NVD

CVE-2017-14099 Detail

Modified

This vulnerability has been modified since it was last analyzed by the NVD. It is awaiting reanalysis which may result in further changes to the information provided.

Description

In res/res_rtp_asterisk.c in Asterisk 11.x before 11.25.2, 13.x before 13.17.1, and 14.x before 14.6.1 and Certified Asterisk 11.x before 11.6-cert17 and 13.x before 13.13-cert5, unauthorized data disclosure (media takeover in the RTP stack) is possible with careful timing by an attacker. The "strictrtp" option in rtp.conf enables a feature of the RTP stack that learns the source address of media for a session and drops any packets that do not originate from the expected address. This option is enabled by default in Asterisk 11 and above. The "nat" and "rtp_symmetric" options (for chan_sip and chan_pjsip, respectively) enable symmetric RTP support in the RTP stack. This uses the source address of incoming media as the target address of any sent media. This option is not enabled by default, but is commonly enabled to handle devices behind NAT. A change was made to the strict RTP support in the RTP stack to better tolerate late media when a reinvite occurs. When combined with the symmetric RTP support, this introduced an avenue where media could be hijacked. Instead of only learning a new address when expected, the new code allowed a new source address to be learned at all times. If a flood of RTP traffic was received, the strict RTP support would allow the new address to provide media, and (with symmetric RTP enabled) outgoing traffic would be sent to this new address, allowing the media to be hijacked. Provided the attacker continued to send traffic, they would continue to receive traffic as well.

Severity

CVSS 3.x Severity and Metrics:

NIST: NVD

Base Score: 7.5 HIGH

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

NVD Analysts use publicly available information to associate vector strings and CVSS scores. We also display any CVSS information provided within the CVE List from the CNA.

Note: NVD Analysts have published a CVSS score for this CVE based on publicly available information at the time of analysis. The CNA has not provided a score within the CVE List.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Hyperlink	Resource
http://downloads.asterisk.org/pub/security/AST-2017-005.html	Vendor Advisory
http://www.debian.org/security/2017/dsa-3964
http://www.securitytracker.com/id/1039251	Third Party Advisory VDB Entry
https://bugs.debian.org/873907	Issue Tracking Patch Third Party Advisory
https://issues.asterisk.org/jira/browse/ASTERISK-27013	Issue Tracking Patch Third Party Advisory
https://rtpbleed.com	Third Party Advisory
https://security.gentoo.org/glsa/201710-29

Weakness Enumeration

CWE-ID	CWE Name	Source
CWE-200	Exposure of Sensitive Information to an Unauthorized Actor	NIST

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History

4 change records found show changes

Initial Analysis by NIST 9/20/2017 3:25:33 PM

Action	Type	Old Value	New Value
Added	CPE Configuration		Record truncated, showing 500 of 4045 characters. View Entire Change Record OR cpe:2.3:a:digium:asterisk:11.0.0::::::: cpe:2.3:a:digium:asterisk:11.0.0:beta1::::::* cpe:2.3:a:digium:asterisk:11.0.0:beta2::::::* cpe:2.3:a:digium:asterisk:11.0.0:rc1::::::* cpe:2.3:a:digium:asterisk:11.0.0:rc2::::::* cpe:2.3:a:digium:asterisk:11.0.1::::::: cpe:2.3:a:digium:asterisk:11.0.2::::::: cpe:2.3:a:digium:asterisk:11.1.0::::::: cpe:2.3:a:digium:asterisk:11.1.0:rc1::::::* *
Added	CPE Configuration		Record truncated, showing 500 of 3044 characters. View Entire Change Record OR cpe:2.3:a:digium:asterisk:13.0.0::::lts:::* cpe:2.3:a:digium:asterisk:13.0.0:beta1::::::* cpe:2.3:a:digium:asterisk:13.0.0:beta2::::::* cpe:2.3:a:digium:asterisk:13.0.0:beta3::::::* cpe:2.3:a:digium:asterisk:13.0.1::::::: cpe:2.3:a:digium:asterisk:13.0.2::::::: cpe:2.3:a:digium:asterisk:13.1.0::::::: cpe:2.3:a:digium:asterisk:13.1.0:rc1::::::* cpe:2.3:a:digium:asterisk:13.1.0:rc2::::::*
Added	CPE Configuration		Record truncated, showing 500 of 1665 characters. View Entire Change Record OR cpe:2.3:a:digium:asterisk:14.0::::::: cpe:2.3:a:digium:asterisk:14.0.0::::::: cpe:2.3:a:digium:asterisk:14.0.0:beta1::::::* cpe:2.3:a:digium:asterisk:14.0.0:beta2::::::* cpe:2.3:a:digium:asterisk:14.0.0:rc1::::::* cpe:2.3:a:digium:asterisk:14.0.0:rc2::::::* cpe:2.3:a:digium:asterisk:14.0.1::::::: cpe:2.3:a:digium:asterisk:14.0.2::::::: cpe:2.3:a:digium:asterisk:14.01::::::: *cpe:2
Added	CPE Configuration		Record truncated, showing 500 of 1392 characters. View Entire Change Record OR cpe:2.3:a:digium:certified_asterisk:11.6:cert1::::::* cpe:2.3:a:digium:certified_asterisk:11.6:cert1::::::* cpe:2.3:a:digium:certified_asterisk:11.6:cert10::::::* cpe:2.3:a:digium:certified_asterisk:11.6:cert11::::::* cpe:2.3:a:digium:certified_asterisk:11.6:cert12::::::* cpe:2.3:a:digium:certified_asterisk:11.6:cert13::::::* cpe:2.3:a:digium:certified_asterisk:11.6:cert14::::::* *cpe:2.3:a:digium:certified_aste
Added	CPE Configuration		Record truncated, showing 500 of 546 characters. View Entire Change Record OR cpe:2.3:a:digium:certified_asterisk:13.13:cert1::::::* cpe:2.3:a:digium:certified_asterisk:13.13:cert1_rc1::::::* cpe:2.3:a:digium:certified_asterisk:13.13:cert1_rc2::::::* cpe:2.3:a:digium:certified_asterisk:13.13:cert1_rc3::::::* cpe:2.3:a:digium:certified_asterisk:13.13:cert1_rc4::::::* cpe:2.3:a:digium:certified_asterisk:13.13:cert2::::::* cpe:2.3:a:digium:certified_asterisk:13.13:cert3::::::* *cpe:2.3:a:dig
Added	CVSS V2		(AV:N/AC:L/Au:N/C:P/I:N/A:N)
Added	CVSS V3		AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Added	CWE		CWE-200
Changed	Reference Type	http://downloads.asterisk.org/pub/security/AST-2017-005.html No Types Assigned	http://downloads.asterisk.org/pub/security/AST-2017-005.html Vendor Advisory
Changed	Reference Type	http://www.securitytracker.com/id/1039251 No Types Assigned	http://www.securitytracker.com/id/1039251 Third Party Advisory, VDB Entry
Changed	Reference Type	https://bugs.debian.org/873907 No Types Assigned	https://bugs.debian.org/873907 Issue Tracking, Patch, Third Party Advisory
Changed	Reference Type	https://issues.asterisk.org/jira/browse/ASTERISK-27013 No Types Assigned	https://issues.asterisk.org/jira/browse/ASTERISK-27013 Issue Tracking, Patch, Third Party Advisory
Changed	Reference Type	https://rtpbleed.com No Types Assigned	https://rtpbleed.com Third Party Advisory

Quick Info

CVE Dictionary Entry:
CVE-2017-14099
NVD Published Date:
09/02/2017
NVD Last Modified:
11/03/2017
Source:
MITRE

You are viewing this page in an unauthorized frame window.

Information Technology Laboratory

National Vulnerability Database