CVE-2017-14099
Published 2017-09-02
Priority P344 · high · 7.5 (CVSS 3.0)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 4.33% (90.0th percentile)
In res/res_rtp_asterisk.c in Asterisk 11.x before 11.25.2, 13.x before 13.17.1, and 14.x before 14.6.1 and Certified Asterisk 11.x before 11.6-cert17 and 13.x before 13.13-cert5, unauthorized data disclosure (media takeover in the RTP stack) is possible with careful timing by an attacker. The "strictrtp" option in rtp.conf enables a feature of the RTP stack that learns the source address of media for a session and drops any packets that do not originate from the expected address. This option is enabled by default in Asterisk 11 and above. The "nat" and "rtp_symmetric" options (for chan_sip and chan_pjsip, respectively) enable symmetric RTP support in the RTP stack. This uses the source address of incoming media as the target address of any sent media. This option is not enabled by default, but is commonly enabled to handle devices behind NAT. A change was made to the strict RTP support in the RTP stack to better tolerate late media when a reinvite occurs. When combined with the symmetric RTP support, this introduced an avenue where media could be hijacked. Instead of only learning a new address when expected, the new code allowed a new source address to be learned at all times. If a flood of RTP traffic was received, the strict RTP support would allow the new address to provide media, and (with symmetric RTP enabled) outgoing traffic would be sent to this new address, allowing the media to be hijacked. Provided the attacker continued to send traffic, they would continue to receive traffic as well.
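As an added example (not part of the advisory or of Asterisk), the affected ranges stated above can be turned into a triage check that ranks hosts by whether they run an affected release with symmetric RTP enabled. The accepted version-string formats, the `classify` and `triage` names and the sample inventory are assumptions made for illustration.

```python
import re

# First fixed release per branch, taken from the advisory text above.
FIXED_STANDARD = {11: (11, 25, 2), 13: (13, 17, 1), 14: (14, 6, 1)}
# Certified branches: major -> ((major, minor) base, first fixed cert number).
FIXED_CERTIFIED = {11: ((11, 6), 17), 13: ((13, 13), 5)}
CERT_RE = re.compile(r"(\d+)\.(\d+)-cert(\d+)")
STD_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")

def classify(version):
    """Return 'affected', 'fixed', 'not-listed' or 'unparseable'."""
    m = CERT_RE.search(version)
    if m:
        major, minor, cert = (int(g) for g in m.groups())
        if major not in FIXED_CERTIFIED:
            return "not-listed"
        base, fixed_cert = FIXED_CERTIFIED[major]
        if (major, minor) != base:
            # An older certified base is "before" the fixed one; a newer is not.
            return "affected" if (major, minor) < base else "fixed"
        return "affected" if cert < fixed_cert else "fixed"
    m = STD_RE.search(version)
    if not m:
        return "unparseable"
    major, minor, patch = (int(g or 0) for g in m.groups())
    if major not in FIXED_STANDARD:
        return "not-listed"
    return "affected" if (major, minor, patch) < FIXED_STANDARD[major] else "fixed"

def triage(inventory):
    """Rank (host, version, symmetric_rtp) rows, most urgent first."""
    order = {"affected": 1, "unparseable": 2, "not-listed": 2, "fixed": 3}
    ranked = []
    for host, version, symmetric_rtp in inventory:
        status = classify(version)
        # The takeover needs symmetric RTP, so that combination ranks first.
        urgent = status == "affected" and symmetric_rtp
        ranked.append((0 if urgent else order[status], host, status))
    return sorted(ranked)

# Constructed inventory: host names and version strings are sample values.
SAMPLE = [
    ("pbx-a.example", "Asterisk 13.17.1", True),
    ("pbx-b.example", "Asterisk certified/13.13-cert4", True),
    ("pbx-c.example", "Asterisk 14.5.0", False),
    ("pbx-d.example", "Asterisk 15.0.0", True),
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Branches the advisory does not name are reported as `not-listed` rather than assumed safe, so they still surface for manual review.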
Affected
105 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | asterisk | < asterisk 1:13.17.1~dfsg-1 (bullseye) | asterisk 1:13.17.1~dfsg-1 (bullseye) |
| digium | asterisk | — | — |
CVSS provenance
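| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |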
GHSA
GHSA-4q58-999f-6rpw: In res/res_rtp_asterisk
ghsa_unreviewed · 2022-05-17 · [HIGH] · CWE-200
OSV
CVE-2017-14099: In res/res_rtp_asterisk
osv · 2017-09-02 · CVSS 7.5 · [HIGH]
Debian
CVE-2017-14099: asterisk - In res/res_rtp_asterisk.c in Asterisk 11.x before 11.25.2, 13.x before 13.17.1, ...
vendor_debian · 2017 · CVSS 7.5 · [HIGH]
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2017-14098 CVE-2017-14099 CVE-2017-14100 asterisk: Multiple vulnerabilities [fedora-all]
bugzilla · 2017-09-04 · CVSS 7.5 · [HIGH]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple sup
Bugzilla
CVE-2017-14098 CVE-2017-14099 CVE-2017-14100 asterisk: Multiple vulnerabilities [epel-6]
bugzilla · 2017-09-04 · CVSS 7.5 · [HIGH]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-6.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion:
Use the following template to fo
Bugzilla
CVE-2017-14098 CVE-2017-14099 CVE-2017-14100 asterisk: Multiple vulnerabilities
bugzilla · 2017-09-04 · CVSS 7.5 · [HIGH]
CVE-2017-14098 - AST-2017-007:
In the pjsip channel driver (res_pjsip) in Asterisk 13.x before 13.17.1 and 14.x before 14.6.1, a carefully crafted tel URI in a From, To, or Contact header could cause Asterisk to crash.
http://downloads.asterisk.org/pub/security/AST-2017-007.html
https://issues.asterisk.org/jira/browse/ASTERISK-27152
CVE-2017-14099 - AST-2017-005:
In res/res_rtp_asterisk.c in Asterisk 11.x before 11.25.2, 13.x before 13.17.1, and 14.x before 14.6.1 and Certified Asterisk 11.x before 11.6-cert17 and 13.x before 13.13-cert5, unauthorized data disclosure (media takeover in the RTP stack) is possible with careful timing by an attacker. The "strictrtp" option in rtp.conf enables a feature of the
http://downloads.asterisk.org/pub/security/AST-2017-005.html
http://www.debian.org/security/2017/dsa-3964
http://www.securitytracker.com/id/1039251
https://bugs.debian.org/873907
https://issues.asterisk.org/jira/browse/ASTERISK-27013
https://rtpbleed.com
https://security.gentoo.org/glsa/201710-29
Published: 2017-09-02