HTTP: Digium Asterisk res_http_websocket HTTP Upgrade Request Denial of Service
A denial-of-service vulnerability has been reported in Digium Asterisk. The vulnerability is due to improper handling of HTTP Upgrade requests during initial WebSocket connection establishment within the res_http_websocket module of Asterisk. A remote attacker could exploit this vulnerability by sending crafted HTTP requests to the target server. Successful exploitation could result in a denial-of-service condition.
Extended Description
There is a stack consumption vulnerability in the res_http_websocket.so module of Asterisk through 13.23.0, 14.7.x through 14.7.7, and 15.x through 15.6.0 and Certified Asterisk through 13.21-cert2. It allows an attacker to crash Asterisk via a specially crafted HTTP request to upgrade the connection to a websocket.
Affected Products
Digium asterisk
Short Name
HTTP:DOS:ASTERISK-UPGRD
Severity
Major
Recommended
True
Recommended Action
Drop
Category
HTTP
Keywords
Asterisk CVE-2018-17281 Denial Digium HTTP Request Service Upgrade of res_http_websocket
Release Date
11/26/2018
Supported Platforms
srx-branch-12.3
srx-branch-19.3
vsrx3bsd-19.2
vsrx3bsd-19.4
srx-branch-19.4
vsrx-19.4
srx-19.4
vsrx-12.3
srx-12.3
vsrx-19.2
srx-19.3
Sigpack Version
3590
False Positive
Unknown
Vendors
Digium
Debian
CVSS Score
5.0