Asterisk Security Team
2021-Feb-18 17:37 UTC
[asterisk-announce] AST-2021-004: An unsuspecting user could crash Asterisk with multiple hold/unhold requests
Asterisk Project Security Advisory - AST-2021-004 Product Asterisk Summary An unsuspecting user could crash Asterisk with multiple hold/unhold requests Nature of Advisory Denial of Service Susceptibility Remote authenticated sessions Severity Moderate Exploits Known No Reported On December 9, 2020 Reported By Edvin Vidmar Posted On Last Updated On February 11, 2021 Advisory Contact gjoseph AT sangoma DOT com CVE Name CVE-2021-26714 Description Due to a signedness comparison mismatch, an authenticated WebRTC client could cause a stack overflow and Asterisk crash by sending multiple hold/unhold requests in quick succession. Modules Affected res_rtp_asterisk.c Resolution The packet size comparison terms have been corrected. Affected Versions Product Release Series Asterisk Open Source 16.x 16.16.0 Asterisk Open Source 17.x 17.9.1 Asterisk Open Source 18.x 18.2.0 Certified Asterisk 16.x 16.8-cert5 Corrected In Product Release Asterisk Open Source 16.16.1, 17.9.2, 18.2.1 Certified Asterisk 16.8-cert6 Patches Patch URL Revision https:/downloads.asterisk.org/pub/security/AST-2021-004-16.diff Asterisk 16 https:/downloads.asterisk.org/pub/security/AST-2021-004-17.diff Asterisk 17 https:/downloads.asterisk.org/pub/security/AST-2021-004-18.diff Asterisk 18 https:/downloads.asterisk.org/pub/security/AST-2021-004-16.8.diff Certified Asterisk 16.8-cert6 Links https://issues.asterisk.org/jira/browse/ASTERISK-29205 https://downloads.asterisk.org/pub/security/AST-2021-004.html Asterisk Project Security Advisories are posted at http://www.asterisk.org/security This document may be superseded by later versions; if so, the latest version will be posted at https://downloads.digium.com/pub/security/AST-2021-004.pdf and https://downloads.digium.com/pub/security/AST-2021-004.html Revision History Date Editor Revisions Made February 4, 2021 George Joseph Initial revision February 9, 2021 George Joseph Added CVE Asterisk Project Security Advisory - AST-2021-004 Copyright © 2021 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.