[asterisk-users] AST-2016-007: RTP Resource Exhaustion

Asterisk Security Team security at asterisk.org
Thu Sep 8 15:52:42 CDT 2016

               Asterisk Project Security Advisory - AST-2016-007

         Product        Asterisk                                              
         Summary        RTP Resource Exhaustion                               
    Nature of Advisory  Denial of Service                                     
      Susceptibility    Remote Authenticated Sessions                         
         Severity       Moderate                                              
      Exploits Known    No                                                    
       Reported On      August 5, 2016                                        
       Reported By      Etienne Lessard                                       
        Posted On       
     Last Updated On    September 8, 2016                                     
     Advisory Contact   Joshua Colp <jcolp AT digium DOT com>                 
         CVE Name       

    Description  The overlap dialing feature in chan_sip allows chan_sip to   
                 report to a device that the number that has been dialed is   
                 incomplete and more digits are required. If this             
                 functionality is used with a device that has performed       
                 username/password authentication RTP resources are leaked.   
                 This occurs because the code fails to release the old RTP    
                 resources before allocating new ones in this scenario. If    
                 all resources are used then RTP port exhaustion will occur   
                 and no RTP sessions are able to be set up.                   

    Resolution  If overlap dialing support is not needed the “allowoverlap”   
                option can be set to no. This will stop any usage of the      
                scenario which causes the resource exhaustion.                
                If overlap dialing support is needed a change has been made   
                so that existing RTP resources are destroyed in this          
                scenario before allocating new resources.                     

                               Affected Versions       
                         Product                       Release  
                  Asterisk Open Source                  11.x    All Versions  
                  Asterisk Open Source                  13.x    All Versions  
                   Certified Asterisk                   11.6    All Versions  
                   Certified Asterisk                   13.8    All Versions  

                                  Corrected In
          Product                              Release                        
    Asterisk Open Source                   11.23.1, 13.11.1                   
     Certified Asterisk                11.6-cert15, 13.8-cert3                

                 SVN URL                              Revision                

    Links  https://issues.asterisk.org/jira/browse/ASTERISK-26272             

    Asterisk Project Security Advisories are posted at                        
    This document may be superseded by later versions; if so, the latest      
    version will be posted at                                                 
    http://downloads.digium.com/pub/security/AST-2016-007.pdf and             

                                Revision History
         Date          Editor                   Revisions Made                
    August 23, 2016  Joshua Colp  Initial creation                            

               Asterisk Project Security Advisory - AST-2016-007
               Copyright © 2016 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

More information about the asterisk-users mailing list