What is the severity of CVE-2017-9372?

CVE-2017-9372 is rated as a critical severity vulnerability that allows for a denial of service due to a buffer overflow.

How do I fix CVE-2017-9372?

To fix CVE-2017-9372, update affected versions of PJSIP and Asterisk to versions 13.15.1, 14.4.1 or newer.

Which versions are affected by CVE-2017-9372?

CVE-2017-9372 affects Asterisk Open Source versions 13.x before 13.15.1 and 14.x before 14.4.1.

What type of attack does CVE-2017-9372 facilitate?

CVE-2017-9372 allows remote attackers to cause a denial of service by exploiting a crafted SIP packet.

Is CVE-2017-9372 exploitable from remote locations?

Yes, CVE-2017-9372 can be exploited by remote attackers without requiring physical access to the system.

Vulnerability/
CVE-2017-9372

high

7.5

CWE

119

2/6/2017

5/11/2017

CVE-2017-9372: Buffer Overflow

First published: Fri Jun 02 2017(Updated: )

PJSIP, as used in Asterisk Open Source 13.x before 13.15.1 and 14.x before 14.4.1, Certified Asterisk 13.13 before 13.13-cert4, and other products, allows remote attackers to cause a denial of service (buffer overflow and application crash) via a SIP packet with a crafted CSeq header in conjunction with a Via header that lacks a branch parameter.

Credit: cve@mitre.org

Affected Software	Affected Version	How to fix
digium Open Source	=13.0.0
digium Open Source	=13.1.0
digium Open Source	=13.1.0-rc1
digium Open Source	=13.1.0-rc2
digium Open Source	=13.2.0
digium Open Source	=13.2.0-rc1
digium Open Source	=13.3.0-rc1
digium Open Source	=13.4.0
digium Open Source	=13.4.0-rc1
digium Open Source	=13.5.0
digium Open Source	=13.5.0-rc1
digium Open Source	=13.6.0-rc1
digium Open Source	=13.7.0
digium Open Source	=13.7.0-rc1
digium Open Source	=13.8.0
digium Open Source	=13.8.0-rc1
digium Open Source	=13.8.1
digium Open Source	=13.8.2
digium Open Source	=13.9.0
digium Open Source	=13.9.0-rc1
digium Open Source	=13.10.0-rc1
digium Open Source	=13.11.0-rc1
digium Open Source	=13.12.0
digium Open Source	=13.12.0-rc1
digium Open Source	=13.12.1
digium Open Source	=13.12.2
digium Open Source	=13.13.0-rc1
digium Open Source	=13.14.0-rc1
digium Open Source	=13.15.0-rc1
digium Open Source	=14.0.0
digium Open Source	=14.0.0-beta1
digium Open Source	=14.0.0-beta2
digium Open Source	=14.0.0-rc1
digium Open Source	=14.1.0-rc1
digium Open Source	=14.2.0
digium Open Source	=14.2.0-rc1
digium Open Source	=14.2.0-rc2
digium Open Source	=14.2.1
digium Open Source	=14.3.0-rc1
digium Open Source	=14.4.0-rc1
Asterisk	=13.13.0
Asterisk	=13.13.0-cert1
Asterisk	=13.13.0-cert1-rc1
Asterisk	=13.13.0-cert1-rc2
Asterisk	=13.13.0-cert1-rc3
Asterisk	=13.13.0-cert1-rc4
Asterisk	=13.13.0-cert2
Asterisk	=13.13.0-cert3
Asterisk	=13.13.0-rc1
Asterisk	=13.13.0-rc2

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2017-9372?
CVE-2017-9372 is rated as a critical severity vulnerability that allows for a denial of service due to a buffer overflow.
How do I fix CVE-2017-9372?
To fix CVE-2017-9372, update affected versions of PJSIP and Asterisk to versions 13.15.1, 14.4.1 or newer.
Which versions are affected by CVE-2017-9372?
CVE-2017-9372 affects Asterisk Open Source versions 13.x before 13.15.1 and 14.x before 14.4.1.
What type of attack does CVE-2017-9372 facilitate?
CVE-2017-9372 allows remote attackers to cause a denial of service by exploiting a crafted SIP packet.
Is CVE-2017-9372 exploitable from remote locations?
Yes, CVE-2017-9372 can be exploited by remote attackers without requiring physical access to the system.

agent/type
agent/last-modified-date
agent/first-publish-date
agent/severity
agent/references
agent/description
agent/weakness
agent/author
agent/tags
agent/event
agent/softwarecombine
collector/nvd-index
agent/software-canonical-lookup-request
vendor/digium
canonical/digium open source
version/digium open source/13.0.0
version/digium open source/13.1.0
version/digium open source/13.1.0-rc1
version/digium open source/13.1.0-rc2
version/digium open source/13.2.0
version/digium open source/13.2.0-rc1
version/digium open source/13.3.0-rc1
version/digium open source/13.4.0
version/digium open source/13.4.0-rc1
version/digium open source/13.5.0
version/digium open source/13.5.0-rc1
version/digium open source/13.6.0-rc1
version/digium open source/13.7.0
version/digium open source/13.7.0-rc1
version/digium open source/13.8.0
version/digium open source/13.8.0-rc1
version/digium open source/13.8.1
version/digium open source/13.8.2
version/digium open source/13.9.0
version/digium open source/13.9.0-rc1
version/digium open source/13.10.0-rc1
version/digium open source/13.11.0-rc1
version/digium open source/13.12.0
version/digium open source/13.12.0-rc1
version/digium open source/13.12.1
version/digium open source/13.12.2
version/digium open source/13.13.0-rc1
version/digium open source/13.14.0-rc1
version/digium open source/13.15.0-rc1
version/digium open source/14.0.0
version/digium open source/14.0.0-beta1
version/digium open source/14.0.0-beta2
version/digium open source/14.0.0-rc1
version/digium open source/14.1.0-rc1
version/digium open source/14.2.0
version/digium open source/14.2.0-rc1
version/digium open source/14.2.0-rc2
version/digium open source/14.2.1
version/digium open source/14.3.0-rc1
version/digium open source/14.4.0-rc1
canonical/asterisk
version/asterisk/13.13.0
version/asterisk/13.13.0-cert1
version/asterisk/13.13.0-cert1-rc1
version/asterisk/13.13.0-cert1-rc2
version/asterisk/13.13.0-cert1-rc3
version/asterisk/13.13.0-cert1-rc4
version/asterisk/13.13.0-cert2
version/asterisk/13.13.0-cert3
version/asterisk/13.13.0-rc1
version/asterisk/13.13.0-rc2