Candidate: CVE-2017-7617 PublicDate: 2017-04-10 14:59:00 UTC References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7617 http://downloads.asterisk.org/pub/security/AST-2017-001.html https://bugs.debian.org/859910 Description: Remote code execution can occur in Asterisk Open Source 13.x before 13.14.1 and 14.x before 14.3.1 and Certified Asterisk 13.13 before 13.13-cert3 because of a buffer overflow in a CDR user field, related to X-ClientCode in chan_sip, the CDR dialplan function, and the AMI Monitor action. Ubuntu-Description: Alex Villacis Lasso discovered that asterisk did not properly check the length of certain input. A remote attacker could use this vulnerability to cause a denial of service (crash) or potentially execute arbitrary code. Notes: Bugs: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859910 Priority: medium Discovered-by: Alex Villacis Lasso Assigned-to: CVSS: nvd: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H [8.8 HIGH] Patches_asterisk: upstream: http://downloads.asterisk.org/pub/security/AST-2017-001-13.diff upstream_asterisk: released (1:13.14.1~dfsg-1) precise_asterisk: ignored (reached end-of-life) precise/esm_asterisk: DNE (precise was needed) trusty_asterisk: ignored (reached end-of-life) trusty/esm_asterisk: DNE (trusty was not-affected [code not present]) vivid/stable-phone-overlay_asterisk: DNE vivid/ubuntu-core_asterisk: DNE xenial_asterisk: ignored (end of standard support, was needed) yakkety_asterisk: ignored (reached end-of-life) zesty_asterisk: ignored (reached end-of-life) artful_asterisk: ignored (reached end-of-life) bionic_asterisk: not-affected (1:13.18.3~dfsg-1ubuntu4) cosmic_asterisk: not-affected (1:13.18.3~dfsg-1ubuntu4) disco_asterisk: not-affected (1:13.18.3~dfsg-1ubuntu4) eoan_asterisk: not-affected (1:13.18.3~dfsg-1ubuntu4) focal_asterisk: not-affected (1:13.18.3~dfsg-1ubuntu4) groovy_asterisk: not-affected (1:13.18.3~dfsg-1ubuntu4) hirsute_asterisk: not-affected (1:13.18.3~dfsg-1ubuntu4) impish_asterisk: not-affected (1:13.18.3~dfsg-1ubuntu4) jammy_asterisk: not-affected (1:13.18.3~dfsg-1ubuntu4) devel_asterisk: not-affected (1:13.18.3~dfsg-1ubuntu4)