7.5

CVE-2017-14099

In res/res_rtp_asterisk.c in Asterisk 11.x before 11.25.2, 13.x before 13.17.1, and 14.x before 14.6.1 and Certified Asterisk 11.x before 11.6-cert17 and 13.x before 13.13-cert5, unauthorized data disclosure (media takeover in the RTP stack) is possible with careful timing by an attacker. The "strictrtp" option in rtp.conf enables a feature of the RTP stack that learns the source address of media for a session and drops any packets that do not originate from the expected address. This option is enabled by default in Asterisk 11 and above. The "nat" and "rtp_symmetric" options (for chan_sip and chan_pjsip, respectively) enable symmetric RTP support in the RTP stack. This uses the source address of incoming media as the target address of any sent media. This option is not enabled by default, but is commonly enabled to handle devices behind NAT. A change was made to the strict RTP support in the RTP stack to better tolerate late media when a reinvite occurs. When combined with the symmetric RTP support, this introduced an avenue where media could be hijacked. Instead of only learning a new address when expected, the new code allowed a new source address to be learned at all times. If a flood of RTP traffic was received, the strict RTP support would allow the new address to provide media, and (with symmetric RTP enabled) outgoing traffic would be sent to this new address, allowing the media to be hijacked. Provided the attacker continued to send traffic, they would continue to receive traffic as well.

Data is provided by the National Vulnerability Database (NVD)
DigiumAsterisk Version13.0.0 SwEditionlts
DigiumAsterisk Version13.0.0 Updatebeta1
DigiumAsterisk Version13.0.0 Updatebeta2
DigiumAsterisk Version13.0.0 Updatebeta3
DigiumAsterisk Version13.0.1
DigiumAsterisk Version13.0.2
DigiumAsterisk Version13.1.0
DigiumAsterisk Version13.1.0 Updaterc1
DigiumAsterisk Version13.1.0 Updaterc2
DigiumAsterisk Version13.1.1
DigiumAsterisk Version13.2.0
DigiumAsterisk Version13.2.0 Updaterc1
DigiumAsterisk Version13.2.1
DigiumAsterisk Version13.3.0 Updaterc1
DigiumAsterisk Version13.3.2
DigiumAsterisk Version13.4.0
DigiumAsterisk Version13.4.0 Updaterc1
DigiumAsterisk Version13.5.0
DigiumAsterisk Version13.5.0 Updaterc1
DigiumAsterisk Version13.6.0 Updaterc1
DigiumAsterisk Version13.7.0 Updaterc1
DigiumAsterisk Version13.7.0 Updaterc2
DigiumAsterisk Version13.7.1
DigiumAsterisk Version13.7.2
DigiumAsterisk Version13.8.0
DigiumAsterisk Version13.8.0 Updaterc1
DigiumAsterisk Version13.8.1
DigiumAsterisk Version13.8.2
DigiumAsterisk Version13.9.0
DigiumAsterisk Version13.9.1
DigiumAsterisk Version13.10.0
DigiumAsterisk Version13.10.0 Updaterc1
DigiumAsterisk Version13.11.0
DigiumAsterisk Version13.11.1
DigiumAsterisk Version13.11.2
DigiumAsterisk Version13.12
DigiumAsterisk Version13.12.0
DigiumAsterisk Version13.12.1
DigiumAsterisk Version13.12.2
DigiumAsterisk Version13.13
DigiumAsterisk Version13.13.0
DigiumAsterisk Version13.13.1
DigiumAsterisk Version13.14.0
DigiumAsterisk Version13.14.0 Updaterc1
DigiumAsterisk Version13.14.0 Updaterc2
DigiumAsterisk Version13.14.1
DigiumAsterisk Version13.15.0
DigiumAsterisk Version13.15.0 Updaterc1
DigiumAsterisk Version13.15.0 Updaterc2
DigiumAsterisk Version13.15.0 Updaterc3
DigiumAsterisk Version13.15.1
DigiumAsterisk Version13.16.0
DigiumAsterisk Version13.16.0 Updaterc1
DigiumAsterisk Version13.16.0 Updaterc2
DigiumAsterisk Version13.17.0
DigiumAsterisk Version13.17.0 Updaterc1
DigiumAsterisk Version14.0
DigiumAsterisk Version14.0.0
DigiumAsterisk Version14.0.0 Updatebeta1
DigiumAsterisk Version14.0.0 Updatebeta2
DigiumAsterisk Version14.0.0 Updaterc1
DigiumAsterisk Version14.0.0 Updaterc2
DigiumAsterisk Version14.0.1
DigiumAsterisk Version14.0.2
DigiumAsterisk Version14.1
DigiumAsterisk Version14.01
DigiumAsterisk Version14.1.0
DigiumAsterisk Version14.1.1
DigiumAsterisk Version14.1.2
DigiumAsterisk Version14.02
DigiumAsterisk Version14.2
DigiumAsterisk Version14.2.0
DigiumAsterisk Version14.2.1
DigiumAsterisk Version14.3.0
DigiumAsterisk Version14.3.0 Updaterc1
DigiumAsterisk Version14.3.0 Updaterc2
DigiumAsterisk Version14.3.1
DigiumAsterisk Version14.4.0
DigiumAsterisk Version14.4.0 Updaterc1
DigiumAsterisk Version14.4.0 Updaterc2
DigiumAsterisk Version14.4.0 Updaterc3
DigiumAsterisk Version14.4.1
DigiumAsterisk Version14.5.0
DigiumAsterisk Version14.5.0 Updaterc1
DigiumAsterisk Version14.5.0 Updaterc2
DigiumAsterisk Version14.6.0
DigiumAsterisk Version14.6.0 Updaterc1
DigiumAsterisk Version11.0.0
DigiumAsterisk Version11.0.0 Updatebeta1
DigiumAsterisk Version11.0.0 Updatebeta2
DigiumAsterisk Version11.0.0 Updaterc1
DigiumAsterisk Version11.0.0 Updaterc2
DigiumAsterisk Version11.0.1
DigiumAsterisk Version11.0.2
DigiumAsterisk Version11.1.0
DigiumAsterisk Version11.1.0 Updaterc1
DigiumAsterisk Version11.1.0 Updaterc2
DigiumAsterisk Version11.1.0 Updaterc3
DigiumAsterisk Version11.1.1
DigiumAsterisk Version11.1.2
DigiumAsterisk Version11.2.0 Updaterc1
DigiumAsterisk Version11.2.1
DigiumAsterisk Version11.2.2
DigiumAsterisk Version11.4.0 Updaterc4
DigiumAsterisk Version11.6.0
DigiumAsterisk Version11.6.0 Updaterc1
DigiumAsterisk Version11.6.0 Updaterc2
DigiumAsterisk Version11.6.1
DigiumAsterisk Version11.7.0
DigiumAsterisk Version11.7.0 Updaterc1
DigiumAsterisk Version11.7.0 Updaterc2
DigiumAsterisk Version11.8.0 Update-
DigiumAsterisk Version11.8.0 Updaterc1
DigiumAsterisk Version11.8.0 Updaterc2
DigiumAsterisk Version11.8.0 Updaterc3
DigiumAsterisk Version11.8.1
DigiumAsterisk Version11.9.0
DigiumAsterisk Version11.9.0 Updaterc1
DigiumAsterisk Version11.9.0 Updaterc2
DigiumAsterisk Version11.9.0 Updaterc3
DigiumAsterisk Version11.10.0
DigiumAsterisk Version11.10.0 Updaterc1
DigiumAsterisk Version11.10.1
DigiumAsterisk Version11.10.1 Updaterc1
DigiumAsterisk Version11.10.2
DigiumAsterisk Version11.11.0
DigiumAsterisk Version11.11.0 Updaterc1
DigiumAsterisk Version11.12.0
DigiumAsterisk Version11.12.0 Updaterc1
DigiumAsterisk Version11.12.1
DigiumAsterisk Version11.13.0
DigiumAsterisk Version11.13.0 Updaterc1
DigiumAsterisk Version11.13.1
DigiumAsterisk Version11.14.0 SwEditionlts
DigiumAsterisk Version11.14.0 Updaterc1
DigiumAsterisk Version11.14.0 Updaterc2
DigiumAsterisk Version11.14.1
DigiumAsterisk Version11.14.2
DigiumAsterisk Version11.15.0 Updaterc1
DigiumAsterisk Version11.15.0 Updaterc2
DigiumAsterisk Version11.15.1
DigiumAsterisk Version11.16.0 Updaterc1
DigiumAsterisk Version11.17.0 Updaterc1
DigiumAsterisk Version11.17.1
DigiumAsterisk Version11.18.0
DigiumAsterisk Version11.18.0 Updaterc1
DigiumAsterisk Version11.19.0 Updaterc1
DigiumAsterisk Version11.20.0 Updaterc1
DigiumAsterisk Version11.21.0 Updaterc1
DigiumAsterisk Version11.21.0 Updaterc2
DigiumAsterisk Version11.21.1
DigiumAsterisk Version11.21.2
DigiumAsterisk Version11.22.0
DigiumAsterisk Version11.22.0 Updaterc1
DigiumAsterisk Version11.23.0
DigiumAsterisk Version11.23.0 Updaterc1
DigiumAsterisk Version11.23.1
DigiumAsterisk Version11.24.0
DigiumAsterisk Version11.24.1
DigiumAsterisk Version11.25.0
DigiumAsterisk Version11.25.1
DigiumCertified Asterisk Version11.6 Updatecert1
DigiumCertified Asterisk Version11.6 Updatecert1_rc1
DigiumCertified Asterisk Version11.6 Updatecert1_rc2
DigiumCertified Asterisk Version11.6 Updatecert10
DigiumCertified Asterisk Version11.6 Updatecert11
DigiumCertified Asterisk Version11.6 Updatecert12
DigiumCertified Asterisk Version11.6 Updatecert13
DigiumCertified Asterisk Version11.6 Updatecert14
DigiumCertified Asterisk Version11.6 Updatecert14_rc1
DigiumCertified Asterisk Version11.6 Updatecert14_rc2
DigiumCertified Asterisk Version11.6 Updatecert15
DigiumCertified Asterisk Version11.6 Updatecert16
DigiumCertified Asterisk Version11.6 Updatecert2
DigiumCertified Asterisk Version11.6 Updatecert3
DigiumCertified Asterisk Version11.6 Updatecert4
DigiumCertified Asterisk Version11.6 Updatecert5
DigiumCertified Asterisk Version11.6 Updatecert6
DigiumCertified Asterisk Version11.6 Updatecert7
DigiumCertified Asterisk Version11.6 Updatecert8
DigiumCertified Asterisk Version11.6 Updatecert9
DigiumCertified Asterisk Version13.13 Updatecert1
DigiumCertified Asterisk Version13.13 Updatecert1_rc1
DigiumCertified Asterisk Version13.13 Updatecert1_rc2
DigiumCertified Asterisk Version13.13 Updatecert1_rc3
DigiumCertified Asterisk Version13.13 Updatecert1_rc4
DigiumCertified Asterisk Version13.13 Updatecert2
DigiumCertified Asterisk Version13.13 Updatecert3
DigiumCertified Asterisk Version13.13 Updatecert4
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 0.37% 0.581
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov 5 10 2.9
AV:N/AC:L/Au:N/C:P/I:N/A:N
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

http://www.securitytracker.com/id/1039251
Third Party Advisory
VDB Entry
https://bugs.debian.org/873907
Patch
Third Party Advisory
Issue Tracking
https://issues.asterisk.org/jira/browse/ASTERISK-27013
Patch
Third Party Advisory
Issue Tracking
https://rtpbleed.com
Third Party Advisory