CVE-2017-17090 in Asterisk
Summary
by MITRE
An issue was discovered in chan_skinny.c in Asterisk Open Source 13.18.2 and older, 14.7.2 and older, and 15.1.2 and older, and Certified Asterisk 13.13-cert7 and older. If the chan_skinny (aka SCCP protocol) channel driver is flooded with certain requests, it can cause the asterisk process to use excessive amounts of virtual memory, eventually causing asterisk to stop processing requests of any kind.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 03/24/2025
The vulnerability identified as CVE-2017-17090 represents a critical resource exhaustion flaw within the Asterisk Open Source telephony platform that affects multiple version branches including 13.x, 14.x, and 15.x releases. This issue specifically impacts the chan_skinny channel driver which implements the Skinny Client Control Protocol, a proprietary protocol developed by Cisco for communication between Cisco IP phones and call managers. The vulnerability manifests when the system receives an excessive volume of malformed or specially crafted requests that exploit a weakness in how the protocol handler processes incoming data, leading to uncontrolled memory consumption patterns that ultimately result in system failure.
The technical exploitation of this vulnerability occurs through a memory allocation flaw that allows attackers to send carefully constructed requests to the SCCP channel driver, causing the asterisk process to continuously allocate virtual memory without proper bounds checking or resource limits. This type of vulnerability maps directly to CWE-400, which specifically addresses "Uncontrolled Resource Consumption" or "Resource Exhaustion" conditions in software systems. The flaw essentially creates a denial of service scenario where legitimate system resources become consumed by malicious or malformed requests, leaving the telephony system unable to process any further legitimate calls or management operations.
The operational impact of this vulnerability extends beyond simple service disruption to encompass complete system paralysis of telephony infrastructure that relies on Asterisk for call handling and management. Organizations using affected versions of Asterisk that have SCCP protocol enabled become vulnerable to attacks that can bring their entire communication infrastructure to a halt, potentially affecting business operations, emergency services, and critical communication pathways. The vulnerability is particularly dangerous in enterprise environments where Asterisk serves as a core component of voice communication systems, as it can be exploited by remote attackers without authentication requirements to cause significant operational disruption.
Mitigation strategies for CVE-2017-17090 should prioritize immediate version upgrades to patched releases of Asterisk that contain fixes for the memory handling issues within the chan_skinny driver. Organizations should also implement network-level controls such as firewall rules and access control lists to restrict access to SCCP protocol ports, typically TCP 2000 and UDP 2000, thereby reducing the attack surface. Additionally, system administrators should consider implementing monitoring solutions that can detect unusual memory consumption patterns and establish automated alerts when resource usage exceeds normal operational thresholds. The ATT&CK framework categorizes this vulnerability under the T1499 sub-technique for "Network Denial of Service" as it exploits network protocol weaknesses to consume system resources and prevent legitimate service delivery.