AST-2017-008: RTP/RTCP information leak

Asterisk Project Security Advisory - AST-2017-008

Product Asterisk
Summary RTP/RTCP information leak
Nature of Advisory Unauthorized data disclosure
Susceptibility Remote Unauthenticated Sessions
Severity Critical
Exploits Known Yes
Reported On September 1, 2017
Reported By Klaus-Peter Junghanns
Posted On September 19, 2017
Last Updated On September 19, 2017
Advisory Contact Richard Mudgett
CVE Name CVE-2017-14099

Description This is a follow up advisory to AST-2017-005.

Insufficient RTCP packet validation could allow reading
stale buffer contents and when combined with the “nat” and
“symmetric_rtp” options allow redirecting where Asterisk
sends the next RTCP report.

The RTP stream qualification to learn the source address of
media always accepted the first RTP packet as the new
source and allowed what AST-2017-005 was mitigating. The
intent was to qualify a series of packets before accepting
the new source address.

Resolution The RTP/RTCP stack will now validate RTCP packets before
processing them. Packets failing validation are discarded.
RTP stream qualification now requires the intended series of
packets from the same address without seeing packets from a
different source address to accept a new source address.

Affected Versions
Product Release
Asterisk Open Source 11.x All Releases
Asterisk Open Source 13.x All Releases
Asterisk Open Source 14.x All Releases
Certified Asterisk 11.6 All Releases
Certified Asterisk 13.13 All Releases

Corrected In
Product Release
Asterisk Open Source 11.25.3, 13.17.2, 14.6.2
Certified Asterisk 11.6-cert18, 13.13-cert6

SVN URL Revision Asterisk
11 Asterisk
13 Asterisk
14 Certified
11.6 Certified


Asterisk Project Security Advisories are posted at

This document may be superseded by later versions; if so, the latest
version will be posted at and

Commenti (0) Trackback (0)

Spiacenti, il modulo dei commenti è chiuso per ora.

Ancora nessun trackback.