CVE-2018-7286
First published: Thu Feb 22 2018(Updated: )
An issue was discovered in Asterisk through 13.19.1, 14.x through 14.7.5, and 15.x through 15.2.1, and Certified Asterisk through 13.18-cert2. res_pjsip allows remote authenticated users to crash Asterisk (segmentation fault) by sending a number of SIP INVITE messages on a TCP or TLS connection and then suddenly closing the connection.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/asterisk | 1:16.2.1~dfsg-1+deb10u2 1:16.28.0~dfsg-0+deb10u3 1:16.28.0~dfsg-0+deb11u3 1:20.4.0~dfsg+~cs6.13.40431414-2 | |
| debian/asterisk | <=1:13.14.1~dfsg-1<=1:13.18.5~dfsg-1 | 1:13.20.0~dfsg-1 1:13.14.1~dfsg-2+deb9u4 |
| Digium Asterisk | >=14.0.0<=14.7.5 | |
| Digium Asterisk | >=15.0.0<=15.2.1 | |
| Digium Asterisk | =13.19.1 | |
| Digium Certified Asterisk | <=13.18 | |
| Debian Debian Linux | =9.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://downloads.asterisk.org/pub/security/AST-2018-005.html
- https://issues.asterisk.org/jira/browse/ASTERISK-27618
- http://downloads.asterisk.org/pub/security/AST-2018-005-13.diff
- https://security-tracker.debian.org/tracker/CVE-2018-7286
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7286
- https://security-tracker.debian.org/tracker/CVE-2018-7284
- https://security-tracker.debian.org/tracker/CVE-2018-12227
- https://security-tracker.debian.org/tracker/CVE-2018-17281
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891228
- http://www.securityfocus.com/bid/103129
- http://www.securitytracker.com/id/1040417
- https://www.debian.org/security/2018/dsa-4320
- https://www.exploit-db.com/exploits/44181/
Frequently Asked Questions
What is the severity of CVE-2018-7286?
The severity of CVE-2018-7286 is medium with a CVSS score of 6.5.
How does CVE-2018-7286 affect Asterisk?
CVE-2018-7286 allows remote authenticated users to crash Asterisk (segmentation fault) by sending a number of SIP INVITE messages on a TCP or TLS connection.
What versions of Asterisk are affected by CVE-2018-7286?
Asterisk versions through 13.19.1, 14.x through 14.7.5, and 15.x through 15.2.1, as well as Certified Asterisk through 13.18 are affected by CVE-2018-7286.
How can I fix CVE-2018-7286?
To fix CVE-2018-7286, update to Asterisk versions 13.20.0 or later for Debian, or 16.2.1 or later for Debian 10 and Debian 11.
Where can I find more information about CVE-2018-7286?
You can find more information about CVE-2018-7286 at the following references: [AST-2018-005](http://downloads.asterisk.org/pub/security/AST-2018-005.html), [BID-103129](http://www.securityfocus.com/bid/103129), [SecurityTracker-1040417](http://www.securitytracker.com/id/1040417).
- collector/security-tracker-debian
- collector/debian-bugs
- alias/CVE-2018-7286
- collector/nvd-index
- agent/type
- agent/tags
- agent/severity
- agent/references
- agent/author
- agent/event
- agent/description
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- package-manager/debian
- vendor/digium
- canonical/digium asterisk
- version/digium asterisk/14.0.0
- version/digium asterisk/14.7.5
- version/digium asterisk/15.0.0
- version/digium asterisk/15.2.1
- version/digium asterisk/13.19.1
- canonical/digium certified asterisk
- version/digium certified asterisk/13.18
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0