CVE-2017-17090

Published: Dec 2, 2017Modified: May 13, 2026

7.5

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

An issue was discovered in chan_skinny.c in Asterisk Open Source 13.18.2 and older, 14.7.2 and older, and 15.1.2 and older, and Certified Asterisk 13.13-cert7 and older. If the chan_skinny (aka SCCP protocol) channel driver is flooded with certain requests, it can cause the asterisk process to use excessive amounts of virtual memory, eventually causing asterisk to stop processing requests of any kind.

Affected (15)

Products: Digium: Certified Asterisk, Asterisk

2 products

Certified Asterisk

Configuration A

12 vulnerable

Vulnerable Software	Affected Versions
Digium Certified Asterisk	Up to 13.13
Digium Certified Asterisk	Version 13.13 cert1
Digium Certified Asterisk	Version 13.13 cert1_rc1
Digium Certified Asterisk	Version 13.13 cert1_rc2
Digium Certified Asterisk	Version 13.13 cert1_rc3
Digium Certified Asterisk	Version 13.13 cert1_rc4
Digium Certified Asterisk	Version 13.13 cert2
Digium Certified Asterisk	Version 13.13 cert3
Digium Certified Asterisk	Version 13.13 cert4
Digium Certified Asterisk	Version 13.13 cert5
Digium Certified Asterisk	Version 13.13 cert6
Digium Certified Asterisk	Version 13.13 cert7

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Digium Asterisk	Up to 13.8.2

Configuration C

1 vulnerable

Vulnerable Software	Affected Versions
Digium Asterisk	Up to 14.7.2

Configuration D

1 vulnerable

Vulnerable Software	Affected Versions
Digium Asterisk	Up to 15.1.2

Related CWEs

Incomplete Cleanup

The product does not properly "clean up" and remove temporary or supporting resources after they have been used.

References (14)

http://downloads.digium.com/pub/security/AST-2017-013.html

Source: cve@mitre.org

Vendor Advisory

http://www.securityfocus.com/bid/102023

Source: cve@mitre.org

Third Party AdvisoryVDB Entry

http://www.securitytracker.com/id/1039948

Source: cve@mitre.org

https://issues.asterisk.org/jira/browse/ASTERISK-27452

Source: cve@mitre.org

Issue TrackingVendor Advisory

https://lists.debian.org/debian-lts-announce/2017/12/msg00028.html

Source: cve@mitre.org

https://www.debian.org/security/2017/dsa-4076

Source: cve@mitre.org

https://www.exploit-db.com/exploits/43992/

Source: cve@mitre.org

http://downloads.digium.com/pub/security/AST-2017-013.html

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

http://www.securityfocus.com/bid/102023

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

http://www.securitytracker.com/id/1039948

Source: af854a3a-2127-422b-91ae-364da2661108

https://issues.asterisk.org/jira/browse/ASTERISK-27452

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingVendor Advisory

https://lists.debian.org/debian-lts-announce/2017/12/msg00028.html

Source: af854a3a-2127-422b-91ae-364da2661108

https://www.debian.org/security/2017/dsa-4076

Source: af854a3a-2127-422b-91ae-364da2661108

https://www.exploit-db.com/exploits/43992/

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.