via Missing Contact Header in SIP Messages
Title source: llmDescription
An issue was discovered in Asterisk 13.18.4 and older, 14.7.4 and older, 15.1.4 and older, and 13.18-cert1 and older. A select set of SIP messages create a dialog in Asterisk. Those SIP messages must contain a contact header. For those messages, if the header was not present and the PJSIP channel driver was used, Asterisk would crash. The severity of this vulnerability is somewhat mitigated if authentication is enabled. If authentication is enabled, a user would have to first be authorized before reaching the crash point.
References (4)
Core 4
Core References
Issue Tracking, Vendor Advisory x_refsource_confirm
https://issues.asterisk.org/jira/browse/ASTERISK-27480
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id/1040056
Third Party Advisory vendor-advisory
x_refsource_gentoo
https://security.gentoo.org/glsa/201811-11
Vendor Advisory x_refsource_confirm
http://downloads.asterisk.org/pub/security/AST-2017-014.html
Scores
CVSS v3
7.5
EPSS
0.7535
EPSS Percentile
99.5%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-20
Status
published
Products (3)
digium/asterisk
13.0.0 - 13.18.4
digium/certified_asterisk
13.1.0 (3 CPE variants)
digium/certified_asterisk
13.8 cert1
Published
Dec 27, 2017
Tracked Since
Feb 18, 2026