Asterisk Project Security Advisory - AST-2021-003

Product: Asterisk

Summary: Remote attacker could prematurely tear down SRTP calls

Nature of Advisory: Denial of Service

Susceptibility: Remote unauthenticated sessions

Severity: Moderate

Exploits Known: No

Reported On: January 22, 2021

Reported By: Alexander Traud

Posted On:

Last Updated On: February 18, 2021

Advisory Contact: gjoseph AT sangoma DOT com

CVE Name: CVE-2021-26712



Description

An unauthenticated remote attacker could replay SRTP packets, which could cause an Asterisk instance configured without strict RTP validation to tear down calls prematurely.

Modules Affected

res_srtp.c, res_rtp_asterisk.c


Resolution

Asterisk now implements SRTP replay protection, controlled by the “srtpreplayprotection” option in rtp.conf. The default is “yes”.
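To show what receiver-side SRTP replay protection actually checks, here is an added educational model of the RFC 3711 index estimation (section 3.3.1) and sliding-window replay list (section 3.3.2); it is not Asterisk's or libsrtp's code, and the window size and packet sequence are constructed for the example.

```python
# Added educational model of RFC 3711 receiver-side replay protection:
# index estimation (sec. 3.3.1) plus a sliding-window replay list (sec. 3.3.2).
WINDOW_SIZE = 64  # assumption: packets older than this are rejected outright

class SrtpReplayState:
    """Per-stream receiver state: rollover counter, highest SEQ, replay bitmap."""

    def __init__(self, window_size=WINDOW_SIZE):
        self.roc = 0           # rollover counter (ROC) of the highest index seen
        self.s_l = -1          # highest 16-bit RTP SEQ authenticated so far
        self.last_index = -1   # highest 48-bit packet index accepted
        self.bitmap = 0        # bit i set => index (last_index - i) already seen
        self.window_size = window_size

    def estimate_index(self, seq):
        """RFC 3711 3.3.1: derive the 48-bit index i = 2^16 * v + SEQ."""
        if self.s_l < 0:
            return self.roc, (self.roc << 16) | seq
        if self.s_l < 32768:   # ROC-1 below zero gives a negative index, rejected as too old
            v = self.roc - 1 if seq - self.s_l > 32768 else self.roc
        else:
            v = self.roc + 1 if self.s_l - 32768 > seq else self.roc
        return v, (v << 16) | seq

    def check(self, seq):
        """Accept (True) a fresh packet and record it; reject (False) a replay."""
        v, index = self.estimate_index(seq)
        if index > self.last_index:            # newer than anything seen: slide window
            shift = index - self.last_index
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window_size) - 1)
            self.last_index = index
            if v != self.roc:                  # SEQ wrapped: advance ROC
                self.roc, self.s_l = v, seq
            elif seq > self.s_l:
                self.s_l = seq
            return True
        diff = self.last_index - index
        if diff >= self.window_size:           # too old to track: treat as replay
            return False
        if self.bitmap & (1 << diff):          # already seen: replay
            return False
        self.bitmap |= 1 << diff               # late but fresh reordered packet
        return True

def replay_demo():
    """Constructed SEQ stream: in-order, one reordered, two replays, then fresh."""
    state = SrtpReplayState()
    return [state.check(seq) for seq in (1, 2, 3, 5, 4, 3, 5, 6)]
```

With replay protection disabled, the two replayed packets (the second 3 and second 5) would be handed to the RTP engine like any other packet; with it enabled they are dropped before they can affect the call.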


Affected Versions

Product                 Release Series   Release
Asterisk Open Source    13.x             13.38.1
Asterisk Open Source    16.x             16.16.0
Asterisk Open Source    17.x             17.9.1
Asterisk Open Source    18.x             18.2.0
Certified Asterisk      16.x             16.8-cert5


Corrected In

Product                 Release
Asterisk Open Source    13.38.2, 16.16.1, 17.9.2, 18.2.1
Certified Asterisk      16.8-cert6




Patches

Patch URL                                                            Revision
https://downloads.asterisk.org/pub/security/AST-2021-003-13.diff     13.38.2
https://downloads.asterisk.org/pub/security/AST-2021-003-16.diff     16.16.1
https://downloads.asterisk.org/pub/security/AST-2021-003-17.diff     17.9.2
https://downloads.asterisk.org/pub/security/AST-2021-003-18.diff     18.2.1
https://downloads.asterisk.org/pub/security/AST-2021-003-16.8.diff   Certified Asterisk 16.8-cert6



Links

https://issues.asterisk.org/jira/browse/ASTERISK-29260

https://downloads.asterisk.org/pub/security/AST-2021-003.html


Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version will be posted at https://downloads.digium.com/pub/security/AST-2021-003.pdf and https://downloads.digium.com/pub/security/AST-2021-003.html


Revision History

Date                Editor           Revisions Made
February 4, 2021    George Joseph    Initial
February 5, 2021    George Joseph    Added CVE ID


Copyright © 2021 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.