Asterisk 'res_http_websocket' Double-Free DoS (AST-2014-019)
Medium
Nessus Plugin ID 80036
Synopsis
A telephony application running on the remote host is affected by a denial of service vulnerability.
Description
According to its SIP banner, the version of Asterisk running on the remote host is potentially affected by a double-free error related to the 'res_http_websocket' module and its handling of zero-length payloads, which could allow denial of service attacks.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Upgrade to Asterisk 11.14.2 / 12.7.2 / 13.0.2 / 11.6-cert9 or apply the appropriate patch listed in the Asterisk advisory.
Alternatively, as a workaround, disable the built-in HTTP server.