PJSIP – Bug in PJSIP allows generating malformed packets and producing a Denial of Service

Advisory IDRSN-SIP-1565

Vulnerability Information


A bug in the PJSIP library allows sending a SIP packet to Asterisk with a CSeq header specially designed in Asterisk Open Source 11.X, 13.X, 14.X and Certified Asterisk 13.13 to cause a DoS by an attacker remotely

Release Date

2017-06-02 00:00:00

PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. It combines signaling protocol (SIP) with rich multimedia framework and NAT traversal functionality into high level API that is portable and suitable for almost any type of systems ranging from desktops, embedded systems, to mobile handsets.

Technical Information


The problem lies in the PJSIP transaction key generation algorithm that does not allocate a sufficiently large buffer. When the buffer is exceeded, the memory allocation table is damaged, leading to an eventual block (DoS). For this failure, the CVE-2017-9372 has been assigned.



The UCTM solution from RedShift Networks provides the industry’s first complete security solution developed to secure VOIP networks, endpoints and applications. His research team is constantly looking for new attack patterns, advanced penetration testing methods, vulnerability identification and deployment of new signatures for constantly subscribed clients. For more information visit

External Resources


Asterisk Project Security Advisory

Common Vulnerabilities and Exposures (CVE)