CVE-2018-19278: Buffer Overflow
First published: Wed Nov 14 2018(Updated: )
Buffer overflow in DNS SRV and NAPTR lookups in Digium Asterisk 15.x before 15.6.2 and 16.x before 16.0.1 allows remote attackers to crash Asterisk via a specially crafted DNS SRV or NAPTR response, because a buffer size is supposed to match an expanded length but actually matches a compressed length.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Digium Asterisk | =15.0.0 | |
| Digium Asterisk | =15.0.0-b1 | |
| Digium Asterisk | =15.0.0-rc1 | |
| Digium Asterisk | =15.1.0 | |
| Digium Asterisk | =15.1.0-rc1 | |
| Digium Asterisk | =15.1.0-rc2 | |
| Digium Asterisk | =15.1.2 | |
| Digium Asterisk | =15.1.3 | |
| Digium Asterisk | =15.1.4 | |
| Digium Asterisk | =15.1.5 | |
| Digium Asterisk | =15.2.0-rc1 | |
| Digium Asterisk | =15.2.0-rc2 | |
| Digium Asterisk | =15.2.1 | |
| Digium Asterisk | =15.2.2 | |
| Digium Asterisk | =15.3.0 | |
| Digium Asterisk | =15.3.0-rc1 | |
| Digium Asterisk | =15.3.0-rc2 | |
| Digium Asterisk | =15.4.0 | |
| Digium Asterisk | =15.4.0-rc1 | |
| Digium Asterisk | =15.4.0-rc2 | |
| Digium Asterisk | =15.4.1 | |
| Digium Asterisk | =15.5.0 | |
| Digium Asterisk | =15.5.0-rc1 | |
| Digium Asterisk | =15.6.0 | |
| Digium Asterisk | =15.6.0-rc1 | |
| Digium Asterisk | =15.6.1 | |
| Digium Asterisk | =16.0.0 | |
| Digium Asterisk | =16.0.0-rc2 | |
| Digium Asterisk | =16.0.0-rc3 | |
| Digium Asterisk | =16.0.1-rc1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2018-19278?
The severity of CVE-2018-19278 is high with a severity value of 7.5.
Which versions of Digium Asterisk are affected by CVE-2018-19278?
Digium Asterisk versions 15.x before 15.6.2 and 16.x before 16.0.1 are affected by CVE-2018-19278.
How can remote attackers exploit CVE-2018-19278?
Remote attackers can exploit CVE-2018-19278 by sending a specially crafted DNS SRV or NAPTR response.
What can the exploitation of CVE-2018-19278 lead to?
The exploitation of CVE-2018-19278 can crash the Asterisk server.
Where can I find more information about CVE-2018-19278?
More information about CVE-2018-19278 can be found at the following references: [Link 1](https://downloads.asterisk.org/pub/security/AST-2018-010.html), [Link 2](https://issues.asterisk.org/jira/browse/ASTERISK-28127).
- collector/nvd-index
- agent/weakness
- agent/references
- agent/type
- vendor/digium
- canonical/digium asterisk
- version/digium asterisk/15.0.0
- version/digium asterisk/15.0.0-b1
- version/digium asterisk/15.0.0-rc1
- version/digium asterisk/15.1.0
- version/digium asterisk/15.1.0-rc1
- version/digium asterisk/15.1.0-rc2
- version/digium asterisk/15.1.2
- version/digium asterisk/15.1.3
- version/digium asterisk/15.1.4
- version/digium asterisk/15.1.5
- version/digium asterisk/15.2.0-rc1
- version/digium asterisk/15.2.0-rc2
- version/digium asterisk/15.2.1
- version/digium asterisk/15.2.2
- version/digium asterisk/15.3.0
- version/digium asterisk/15.3.0-rc1
- version/digium asterisk/15.3.0-rc2
- version/digium asterisk/15.4.0
- version/digium asterisk/15.4.0-rc1
- version/digium asterisk/15.4.0-rc2
- version/digium asterisk/15.4.1
- version/digium asterisk/15.5.0
- version/digium asterisk/15.5.0-rc1
- version/digium asterisk/15.6.0
- version/digium asterisk/15.6.0-rc1
- version/digium asterisk/15.6.1
- version/digium asterisk/16.0.0
- version/digium asterisk/16.0.0-rc2
- version/digium asterisk/16.0.0-rc3
- version/digium asterisk/16.0.1-rc1