Vulnerability Details : CVE-2017-17090
An issue was discovered in chan_skinny.c in Asterisk Open Source 13.18.2 and older, 14.7.2 and older, and 15.1.2 and older, and Certified Asterisk 13.13-cert7 and older. If the chan_skinny (aka SCCP protocol) channel driver is flooded with certain requests, it can cause the asterisk process to use excessive amounts of virtual memory, eventually causing asterisk to stop processing requests of any kind.
Products affected by CVE-2017-17090
- cpe:2.3:a:digium:asterisk:*:*:*:*:*:*:*:*
- cpe:2.3:a:digium:certified_asterisk:*:*:*:*:*:*:*:*
- cpe:2.3:a:digium:certified_asterisk:13.13:cert1_rc1:*:*:*:*:*:*
- cpe:2.3:a:digium:certified_asterisk:13.13:cert1_rc3:*:*:*:*:*:*
- cpe:2.3:a:digium:certified_asterisk:13.13:cert1_rc4:*:*:*:*:*:*
- cpe:2.3:a:digium:certified_asterisk:13.13:cert2:*:*:*:*:*:*
- cpe:2.3:a:digium:certified_asterisk:13.13:cert3:*:*:*:*:*:*
- cpe:2.3:a:digium:certified_asterisk:13.13:cert4:*:*:*:*:*:*
- cpe:2.3:a:digium:certified_asterisk:13.13:cert1:*:*:*:*:*:*
- cpe:2.3:a:digium:certified_asterisk:13.13:cert1_rc2:*:*:*:*:*:*
- cpe:2.3:a:digium:certified_asterisk:13.13:cert5:*:*:*:*:*:*
- cpe:2.3:a:digium:certified_asterisk:13.13:cert6:*:*:*:*:*:*
- cpe:2.3:a:digium:certified_asterisk:13.13:cert7:*:*:*:*:*:*
Threat overview for CVE-2017-17090
- Top open port discovered on systems with this issue: 80
- IPs affected by CVE-2017-17090: 25,107
- Threat actors abusing this issue: Yes
Exploit prediction scoring system (EPSS) score for CVE-2017-17090
- EPSS score: 46.31% (probability of exploitation activity in the next 30 days)
- Percentile: ~98% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2017-17090
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P | 10.0 | 2.9 | NIST | 
7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | NIST | 
CWE ids for CVE-2017-17090
- The product does not properly "clean up" and remove temporary or supporting resources after they have been used. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2017-17090
- https://www.exploit-db.com/exploits/43992/
  Asterisk 13.17.2 - 'chan_skinny' Remote Memory Corruption
- https://www.debian.org/security/2017/dsa-4076
  Debian -- Security Information -- DSA-4076-1 asterisk
- http://www.securityfocus.com/bid/102023
  Asterisk 'chan_skinny' Remote Denial of Service Vulnerability (Third Party Advisory; VDB Entry)
- http://www.securitytracker.com/id/1039948
  Asterisk chan_skinny Driver Bug Lets Remote Users Consume Excessive Memory Resources - SecurityTracker
- http://downloads.digium.com/pub/security/AST-2017-013.html
  AST-2017-013 (Vendor Advisory)
- https://lists.debian.org/debian-lts-announce/2017/12/msg00028.html
  [SECURITY] [DLA 1225-1] asterisk security update
- https://issues.asterisk.org/jira/browse/ASTERISK-27452
  [ASTERISK-27452] Security: chan_skinny: Memory exhaustion if flooded with unauthenticated requests - Digium/Asterisk JIRA (Issue Tracking; Vendor Advisory)