Condorlab

Asterisk – Remote crash in res_pjsip_session


Advisory ID: RSN-SIP-1657



Vulnerability Information

This is a crash within PJSIP whereby under heavy load the INVITE transaction on an INVITE session may not be set when sending a response, resulting in a crash.


Technical Information

Upon receiving a new SIP INVITE, Asterisk did not return the created dialog locked or referenced. This left a "gap" between the creation of the dialog object and its next use by the thread that created it. Depending on some off-nominal circumstances and timing, it was possible for another thread to free the dialog in this "gap". Asterisk could then crash when the dialog object, or any of its dependent objects, was next dereferenced or accessed by the initial creation thread.

Note, however, that this crash can only occur when using a connection-oriented protocol (e.g. TCP, TLS) for the SIP transport. If you are using UDP then your system should not be affected.

As well, the remote client must be authenticated, or Asterisk must be configured for anonymous calling in order for this problem to manifest.
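The two preconditions above can be checked against a deployment's `pjsip.conf`. The following is an added example, not code from the advisory or the Asterisk project; it assumes the usual `pjsip.conf` conventions (`type=transport` sections with a `protocol` option, anonymous calling enabled by an endpoint named `anonymous`), and the function names and sample configuration are constructed for illustration.

```python
import re

# The advisory names TCP and TLS; treating ws/wss the same way is an
# assumption made here, since WebSocket transports also run over TCP/TLS.
CONNECTION_ORIENTED = {"tcp", "tls", "ws", "wss"}
SECTION_RE = re.compile(r"^\[([^\]]+)\]\s*(?:\(([^)]*)\))?")

def parse_pjsip(text):
    """Return [(name, is_template, options)]; #include and '+=' are ignored."""
    sections, templates = [], {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # strip ';' comments
        m = SECTION_RE.match(line)
        if m:
            name = m.group(1).strip()
            parents = [p.strip() for p in (m.group(2) or "").split(",")]
            opts = {}
            for parent in parents:               # inherit from earlier templates
                opts.update(templates.get(parent, {}))
            templates[name] = opts
            sections.append((name, "!" in parents, opts))
        elif sections and "=" in line:
            key, value = line.split("=", 1)      # also accepts 'key => value'
            sections[-1][2][key.strip().lower()] = value.lstrip(">").strip()
    return sections

def exposure(text):
    """Check the two preconditions the advisory gives for the crash."""
    live = [(n, o) for n, is_tmpl, o in parse_pjsip(text) if not is_tmpl]
    stream = sorted(n for n, o in live if o.get("type") == "transport"
                    and o.get("protocol", "udp").lower() in CONNECTION_ORIENTED)
    anonymous = any(n == "anonymous" and o.get("type") == "endpoint" for n, o in live)
    return {"stream_transports": stream, "anonymous_calling": anonymous,
            "unauthenticated_exposure": bool(stream) and anonymous}

# Constructed sample configuration, not taken from a real system.
SAMPLE = """[stream-base](!)
type=transport
protocol=tcp
[transport-udp]
type=transport
[transport-tcp](stream-base)
[transport-tls]
type=transport
protocol=tls   ; TLS listener
[anonymous]
type=endpoint
"""
```

A non-empty `stream_transports` list means authenticated clients can reach the affected code path; `unauthenticated_exposure` is true only when anonymous calling is enabled as well.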


Solutions

The UCTM solution from RedShift Networks provides the industry's first complete security solution developed to secure VoIP networks, endpoints and applications. Its research team, Condor-Labs.com, is constantly looking for new attack patterns, advanced penetration testing methods and vulnerability identification, and deploys new signatures to subscribed clients. For more information visit www.redshiftnetworks.com.


External Resources

https://issues.asterisk.org/jira/browse/ASTERISK-29057

http://downloads.asterisk.org/pub/security/AST-2020-001.html

Common Vulnerabilities and Exposures (CVE)

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28327