CVE-2021-37706

PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In affected versions if the incoming STUN message contains an ERROR-CODE attribute, the header length is not checked before performing a subtraction operation, potentially resulting in an integer underflow scenario. This issue affects all users that use STUN. A malicious actor located within the victims network may forge and send a specially crafted UDP (STUN) message that could remotely execute arbitrary code on the victims machine. Users are advised to upgrade as soon as possible. There are no known workarounds.
Wrap or Wraparound
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.3 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
GitHub_MCNA
7.3 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 30%
VendorProductVersion
teluupjsip
𝑥
≤ 2.11.1
asteriskcertified_asterisk
𝑥
< 16.8.0
asteriskcertified_asterisk
16.8.0
asteriskcertified_asterisk
16.8.0:cert1
asteriskcertified_asterisk
16.8.0:cert10
asteriskcertified_asterisk
16.8.0:cert11
asteriskcertified_asterisk
16.8.0:cert12
asteriskcertified_asterisk
16.8.0:cert2
asteriskcertified_asterisk
16.8.0:cert3
asteriskcertified_asterisk
16.8.0:cert4
asteriskcertified_asterisk
16.8.0:cert5
asteriskcertified_asterisk
16.8.0:cert6
asteriskcertified_asterisk
16.8.0:cert7
asteriskcertified_asterisk
16.8.0:cert8
asteriskcertified_asterisk
16.8.0:cert9
sangomaasterisk
16.0.0 ≤
𝑥
< 16.24.1
sangomaasterisk
18.0.0 ≤
𝑥
< 18.10.1
sangomaasterisk
19.0.0 ≤
𝑥
< 19.2.1
debiandebian_linux
9.0
debiandebian_linux
10.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
asterisk
bullseye
1:16.28.0~dfsg-0+deb11u4
fixed
stretch
not-affected
bullseye (security)
1:16.28.0~dfsg-0+deb11u5
fixed
sid
1:22.0.0~dfsg+~cs6.14.60671435-1
fixed
ring
bullseye
vulnerable
stretch
not-affected
bullseye (security)
20210112.2.b757bac~ds1-1+deb11u1
fixed
bookworm
20230206.0~ds2-1.1
fixed
sid
20231201.0~ds1-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
pjproject
bionic
needs-triage
xenial
needs-triage
trusty
ignored
ring
noble
dne
mantic
Fixed 20230206.0~ds2-1.3ubuntu0.1
released
lunar
Fixed 20230206.0~ds1-5ubuntu0.1
released
impish
ignored
focal
Fixed 20190215.1.f152c98~ds1-1+deb10u2build0.20.04.1
released
bionic
Fixed 20180228.1.503da2b~ds1-1ubuntu0.1~esm1
released
xenial
ignored
trusty
ignored
Common Weakness Enumeration
References
http://packetstormsecurity.com/files/166225/Asterisk-Project-Security-Advisory-AST-2022-004.html
http://seclists.org/fulldisclosure/2022/Mar/0
https://github.com/pjsip/pjproject/commit/15663e3f37091069b8c98a7fce680dc04bc8e865
https://github.com/pjsip/pjproject/security/advisories/GHSA-2qpg-f6wf-w984
https://lists.debian.org/debian-lts-announce/2022/03/msg00035.html
https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html
https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html
https://security.gentoo.org/glsa/202210-37
https://www.debian.org/security/2022/dsa-5285
http://packetstormsecurity.com/files/166225/Asterisk-Project-Security-Advisory-AST-2022-004.html
http://seclists.org/fulldisclosure/2022/Mar/0
https://github.com/pjsip/pjproject/commit/15663e3f37091069b8c98a7fce680dc04bc8e865
https://github.com/pjsip/pjproject/security/advisories/GHSA-2qpg-f6wf-w984
https://lists.debian.org/debian-lts-announce/2022/03/msg00035.html
https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html
https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html
https://security.gentoo.org/glsa/202210-37
https://www.debian.org/security/2022/dsa-5285