Asterisk Security Team
2016-Sep-08 20:52 UTC
[asterisk-announce] AST-2016-007: RTP Resource Exhaustion
Asterisk Project Security Advisory - AST-2016-007 Product Asterisk Summary RTP Resource Exhaustion Nature of Advisory Denial of Service Susceptibility Remote Authenticated Sessions Severity Moderate Exploits Known No Reported On August 5, 2016 Reported By Etienne Lessard Posted On Last Updated On September 8, 2016 Advisory Contact Joshua Colp <jcolp AT digium DOT com> CVE Name Description The overlap dialing feature in chan_sip allows chan_sip to report to a device that the number that has been dialed is incomplete and more digits are required. If this functionality is used with a device that has performed username/password authentication RTP resources are leaked. This occurs because the code fails to release the old RTP resources before allocating new ones in this scenario. If all resources are used then RTP port exhaustion will occur and no RTP sessions are able to be set up. Resolution If overlap dialing support is not needed the ???allowoverlap??? option can be set to no. This will stop any usage of the scenario which causes the resource exhaustion. If overlap dialing support is needed a change has been made so that existing RTP resources are destroyed in this scenario before allocating new resources. Affected Versions Product Release Series Asterisk Open Source 11.x All Versions Asterisk Open Source 13.x All Versions Certified Asterisk 11.6 All Versions Certified Asterisk 13.8 All Versions Corrected In Product Release Asterisk Open Source 11.23.1, 13.11.1 Certified Asterisk 11.6-cert15, 13.8-cert3 Patches SVN URL Revision Links https://issues.asterisk.org/jira/browse/ASTERISK-26272 Asterisk Project Security Advisories are posted at http://www.asterisk.org/security This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2016-007.pdf and http://downloads.digium.com/pub/security/AST-2016-007.html Revision History Date Editor Revisions Made August 23, 2016 Joshua Colp Initial creation Asterisk Project Security Advisory - AST-2016-007 Copyright ?? 2016 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.
Reasonably Related Threads
- AST-2014-007: Exhaustion of Allowed Concurrent HTTP Connections
- AST-2014-007: Exhaustion of Allowed Concurrent HTTP Connections
- AST-2016-002: File descriptor exhaustion in chan_sip
- AST-2016-007: UPDATE
- Upgrading to Asterisk 13 - Strange Music On Hold Issue - Banging my head on this one