CVE-2021-37706
published 2021-12-22


Priority: P263 | critical | 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 4.62% (90.5th percentile)
PJSIP is a free and open source multimedia communication library written in the C language that implements standards-based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In affected versions, if the incoming STUN message contains an ERROR-CODE attribute, the header length is not checked before performing a subtraction operation, potentially resulting in an integer underflow scenario. This issue affects all users that use STUN. A malicious actor located within the victim’s network may forge and send a specially crafted UDP (STUN) message that could remotely execute arbitrary code on the victim’s machine. Users are advised to upgrade as soon as possible. There are no known workarounds.

Affected

14 ranges

Vendor | Product | Version range | Fixed in
asterisk | certified_asterisk | < 16.8.0 | 16.8.0
asterisk | certified_asterisk | |
debian | asterisk | < asterisk 1:16.28.0~dfsg-0+deb11u1 (bullseye) | asterisk 1:16.28.0~dfsg-0+deb11u1 (bullseye)
debian | debian_linux | |
debian | debian_linux | |
debian | ring | < asterisk 1:16.28.0~dfsg-0+deb11u1 (bullseye) | asterisk 1:16.28.0~dfsg-0+deb11u1 (bullseye)
pjsip | pjproject | <= 2.11.1 |
pjsip | pjproject | >= 0 < 2.1.0.0.ast20130823-1+deb8u1ubuntu0.1~esm1 | 2.1.0.0.ast20130823-1+deb8u1ubuntu0.1~esm1
pjsip | pjproject | >= 0 < 2.7.2~dfsg-1ubuntu0.1~esm1 | 2.7.2~dfsg-1ubuntu0.1~esm1
sangoma | asterisk | >= 0 < 1:16.28.0~dfsg-0+deb11u1 | 1:16.28.0~dfsg-0+deb11u1
sangoma | asterisk | >= 16.0.0 < 16.24.1 | 16.24.1
sangoma | asterisk | >= 18.0.0 < 18.10.1 | 18.10.1
sangoma | asterisk | >= 19.0.0 < 19.2.1 | 19.2.1
teluu | pjsip | <= 2.11.1 |

Detection & IOCs (extracted from sources)

  • Detect specially crafted UDP STUN messages containing an ERROR-CODE attribute that may trigger integer underflow in PJSIP; monitor for malformed STUN packets on UDP where the ERROR-CODE attribute header length is abnormally small or zero
  • The Debian bullseye fix is available in package version 1:16.28.0~dfsg-0+deb11u1; the Debian sid fix is available in 1:18.10.1~dfsg+~cs6.10.40431411-1
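
The malformed-packet check in the first bullet, sketched as a passive detector over captured UDP payloads. This is an added example, not code from PJSIP or from the sources above; it assumes the RFC 5389 wire layout (20-byte header, 4-byte attribute headers, ERROR-CODE type 0x0009 with a 4-byte fixed part before the reason phrase), and the function names and sample datagrams are constructed for illustration.

```python
import struct

MAGIC_COOKIE = 0x2112A442  # fixed value in every RFC 5389 STUN header
ERROR_CODE = 0x0009        # ERROR-CODE attribute type
ERROR_CODE_FIXED = 4       # reserved(2) + class(1) + number(1) precede the reason phrase

def check_stun(datagram):
    """Return a list of findings for one UDP payload (empty list: nothing to report)."""
    if len(datagram) < 20:
        return []                                  # shorter than a STUN header
    msg_type, msg_len, cookie = struct.unpack_from("!HHI", datagram, 0)
    if msg_type & 0xC000 or cookie != MAGIC_COOKIE:
        return []                                  # not RFC 5389 STUN (e.g. RTP)
    findings = []
    if msg_len % 4 or 20 + msg_len > len(datagram):
        findings.append(f"message length {msg_len} inconsistent with datagram")
    end = min(20 + msg_len, len(datagram))
    off = 20
    while off + 4 <= end:
        attr_type, attr_len = struct.unpack_from("!HH", datagram, off)
        # A parser that computes (length - 4) for the reason phrase without
        # this comparison underflows when the declared length is 0..3.
        if attr_type == ERROR_CODE and attr_len < ERROR_CODE_FIXED:
            findings.append(f"ERROR-CODE at offset {off} has length {attr_len} < 4")
        if off + 4 + attr_len > end:
            findings.append(f"attribute 0x{attr_type:04x} at offset {off} overruns message")
            break
        off += 4 + ((attr_len + 3) & ~3)           # attribute values are padded to 4 bytes
    return findings

def sample_error_response(attr_len, value):
    """Constructed test datagram: Binding error response carrying one ERROR-CODE."""
    body = struct.pack("!HH", ERROR_CODE, attr_len) + value
    return struct.pack("!HHI", 0x0111, len(body), MAGIC_COOKIE) + bytes(12) + body

# Constructed samples: a well-formed 401 and an ERROR-CODE declaring length 0.
WELL_FORMED = sample_error_response(16, b"\x00\x00\x04\x01" + b"Unauthorized")
SHORT_LENGTH = sample_error_response(0, b"")

if __name__ == "__main__":
    for name, pkt in (("well-formed", WELL_FORMED), ("short-length", SHORT_LENGTH)):
        print(name, check_stun(pkt) or "ok")
```
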

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C
osv | | 9.8 | CRITICAL |
vendor_ubuntu | | 9.8 | CRITICAL |
vendor_debian | | 7.3 | HIGH |