Condorlab

PJSIP – Bug in the PJSIP library allows generating a Denial of Service in Asterisk.


Advisory IDRSN-SIP-1564


Vulnerability Information

 

A vulnerability that affects PJSIP allows an attacker through a customized package to trigger a DoS affecting the versions of Asterisk Open Source 13.X, 14.X and Certified Asterisk 13.13.


Release Date

2017-06-02 00:00:00


PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. It combines signaling protocol (SIP) with rich multimedia framework and NAT traversal functionality into high level API that is portable and suitable for almost any type of systems ranging from desktops, embedded systems, to mobile handsets.


Technical Information

 

PJSIP contains a logical error that allows the memory to be read outside the permitted limits. A specially designed package can trigger these invalid readings and potentially induce a DoS. CVE-2017-9359 was assigned for this failure.


Solutions

 

The UCTM solution from RedShift Networks provides the industry’s first complete security solution developed to secure VOIP networks, endpoints and applications. His research team Condor-Labs.com is constantly looking for new attack patterns, advanced penetration testing methods, vulnerability identification and deployment of new signatures for constantly subscribed clients. For more information visit www.redshiftnetworks.com


External Resources

 

Asterisk Project Security Advisory

http://downloads.asterisk.org/pub/security/AST-2017-003.txt

Common Vulnerabilities and Exposures (CVE)

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9359