Asterisk Security Team
2018-Feb-21 21:57 UTC
[asterisk-announce] AST-2018-001: Crash when receiving unnegotiated dynamic payload
Asterisk Project Security Advisory - AST-2018-001 Product Asterisk Summary Crash when receiving unnegotiated dynamic payload Nature of Advisory Remote Crash Susceptibility Remote Unauthenticated Sessions Severity Major Exploits Known No Reported On December 18, 2017 Reported By S??bastien Duthil Posted On February 21, 2018 Last Updated On February 21, 2018 Advisory Contact Joshua Colp <jcolp AT digium DOT com> CVE Name CVE-2018-7285 Description The RTP support in Asterisk maintains its own registry of dynamic codecs and desired payload numbers. While an SDP negotiation may result in a codec using a different payload number these desired ones are still stored internally. When an RTP packet was received this registry would be consulted if the payload number was not found in the negotiated SDP. This registry was incorrectly consulted for all packets, even those which are dynamic. If the payload number resulted in a codec of a different type than the RTP stream (for example the payload number resulted in a video codec but the stream carried audio) a crash could occur if no stream of that type had been negotiated. This was due to the code incorrectly assuming that a stream of the type would always exist. Resolution The RTP support will now only consult the registry for payloads which are statically defined. The core has also been changed to protect against situations where a frame of media is received for a media type that has not been negotiated. To receive these fixes update to the given version of Asterisk or apply the provided patch. There is no configuration which can protect against this vulnerability. Affected Versions Product Release Series Asterisk Open Source 13.x Unaffected Asterisk Open Source 14.x Unaffected Asterisk Open Source 15.x All versions Certified Asterisk 13.18 Unaffected Corrected In Product Release Asterisk Open Source 15.2.2 Patches SVN URL Revision http://downloads.asterisk.org/pub/security/AST-2018-001-15.diff Asterisk 15 Links https://issues.asterisk.org/jira/browse/ASTERISK-27488 Asterisk Project Security Advisories are posted at http://www.asterisk.org/security This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2018-001.pdf and http://downloads.digium.com/pub/security/AST-2018-001.html Revision History Date Editor Revisions Made January 15, 2018 Joshua Colp Initial Revision February 21, 2018 Joshua Colp Added CVE Asterisk Project Security Advisory - AST-2018-001 Copyright ?? 2018 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.
Apparently Analagous Threads
- Asterisk 13.19.2, 14.7.6, 15.2.2 and 13.18-cert3 Now Available (Security)
- AST-2018-004: Crash when receiving SUBSCRIBE request
- Asterisk 15.3.0 Now Available
- AST-2018-006: WebSocket frames with 0 sized payload causes DoS
- AST-2018-002: Crash when given an invalid SDP media format description