There is a stack consumption vulnerability in the res_http_websocket.so module of Asterisk through 13.23.0, 14.7.x through 14.7.7, and 15.x through 15.6.0 and Certified Asterisk through 13.21-cert2. It allows an attacker to crash Asterisk via a specially crafted HTTP request to upgrade the connection to a websocket.

The remote host is affected by the vulnerability described in GLSA-201811-11 (Asterisk: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Asterisk. Please review       the referenced CVE identifiers for details.
  Impact :

    A remote attacker could cause a Denial of Service condition or conduct       information gathering.
  Workaround :

    There is no known workaround at this time.

Multiple vulnerabilities have been discovered in Asterisk, an open source PBX and telephony toolkit, which may result in denial of service or information disclosure.

Sean Bright discovered that Asterisk, a PBX and telephony toolkit, contained a stack overflow vulnerability in the res_http_websocket.so module that allowed remote attackers to crash Asterisk via specially crafted HTTP requests to upgrade the connection to a websocket.

For Debian 8 'Jessie', this problem has been fixed in version 1:11.13.1~dfsg-2+deb8u6.

We recommend that you upgrade your asterisk packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to its SIP banner, the version of Asterisk running on the remote host is 13.x prior to 13.23.1, 14.x prior to 14.7.8, 15.x prior to 15.6.1, or 13.21 prior to 13.21-cert3. It is therefore, affected by an error related to the res_http_websocket.so module that allows a stack overflow error as described in AST-2018-009. This error can allow denial of service attacks.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Asterisk project reports :

There is a stack overflow vulnerability in the res_http_websocket.so module of Asterisk that allows an attacker to crash Asterisk via a specially crafted HTTP request to upgrade the connection to a websocket. The attackers request causes Asterisk to run out of stack space and crash.

As a workaround disable HTTP websocket access by not loading the res_http_websocket.so module.

ID	Name	Product	Family	Severity
119131	GLSA-201811-11 : Asterisk: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
118158	Debian DSA-4320-1 : asterisk - security update	Nessus	Debian Local Security Checks	medium
117810	Debian DLA-1523-1 : asterisk security update	Nessus	Debian Local Security Checks	high
117808	Asterisk 13.x < 13.23.1 / 14.x < 14.7.8 / 15.x < 15.6.1 / 13.21 < 13.21-cert3 HTTP Websocket Stack Overflow (AST-2018-009)	Nessus	Misc.	high
117651	FreeBSD : asterisk -- Remote crash vulnerability in HTTP websocket upgrade (77f67b46-bd75-11e8-81b6-001999f8d30b)	Nessus	FreeBSD Local Security Checks	high

Detections

Analytics

CVE-2018-17281

high

Tenable Plugins

high

medium

high

high

high