Vulnerabilities > CVE-2018-7287 - Improper Check for Unusual or Exceptional Conditions vulnerability in Digium Asterisk

047910
CVSS 4.3 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
digium
CWE-754
nessus

Summary

An issue was discovered in res_http_websocket.c in Asterisk 15.x through 15.2.1. If the HTTP server is enabled (default is disabled), WebSocket payloads of size 0 are mishandled (with a busy loop).

Nessus

  • NASL familyMisc.
    NASL idASTERISK_AST_2018_001-006.NASL
    descriptionAccording to its SIP banner, the version of Asterisk running on the remote host is 15.x prior to 15.2.2. It is therefore, affected by multiple vulnerabilities as described in AST-2018-001, AST-2018-002, AST-2018-003, AST-2018-004, AST-2018-005, & AST-2018-006 advisories. Note that Nessus has not tested for these issues but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id107100
    published2018-03-02
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/107100
    titleAsterisk 15.x < 15.2.2 Multiple Vulnerabilities (AST-2018-001 - AST-2018-006)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(107100);
      script_version("1.6");
      script_cvs_date("Date: 2019/11/08");
    
      script_cve_id(
        "CVE-2018-7284",
        "CVE-2018-7285",
        "CVE-2018-7286",
        "CVE-2018-7287"
      );
      script_bugtraq_id(
        103120,
        103129,
        103149,
        103151
      );
    
      script_name(english:"Asterisk 15.x < 15.2.2 Multiple Vulnerabilities (AST-2018-001 - AST-2018-006)");
      script_summary(english:"Checks the version in the SIP banner.");
    
      script_set_attribute(attribute:"synopsis", value:
    "A telephony application running on the remote host is affected by
    multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "According to its SIP banner, the version of Asterisk running on the
    remote host is 15.x prior to 15.2.2. It is therefore, affected by
    multiple vulnerabilities as described in AST-2018-001, 
    AST-2018-002, AST-2018-003, AST-2018-004, AST-2018-005,
    & AST-2018-006 advisories.
    
    Note that Nessus has not tested for these issues but has instead
    relied only on the application's self-reported version number.");
      script_set_attribute(attribute:"see_also", value:"http://downloads.asterisk.org/pub/security/AST-2018-001.html");
      script_set_attribute(attribute:"see_also", value:"http://downloads.asterisk.org/pub/security/AST-2018-002.html");
      script_set_attribute(attribute:"see_also", value:"http://downloads.asterisk.org/pub/security/AST-2018-003.html");
      script_set_attribute(attribute:"see_also", value:"http://downloads.asterisk.org/pub/security/AST-2018-004.html");
      script_set_attribute(attribute:"see_also", value:"http://downloads.asterisk.org/pub/security/AST-2018-005.html");
      script_set_attribute(attribute:"see_also", value:"http://downloads.asterisk.org/pub/security/AST-2018-006.html");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Asterisk version 15.2.2 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-7285");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/02/21");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/02/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/03/02");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:digium:asterisk");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("asterisk_detection.nasl");
      script_require_keys("asterisk/sip_detected", "Settings/ParanoidReport");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    get_kb_item_or_exit("asterisk/sip_detected");
    
    asterisk_kbs = get_kb_list_or_exit("sip/asterisk/*/version");
    
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    is_vuln = FALSE;
    not_vuln_installs = make_list();
    errors = make_list();
    
    foreach kb_name (keys(asterisk_kbs))
    {
      vulnerable = 0;
    
      matches = pregmatch(pattern:"/(udp|tcp)/([0-9]+)/version", string:kb_name);
      if (isnull(matches))
      {
        errors = make_list(errors, "Unexpected error parsing port number from '"+kb_name+"'.");
        continue;
      }
    
      proto = matches[1];
      port  = matches[2];
      version = asterisk_kbs[kb_name];
    
      if (version == 'unknown')
      {
        errors = make_list(errors, "Unable to obtain version of installation on " + proto + "/" + port + ".");
        continue;
      }
    
      banner = get_kb_item("sip/asterisk/" + proto + "/" + port + "/source");
      if (!banner)
      {
        # We have version but banner is missing;
        # log error and use in version-check though.
        errors = make_list(errors, "KB item 'sip/asterisk/" + proto + "/" + port + "/source' is missing.");
        banner = 'unknown';
      }
    
      if (version =~ "^15([^0-9])" && "cert" >!< tolower(version))
      {
        fixed = "15.2.2";
        vulnerable = ver_compare(ver:version, fix:fixed, app:"asterisk");
      }
    
      if (vulnerable < 0)
      {
        is_vuln = TRUE;
        report =
            '\n  Version source    : ' + banner +
            '\n  Installed version : ' + version +
            '\n  Fixed version     : ' + fixed +
            '\n';
          security_report_v4(severity:SECURITY_WARNING, port:port, proto:proto, extra:report);
      }
      else not_vuln_installs = make_list(not_vuln_installs, version + " on port " + proto + "/" + port);
    }
    
    if (max_index(errors))
    {
      if (max_index(errors) == 1) errmsg = errors[0];
      else errmsg = 'Errors were encountered verifying installations : \n  ' + join(errors, sep:'\n  ');
    
      exit(1, errmsg);
    }
    else
    {
      installs = max_index(not_vuln_installs);
      if (installs == 0)
      {
        if (is_vuln) exit(0);
        else audit(AUDIT_NOT_INST, "Asterisk");
      }
      else audit(AUDIT_INST_VER_NOT_VULN, "Asterisk", not_vuln_installs);
    }
    
  • NASL familyMisc.
    NASL idASTERISK_AST_2018_006.NASL
    descriptionAccording to its SIP banner, the version of Asterisk running on the remote host is 15.x prior to 15.2.2. It is therefore, affected by a denial of service vulnerability as described in AST-2018-006 advisory. Note that Nessus has not tested for these issues but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id110568
    published2018-06-15
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110568
    titleAsterisk 15.x < 15.2.2 Denial of Service Vulnerability (AST-2018-006)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(110568);
      script_version("1.4");
      script_cvs_date("Date: 2019/11/04");
    
      script_cve_id("CVE-2018-7287");
    
      script_name(english:"Asterisk 15.x < 15.2.2 Denial of Service Vulnerability (AST-2018-006)");
      script_summary(english:"Checks the version in the SIP banner.");
    
      script_set_attribute(attribute:"synopsis", value:
    "A telephony application running on the remote host is affected by
    a denial of service vulnerability.");
      script_set_attribute(attribute:"description", value:
    "According to its SIP banner, the version of Asterisk running on the
    remote host is 15.x prior to 15.2.2. It is therefore, affected by
    a denial of service vulnerability as described in AST-2018-006 
    advisory.
    
    Note that Nessus has not tested for these issues but has instead
    relied only on the application's self-reported version number.");
      script_set_attribute(attribute:"see_also", value:"http://downloads.asterisk.org/pub/security/AST-2018-006.html");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Asterisk version 15.2.2 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-7287");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/02/05");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/02/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/06/15");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:digium:asterisk");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("asterisk_detection.nasl");
      script_require_keys("asterisk/sip_detected", "Settings/ParanoidReport");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    get_kb_item_or_exit("asterisk/sip_detected");
    
    asterisk_kbs = get_kb_list_or_exit("sip/asterisk/*/version");
    
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    is_vuln = FALSE;
    not_vuln_installs = make_list();
    errors = make_list();
    
    foreach kb_name (keys(asterisk_kbs))
    {
      vulnerable = 0;
    
      matches = pregmatch(pattern:"/(udp|tcp)/([0-9]+)/version", string:kb_name);
      if (isnull(matches))
      {
        errors = make_list(errors, "Unexpected error parsing port number from '"+kb_name+"'.");
        continue;
      }
    
      proto = matches[1];
      port  = matches[2];
      version = asterisk_kbs[kb_name];
    
      if (version == 'unknown')
      {
        errors = make_list(errors, "Unable to obtain version of installation on " + proto + "/" + port + ".");
        continue;
      }
    
      banner = get_kb_item("sip/asterisk/" + proto + "/" + port + "/source");
      if (!banner)
      {
        # We have version but banner is missing;
        # log error and use in version-check though.
        errors = make_list(errors, "KB item 'sip/asterisk/" + proto + "/" + port + "/source' is missing.");
        banner = 'unknown';
      }
    
      if (version =~ "^15([^0-9])" && "cert" >!< tolower(version))
      {
        fixed = "15.2.2";
        vulnerable = ver_compare(ver:version, fix:fixed, app:"asterisk");
      }
    
      if (vulnerable < 0)
      {
        is_vuln = TRUE;
        report =
            '\n  Version source    : ' + banner +
            '\n  Installed version : ' + version +
            '\n  Fixed version     : ' + fixed +
            '\n';
          security_report_v4(severity:SECURITY_WARNING, port:port, proto:proto, extra:report);
      }
      else not_vuln_installs = make_list(not_vuln_installs, version + " on port " + proto + "/" + port);
    }
    
    if (max_index(errors))
    {
      if (max_index(errors) == 1) errmsg = errors[0];
      else errmsg = 'Errors were encountered verifying installations : \n  ' + join(errors, sep:'\n  ');
    
      exit(1, errmsg);
    }
    else
    {
      installs = max_index(not_vuln_installs);
      if (installs == 0)
      {
        if (is_vuln) exit(0);
        else audit(AUDIT_NOT_INST, "Asterisk");
      }
      else audit(AUDIT_INST_VER_NOT_VULN, "Asterisk", not_vuln_installs);
    }