Admins of the popular IP telephony application Asterisk have a lovely end to the week ahead of them - there are two moderate vulnerabilities, and one critical mess, that need patches.
The worst of the three is this one: a bug in the Realtime Transport Protocol (RTP) stack that exposes a system to information disclosure.
The problem came about as a result of a change to the system's strict RTP implementation, designed to handle network issues more smoothly.
When packets go missing, the recipient issues a re-invite, so the system has to work with packets out of order. This has dependencies on various components of the RTP stack:
- strictrtp, which “learns the source address of media for a session and drops any packets that do not originate from the expected address”;
- NAT and symmetrical RTP support, used to handle devices (like IP phones) behind network address translation (NAT) firewalls.
The maintainers found a situation where media could be hijacked:
“If a flood of RTP traffic was received the strict RTP support would allow the new address to provide media and with symmetric RTP enabled outgoing traffic would be sent to this new address, allowing the media to be hijacked. Provided the attacker continued to send traffic they would continue to receive traffic as well”.
Present in Asterisk Open Source 11.x, 13.x and 14.x, and Certified Asterisk 11.6 and 13.3 versions, patches are available for all vulnerable systems.
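As an added illustration (not Asterisk's code, and not its patch), here is a small model of the failure mode the maintainers describe: a strict-RTP learner that, once locked onto a source, refuses to switch to another address just because a burst of packets arrives from it, and that raises an alert when such a burst shows up. Re-learning is allowed only after a signalled re-INVITE. Packet records, addresses (RFC 5737 test ranges) and the burst threshold are all constructed for the example.

```python
"""Strict-RTP source tracking that does not re-learn on a traffic burst.

Added example, not Asterisk code. Once a session has learned its media
source, packets from another address are dropped, counted and alerted on;
the learned address changes only after a signalled re-INVITE. Packet
records and addresses below are constructed (RFC 5737 test ranges).
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Packet:
    t: float    # seconds since the call started
    src: str    # "ip:port" the packet arrived from
    ssrc: int   # RTP synchronisation source identifier


@dataclass
class SessionMonitor:
    """Tracks the learned media source for one RTP session."""
    burst_threshold: int = 20              # constructed value for the example
    learned_src: Optional[str] = None
    relearn_allowed: bool = False          # set only by signalling, never by media
    alerts: List[str] = field(default_factory=list)
    foreign: Counter = field(default_factory=Counter)

    def on_reinvite(self) -> None:
        """Signalling (a re-INVITE) is the only event that permits re-learning."""
        self.relearn_allowed = True

    def on_packet(self, pkt: Packet) -> bool:
        """Return True if the packet is accepted as session media."""
        if self.learned_src is None or self.relearn_allowed:
            self.learned_src = pkt.src
            self.relearn_allowed = False
            self.foreign.clear()
            return True
        if pkt.src == self.learned_src:
            return True
        # Unexpected source: drop the packet, but keep count so a flood
        # from one address becomes visible instead of silently winning.
        self.foreign[pkt.src] += 1
        if self.foreign[pkt.src] == self.burst_threshold:
            self.alerts.append(
                f"t={pkt.t:.2f}s: {self.burst_threshold} RTP packets from "
                f"unexpected source {pkt.src} (learned {self.learned_src})"
            )
        return False


def replay(packets: List[Packet],
           reinvite_at: Optional[float] = None) -> Tuple[int, int, List[str], Optional[str]]:
    """Feed packets through a monitor; a re-INVITE fires once at reinvite_at.

    Returns (accepted, dropped, alerts, learned_src).
    """
    mon = SessionMonitor()
    accepted = dropped = 0
    fired = False
    for pkt in packets:
        if reinvite_at is not None and not fired and pkt.t >= reinvite_at:
            mon.on_reinvite()
            fired = True
        if mon.on_packet(pkt):
            accepted += 1
        else:
            dropped += 1
    return accepted, dropped, mon.alerts, mon.learned_src


LEGIT = "192.0.2.10:4000"       # constructed: the endpoint that set up the call
INTRUDER = "198.51.100.7:5000"  # constructed: an address that was never signalled


def sample_stream() -> List[Packet]:
    """Constructed stream: 50 legitimate packets, a 30-packet burst from
    elsewhere, then 10 more legitimate packets."""
    pkts = [Packet(t=i * 0.02, src=LEGIT, ssrc=0x1111) for i in range(50)]
    pkts += [Packet(t=1.0 + i * 0.002, src=INTRUDER, ssrc=0x2222) for i in range(30)]
    pkts += [Packet(t=1.1 + i * 0.02, src=LEGIT, ssrc=0x1111) for i in range(10)]
    return pkts


if __name__ == "__main__":
    # No re-INVITE: the burst is dropped and alerted on, the session keeps its source.
    print(replay(sample_stream()))
    # With a re-INVITE at the moment the new source appears, re-learning is legitimate.
    print(replay(sample_stream(), reinvite_at=1.0))
```

The first replay shows the defended behaviour: 30 packets from the unexpected address are dropped, one alert is raised, and the learned source is unchanged. The second shows the same stream with a re-INVITE, where the switch is accepted because signalling, not traffic volume, authorised it.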
The same versions have a shell access vulnerability in the app_minivm “mini voicemail” module.
The module sends notifications using the caller ID name and number; these can come from an untrusted source, so crafted values permit command injection.
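The pattern behind that bug, as an added example that is not app_minivm's code: a notification command built by splicing caller ID fields into a shell string, beside the safe form that passes each argument separately with no shell involved. The `mail` command, the subject format and the allowed character set are assumptions made for the illustration.

```python
"""Caller-ID values in a notification command: unsafe string build beside
a safe argv build. Added example, not app_minivm code; the `mail` command
and the subject format are assumptions used only to illustrate the pattern.
"""
import re
import subprocess
from typing import List

# Characters a caller ID field may keep when it ends up anywhere near a
# command line. Assumption for this example; tune to your dial plan.
_CID_DISALLOWED = re.compile(r"[^A-Za-z0-9 .,'+_-]")


def sanitize_cid(value: str, max_len: int = 64) -> str:
    """Strip shell metacharacters and bound the length of a caller ID field."""
    return _CID_DISALLOWED.sub("", value)[:max_len].strip()


def build_unsafe_command(cid_name: str, cid_num: str, mailto: str) -> str:
    """Vulnerable pattern: untrusted caller ID spliced into a shell string.

    If this string is handed to a shell, a quote or ';' inside cid_name
    ends the subject argument and whatever follows is parsed as a command.
    """
    return f'mail -s "Voicemail from {cid_name} <{cid_num}>" {mailto}'


def build_safe_argv(cid_name: str, cid_num: str, mailto: str) -> List[str]:
    """Safe pattern: one argv element per argument, executed without a shell.

    Whatever cid_name contains stays inside a single argument; nothing
    parses it as command syntax, and sanitising keeps the subject tidy.
    """
    subject = f"Voicemail from {sanitize_cid(cid_name)} <{sanitize_cid(cid_num)}>"
    return ["mail", "-s", subject, mailto]


def send_notification(argv: List[str], dry_run: bool = True) -> List[str]:
    """Run argv with shell=False; dry_run returns argv unchanged so the
    example works on a host without a mail command."""
    if not dry_run:
        subprocess.run(argv, shell=False, check=True)
    return argv


if __name__ == "__main__":
    # Constructed hostile caller ID name: closes the quoted subject and
    # appends a harmless command. Nothing here passes it to a shell.
    hostile = 'Alice"; id; echo "'
    print(build_unsafe_command(hostile, "1000", "ops@example.com"))
    print(send_notification(build_safe_argv(hostile, "1000", "ops@example.com")))
```

The unsafe string shows the quoted subject being closed mid-way by the caller ID name; in the argv form the same name survives only as literal text inside the subject argument, with the metacharacters removed.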
Finally, the third vulnerability is in the res_pjsip module, part of Asterisk's Session Initiation Protocol (SIP) functionality.
A crafted Uniform Resource Identifier (URI) in the From, To, or Contact fields can crash Asterisk Open Source 13.15.0 or 14.4.0; it's patched in version 13.17.1 or 14.6.1. ®