CVE-2017-14099

02.09.2017, 16:29

In res/res_rtp_asterisk.c in Asterisk 11.x before 11.25.2, 13.x before 13.17.1, and 14.x before 14.6.1 and Certified Asterisk 11.x before 11.6-cert17 and 13.x before 13.13-cert5, unauthorized data disclosure (media takeover in the RTP stack) is possible with careful timing by an attacker. The "strictrtp" option in rtp.conf enables a feature of the RTP stack that learns the source address of media for a session and drops any packets that do not originate from the expected address. This option is enabled by default in Asterisk 11 and above. The "nat" and "rtp_symmetric" options (for chan_sip and chan_pjsip, respectively) enable symmetric RTP support in the RTP stack. This uses the source address of incoming media as the target address of any sent media. This option is not enabled by default, but is commonly enabled to handle devices behind NAT. A change was made to the strict RTP support in the RTP stack to better tolerate late media when a reinvite occurs. When combined with the symmetric RTP support, this introduced an avenue where media could be hijacked. Instead of only learning a new address when expected, the new code allowed a new source address to be learned at all times. If a flood of RTP traffic was received, the strict RTP support would allow the new address to provide media, and (with symmetric RTP enabled) outgoing traffic would be sent to this new address, allowing the media to be hijacked. Provided the attacker continued to send traffic, they would continue to receive traffic as well.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
mitre	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 57%

Vendor	Product	Version
digium	asterisk	13.0.0
digium	asterisk	13.0.0:beta1
digium	asterisk	13.0.0:beta2
digium	asterisk	13.0.0:beta3
digium	asterisk	13.0.1
digium	asterisk	13.0.2
digium	asterisk	13.1.0
digium	asterisk	13.1.0:rc1
digium	asterisk	13.1.0:rc2
digium	asterisk	13.1.1
digium	asterisk	13.2.0
digium	asterisk	13.2.0:rc1
digium	asterisk	13.2.1
digium	asterisk	13.3.0:rc1
digium	asterisk	13.3.2
digium	asterisk	13.4.0
digium	asterisk	13.4.0:rc1
digium	asterisk	13.5.0
digium	asterisk	13.5.0:rc1
digium	asterisk	13.6.0:rc1
digium	asterisk	13.7.0:rc1
digium	asterisk	13.7.0:rc2
digium	asterisk	13.7.1
digium	asterisk	13.7.2
digium	asterisk	13.8.0
digium	asterisk	13.8.0:rc1
digium	asterisk	13.8.1
digium	asterisk	13.8.2
digium	asterisk	13.9.0
digium	asterisk	13.9.1
digium	asterisk	13.10.0
digium	asterisk	13.10.0:rc1
digium	asterisk	13.11.0
digium	asterisk	13.11.1
digium	asterisk	13.11.2
digium	asterisk	13.12
digium	asterisk	13.12.0
digium	asterisk	13.12.1
digium	asterisk	13.12.2
digium	asterisk	13.13
digium	asterisk	13.13.0
digium	asterisk	13.13.1
digium	asterisk	13.14.0
digium	asterisk	13.14.0:rc1
digium	asterisk	13.14.0:rc2
digium	asterisk	13.14.1
digium	asterisk	13.15.0
digium	asterisk	13.15.0:rc1
digium	asterisk	13.15.0:rc2
digium	asterisk	13.15.0:rc3
digium	asterisk	13.15.1
digium	asterisk	13.16.0
digium	asterisk	13.16.0:rc1
digium	asterisk	13.16.0:rc2
digium	asterisk	13.17.0
digium	asterisk	13.17.0:rc1
digium	asterisk	14.0
digium	asterisk	14.0.0
digium	asterisk	14.0.0:beta1
digium	asterisk	14.0.0:beta2
digium	asterisk	14.0.0:rc1
digium	asterisk	14.0.0:rc2
digium	asterisk	14.0.1
digium	asterisk	14.0.2
digium	asterisk	14.1
digium	asterisk	14.01
digium	asterisk	14.1.0
digium	asterisk	14.1.1
digium	asterisk	14.1.2
digium	asterisk	14.02
digium	asterisk	14.2
digium	asterisk	14.2.0
digium	asterisk	14.2.1
digium	asterisk	14.3.0
digium	asterisk	14.3.0:rc1
digium	asterisk	14.3.0:rc2
digium	asterisk	14.3.1
digium	asterisk	14.4.0
digium	asterisk	14.4.0:rc1
digium	asterisk	14.4.0:rc2
digium	asterisk	14.4.0:rc3
digium	asterisk	14.4.1
digium	asterisk	14.5.0
digium	asterisk	14.5.0:rc1
digium	asterisk	14.5.0:rc2
digium	asterisk	14.6.0
digium	asterisk	14.6.0:rc1
digium	asterisk	11.0.0
digium	asterisk	11.0.0:beta1
digium	asterisk	11.0.0:beta2
digium	asterisk	11.0.0:rc1
digium	asterisk	11.0.0:rc2
digium	asterisk	11.0.1
digium	asterisk	11.0.2
digium	asterisk	11.1.0
digium	asterisk	11.1.0:rc1
digium	asterisk	11.1.0:rc2
digium	asterisk	11.1.0:rc3
digium	asterisk	11.1.1
digium	asterisk	11.1.2
digium	asterisk	11.2.0:rc1
digium	asterisk	11.2.1
digium	asterisk	11.2.2
digium	asterisk	11.4.0:rc4
digium	asterisk	11.6.0
digium	asterisk	11.6.0:rc1
digium	asterisk	11.6.0:rc2
digium	asterisk	11.6.1
digium	asterisk	11.7.0
digium	asterisk	11.7.0:rc1
digium	asterisk	11.7.0:rc2
digium	asterisk	11.8.0
digium	asterisk	11.8.0:rc1
digium	asterisk	11.8.0:rc2
digium	asterisk	11.8.0:rc3
digium	asterisk	11.8.1
digium	asterisk	11.9.0
digium	asterisk	11.9.0:rc1
digium	asterisk	11.9.0:rc2
digium	asterisk	11.9.0:rc3
digium	asterisk	11.10.0
digium	asterisk	11.10.0:rc1
digium	asterisk	11.10.1
digium	asterisk	11.10.1:rc1
digium	asterisk	11.10.2
digium	asterisk	11.11.0
digium	asterisk	11.11.0:rc1
digium	asterisk	11.12.0
digium	asterisk	11.12.0:rc1
digium	asterisk	11.12.1
digium	asterisk	11.13.0
digium	asterisk	11.13.0:rc1
digium	asterisk	11.13.1
digium	asterisk	11.14.0
digium	asterisk	11.14.0:rc1
digium	asterisk	11.14.0:rc2
digium	asterisk	11.14.1
digium	asterisk	11.14.2
digium	asterisk	11.15.0:rc1
digium	asterisk	11.15.0:rc2
digium	asterisk	11.15.1
digium	asterisk	11.16.0:rc1
digium	asterisk	11.17.0:rc1
digium	asterisk	11.17.1
digium	asterisk	11.18.0
digium	asterisk	11.18.0:rc1
digium	asterisk	11.19.0:rc1
digium	asterisk	11.20.0:rc1
digium	asterisk	11.21.0:rc1
digium	asterisk	11.21.0:rc2
digium	asterisk	11.21.1
digium	asterisk	11.21.2
digium	asterisk	11.22.0
digium	asterisk	11.22.0:rc1
digium	asterisk	11.23.0
digium	asterisk	11.23.0:rc1
digium	asterisk	11.23.1
digium	asterisk	11.24.0
digium	asterisk	11.24.1
digium	asterisk	11.25.0
digium	asterisk	11.25.1
digium	certified_asterisk	11.6:cert1
digium	certified_asterisk	11.6:cert1_rc1
digium	certified_asterisk	11.6:cert1_rc2
digium	certified_asterisk	11.6:cert10
digium	certified_asterisk	11.6:cert11
digium	certified_asterisk	11.6:cert12
digium	certified_asterisk	11.6:cert13
digium	certified_asterisk	11.6:cert14
digium	certified_asterisk	11.6:cert14_rc1
digium	certified_asterisk	11.6:cert14_rc2
digium	certified_asterisk	11.6:cert15
digium	certified_asterisk	11.6:cert16
digium	certified_asterisk	11.6:cert2
digium	certified_asterisk	11.6:cert3
digium	certified_asterisk	11.6:cert4
digium	certified_asterisk	11.6:cert5
digium	certified_asterisk	11.6:cert6
digium	certified_asterisk	11.6:cert7
digium	certified_asterisk	11.6:cert8
digium	certified_asterisk	11.6:cert9
digium	certified_asterisk	13.13:cert1
digium	certified_asterisk	13.13:cert1_rc1
digium	certified_asterisk	13.13:cert1_rc2
digium	certified_asterisk	13.13:cert1_rc3
digium	certified_asterisk	13.13:cert1_rc4
digium	certified_asterisk	13.13:cert2
digium	certified_asterisk	13.13:cert3
digium	certified_asterisk	13.13:cert4

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

asterisk

bullseye	1:16.28.0~dfsg-0+deb11u4 fixed
wheezy	ignored
bullseye (security)	1:16.28.0~dfsg-0+deb11u5 fixed
sid	1:22.0.0~dfsg+~cs6.14.60671435-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

asterisk

noble	not-affected
mantic	not-affected
lunar	not-affected
kinetic	not-affected
jammy	not-affected
impish	not-affected
hirsute	not-affected
groovy	not-affected
focal	not-affected
eoan	not-affected
disco	not-affected
cosmic	not-affected
bionic	not-affected
artful	not-affected
zesty	ignored
xenial	needed
trusty	dne

Common Weakness Enumeration

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References

http://downloads.asterisk.org/pub/security/AST-2017-005.html

http://www.debian.org/security/2017/dsa-3964

http://www.securitytracker.com/id/1039251

https://bugs.debian.org/873907

https://issues.asterisk.org/jira/browse/ASTERISK-27013

https://rtpbleed.com