Asterisk Security Team
2018-Feb-21 21:57 UTC
[asterisk-announce] AST-2018-001: Crash when receiving unnegotiated dynamic payload
Asterisk Project Security Advisory - AST-2018-001
Product Asterisk
Summary Crash when receiving unnegotiated dynamic payload
Nature of Advisory Remote Crash
Susceptibility Remote Unauthenticated Sessions
Severity Major
Exploits Known No
Reported On December 18, 2017
Reported By S??bastien Duthil
Posted On February 21, 2018
Last Updated On February 21, 2018
Advisory Contact Joshua Colp <jcolp AT digium DOT com>
CVE Name CVE-2018-7285
Description The RTP support in Asterisk maintains its own registry of
dynamic codecs and desired payload numbers. While an SDP
negotiation may result in a codec using a different payload
number these desired ones are still stored internally. When
an RTP packet was received this registry would be consulted
if the payload number was not found in the negotiated SDP.
This registry was incorrectly consulted for all packets,
even those which are dynamic. If the payload number
resulted in a codec of a different type than the RTP stream
(for example the payload number resulted in a video codec
but the stream carried audio) a crash could occur if no
stream of that type had been negotiated. This was due to
the code incorrectly assuming that a stream of the type
would always exist.
Resolution The RTP support will now only consult the registry for
payloads which are statically defined. The core has also
been changed to protect against situations where a frame of
media is received for a media type that has not been
negotiated.
To receive these fixes update to the given version of
Asterisk or apply the provided patch. There is no
configuration which can protect against this vulnerability.
Affected Versions
Product Release Series
Asterisk Open Source 13.x Unaffected
Asterisk Open Source 14.x Unaffected
Asterisk Open Source 15.x All versions
Certified Asterisk 13.18 Unaffected
Corrected In
Product Release
Asterisk Open Source 15.2.2
Patches
SVN URL Revision
http://downloads.asterisk.org/pub/security/AST-2018-001-15.diff Asterisk
15
Links https://issues.asterisk.org/jira/browse/ASTERISK-27488
Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security
This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2018-001.pdf and
http://downloads.digium.com/pub/security/AST-2018-001.html
Revision History
Date Editor Revisions Made
January 15, 2018 Joshua Colp Initial Revision
February 21, 2018 Joshua Colp Added CVE
Asterisk Project Security Advisory - AST-2018-001
Copyright ?? 2018 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
Maybe Matching Threads
- Asterisk 13.19.2, 14.7.6, 15.2.2 and 13.18-cert3 Now Available (Security)
- AST-2018-004: Crash when receiving SUBSCRIBE request
- Asterisk 15.3.0 Now Available
- AST-2018-006: WebSocket frames with 0 sized payload causes DoS
- AST-2018-002: Crash when given an invalid SDP media format description
Wisdom of the Ancients
