CVE-2018-19278

Summary

CVE	CVE-2018-19278
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2018-11-14 20:29:00 UTC
Updated	2018-12-30 00:35:00 UTC
Description	Buffer overflow in DNS SRV and NAPTR lookups in Digium Asterisk 15.x before 15.6.2 and 16.x before 16.0.1 allows remote attackers to crash Asterisk via a specially crafted DNS SRV or NAPTR response, because a buffer size is supposed to match an expanded length but actually matches a compressed length.

Risk And Classification

Problem Types: CWE-119

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Digium	Asterisk	15.0.0	All	All	All
Application	Digium	Asterisk	15.0.0	b1	All	All
Application	Digium	Asterisk	15.0.0	rc1	All	All
Application	Digium	Asterisk	15.1.0	All	All	All
Application	Digium	Asterisk	15.1.0	rc1	All	All
Application	Digium	Asterisk	15.1.0	rc2	All	All
Application	Digium	Asterisk	15.1.2	All	All	All
Application	Digium	Asterisk	15.1.3	All	All	All
Application	Digium	Asterisk	15.1.4	All	All	All
Application	Digium	Asterisk	15.1.5	All	All	All
Application	Digium	Asterisk	15.2.0	rc1	All	All
Application	Digium	Asterisk	15.2.0	rc2	All	All
Application	Digium	Asterisk	15.2.1	All	All	All
Application	Digium	Asterisk	15.2.2	All	All	All
Application	Digium	Asterisk	15.3.0	All	All	All
Application	Digium	Asterisk	15.3.0	rc1	All	All
Application	Digium	Asterisk	15.3.0	rc2	All	All
Application	Digium	Asterisk	15.4.0	All	All	All
Application	Digium	Asterisk	15.4.0	rc1	All	All
Application	Digium	Asterisk	15.4.0	rc2	All	All
Application	Digium	Asterisk	15.4.1	All	All	All
Application	Digium	Asterisk	15.5.0	All	All	All
Application	Digium	Asterisk	15.5.0	rc1	All	All
Application	Digium	Asterisk	15.6.0	All	All	All
Application	Digium	Asterisk	15.6.0	rc1	All	All
Application	Digium	Asterisk	15.6.1	All	All	All
Application	Digium	Asterisk	16.0.0	All	All	All
Application	Digium	Asterisk	16.0.0	rc2	All	All
Application	Digium	Asterisk	16.0.0	rc3	All	All
Application	Digium	Asterisk	16.0.1	rc1	All	All
Application	Digium	Asterisk	15.0.0	All	All	All
Application	Digium	Asterisk	15.0.0	b1	All	All
Application	Digium	Asterisk	15.0.0	rc1	All	All
Application	Digium	Asterisk	15.1.0	All	All	All
Application	Digium	Asterisk	15.1.0	rc1	All	All
Application	Digium	Asterisk	15.1.0	rc2	All	All
Application	Digium	Asterisk	15.1.2	All	All	All
Application	Digium	Asterisk	15.1.3	All	All	All
Application	Digium	Asterisk	15.1.4	All	All	All
Application	Digium	Asterisk	15.1.5	All	All	All
Application	Digium	Asterisk	15.2.0	rc1	All	All
Application	Digium	Asterisk	15.2.0	rc2	All	All
Application	Digium	Asterisk	15.2.1	All	All	All
Application	Digium	Asterisk	15.2.2	All	All	All
Application	Digium	Asterisk	15.3.0	All	All	All
Application	Digium	Asterisk	15.3.0	rc1	All	All
Application	Digium	Asterisk	15.3.0	rc2	All	All
Application	Digium	Asterisk	15.4.0	All	All	All
Application	Digium	Asterisk	15.4.0	rc1	All	All
Application	Digium	Asterisk	15.4.0	rc2	All	All
Application	Digium	Asterisk	15.4.1	All	All	All
Application	Digium	Asterisk	15.5.0	All	All	All
Application	Digium	Asterisk	15.5.0	rc1	All	All
Application	Digium	Asterisk	15.6.0	All	All	All
Application	Digium	Asterisk	15.6.0	rc1	All	All
Application	Digium	Asterisk	15.6.1	All	All	All
Application	Digium	Asterisk	16.0.0	All	All	All
Application	Digium	Asterisk	16.0.0	rc2	All	All
Application	Digium	Asterisk	16.0.0	rc3	All	All
Application	Digium	Asterisk	16.0.1	rc1	All	All

References

Reference	Source	Link	Tags
AST-2018-010	MISC	downloads.asterisk.org	Patch, Vendor Advisory
[ASTERISK-28127] Buffer overflow for DNS SRV/NAPTR records - Digium/Asterisk JIRA	MISC	issues.asterisk.org	Exploit, Vendor Advisory
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

500032 Alpine Linux Security Update for asterisk
503720 Alpine Linux Security Update for asterisk