Asterisk VoIP Bug Alert

Asterisk bugs have disclosed three vulnerabilities – two moderate and one critical.

18:00 06 September 2017

The worst of the three is a bug in the Realtime Transport Protocol (RTP) stack that exposes a system to information disclosure. The cause of the issue is a change to the system’s strict RTP implementation, designed to handle network issues more smoothly.

 

When packets go missing, the recipient issues a re-invite, forcing the system to work with packets out of order. A situation was found where media could be hijacked.

 

“If a flood of RTP traffic was received the strict RTP support would allow the new address to provide media and with symmetric RTP enabled outgoing traffic would be sent to this new address, allowing the media to be hijacked. Provided the attacker continued to send traffic they would continue to receive traffic as well.”

 

The other two moderate vulnerabilities are in the app-minivm “mini voicemail” module and the res_pjisp module in Asterisk’s Session Initiation Protocol (SIP) functions.

 

A crafted Uniform Resource Identifier (URI) in the From, To, or Contact fields can crash Asterisk Open Source 13.15.0 or 14.4.0; it's patched in version 13.17.1 or 14.6.1