Asterisk Project Security Advisory - AST-2017-011

Product

Asterisk

Summary

Memory/File Descriptor/RTP leak in pjsip session resource

Nature of Advisory

Memory/File Descriptor/RTP Port leak

Susceptibility

Remote Sessions

Severity

Minor

Exploits Known

No

Reported On

October 15, 2017

Reported By

Correy Farrell

Posted On


Last Updated On

November 10, 2017

Advisory Contact

kharwell AT digium DOT com

CVE Name

CVE-2017-16672



Description

A memory leak occurs when an Asterisk pjsip session object is created and that call gets rejected before the session itself is fully established. When this happens the session object never gets destroyed. This then leads to file descriptors and RTP ports being leaked as well.


Resolution

Asterisk now releases the session object, and all associated memory (file descriptors and RTP ports) when a call gets rejected.


Affected Versions

Product

Release Series


Asterisk Open Source

13.x

13.5.0+

Asterisk Open Source

14.x

All Releases

Asterisk Open Source

15.x

All Releases

Certified Asterisk

13.13

All Releases


Corrected In

Product

Release

Asterisk Open Source

13.18.1, 14.7.1, 15.1.1

Certified Asterisk

13.13-cert7




Patches

SVN URL

Revision

http://downloads.asterisk.org/pub/security/AST-2017-011-13.diff

Asterisk 13

http://downloads.asterisk.org/pub/security/AST-2017-011-14.diff

Asterisk 14

http://downloads.asterisk.org/pub/security/AST-2017-011-15.diff

Asterisk 15

http://downloads.asterisk.org/pub/security/AST-2017-011-13.13.diff

Certified Asterisk 13.13



Links

https://issues.asterisk.org/jira/browse/ASTERISK-27345

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16672


Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2017-011.pdf and http://downloads.digium.com/pub/security/AST-2017-011.html


Revision History

Date

Editor

Revisions Made

October 19, 2017

Kevin Harwell

Initial Revision

November 8, 2017

Kevin Harwell

Updated to mention about FDs and RTP ports being leaked as well.


Asterisk Project Security Advisory - AST-2017-011
Copyright © 2017 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.