Bug 1374733 (CVE-2016-7551)

Summary: CVE-2016-7551 asterisk: RTP Resource Exhaustion
Product: [Other] Security Response
Reporter: Martin Prpič <mprpic>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: g.devel, itamar, jsmith.fedora, lmadsen, rbryant
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: asterisk 11.23.1, asterisk 13.11.1
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-07-12 13:04:21 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1374734, 1374735
Bug Blocks:

Description Martin Prpič 2016-09-09 13:36:29 UTC
The following flaw was found in Asterisk:

The overlap dialing feature in chan_sip allows chan_sip to report to a device that the number that has been dialed is incomplete and more digits are required. If this functionality is used with a device that has performed username/password authentication RTP resources are leaked. This occurs because the code fails to release the old RTP resources before allocating new ones in this scenario. If all resources are used then RTP port exhaustion will occur and no RTP sessions are able to be set up.

Upstream bug:

https://issues.asterisk.org/jira/browse/ASTERISK-26272

External References:

http://downloads.asterisk.org/pub/security/AST-2016-007.html
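The flaw class described above (new RTP resources allocated for a dialog while the handle to the old ones is simply overwritten) is easy to model. The following is an added illustration, not Asterisk's chan_sip code: a constructed fixed-size "RTP port pool", a leaky re-negotiation routine beside the corrected one that releases before allocating, and a helper that drives repeated re-negotiations on one dialog and reports how many pool slots it ends up holding. The pool size, the struct and all function names are constructed for the example.

```c
/* Added example (not Asterisk code): models the RTP resource leak described in
 * AST-2016-007 with a toy port pool. Names and pool size are constructed. */
#include <stdbool.h>
#include <stdio.h>

#define RTP_POOL_SIZE 8   /* constructed: tiny pool so exhaustion is visible */

/* Each slot stands for one RTP port pair; true means in use. */
static bool rtp_pool[RTP_POOL_SIZE];

/* A SIP dialog holds at most one RTP session; -1 means none allocated. */
struct sip_dialog {
    int rtp_slot;
};

/* Reserve a free slot from the pool; returns -1 when the pool is exhausted. */
static int rtp_alloc(void)
{
    for (int i = 0; i < RTP_POOL_SIZE; i++) {
        if (!rtp_pool[i]) {
            rtp_pool[i] = true;
            return i;
        }
    }
    return -1;
}

/* Return a slot to the pool. */
static void rtp_release(int slot)
{
    if (slot >= 0 && slot < RTP_POOL_SIZE)
        rtp_pool[slot] = false;
}

static void rtp_pool_reset(void)
{
    for (int i = 0; i < RTP_POOL_SIZE; i++)
        rtp_pool[i] = false;
}

/* Slots currently in use: the value an operator would graph to spot a leak
 * long before the pool is actually exhausted. */
int rtp_in_use(void)
{
    int n = 0;
    for (int i = 0; i < RTP_POOL_SIZE; i++)
        n += rtp_pool[i] ? 1 : 0;
    return n;
}

/* Leaky pattern: a re-negotiation on an existing dialog allocates fresh RTP
 * resources and overwrites the handle to the old ones, which are never
 * released. Returns false when allocation fails. */
bool renegotiate_leaky(struct sip_dialog *d)
{
    int slot = rtp_alloc();
    if (slot < 0)
        return false;
    d->rtp_slot = slot;   /* previous slot (if any) is now unreachable: leaked */
    return true;
}

/* Fixed pattern: release whatever the dialog already holds, then allocate. */
bool renegotiate_fixed(struct sip_dialog *d)
{
    if (d->rtp_slot >= 0) {
        rtp_release(d->rtp_slot);
        d->rtp_slot = -1;
    }
    int slot = rtp_alloc();
    if (slot < 0)
        return false;
    d->rtp_slot = slot;
    return true;
}

/* Drive `rounds` re-negotiations on a single dialog and report how many pool
 * slots are allocated afterwards. One dialog should hold exactly one. */
int slots_held_after(bool (*renegotiate)(struct sip_dialog *), int rounds)
{
    rtp_pool_reset();
    struct sip_dialog d = { .rtp_slot = -1 };
    for (int i = 0; i < rounds; i++) {
        if (!renegotiate(&d))
            break;   /* pool exhausted: no further RTP session can be set up */
    }
    return rtp_in_use();
}

int main(void)
{
    printf("leaky: %d of %d slots held by one dialog after 20 re-negotiations\n",
           slots_held_after(renegotiate_leaky, 20), RTP_POOL_SIZE);
    printf("fixed: %d of %d slots held by one dialog after 20 re-negotiations\n",
           slots_held_after(renegotiate_fixed, 20), RTP_POOL_SIZE);
    return 0;
}
```

With the leaky routine a single dialog ends up owning every slot in the pool, which is the "no RTP sessions are able to be set up" condition from the advisory; with the fixed routine the same sequence leaves the dialog holding one slot and the rest free. The in-use counter is the kind of metric worth exporting from a real media stack, since a steadily climbing value under a flat call count is the signature of exactly this bug class.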

Comment 1 Martin Prpič 2016-09-09 13:37:02 UTC
Created asterisk tracking bugs for this issue:

Affects: fedora-all [bug 1374734]
Affects: epel-6 [bug 1374735]

Comment 2 Andrej Nemec 2016-09-26 08:14:18 UTC
References:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=838832

Comment 3 Adam Mariš 2016-10-26 07:16:23 UTC
UPDATE (20 October, 2016):

It has been brought to our attention by Walter Doekes that this same leak can be exploited without the use of the overlap dialing feature. Sending SIP requests in a specific sequence outside the norm could also cause the leak of RTP resources. By sending an in-dialog INVITE after receiving a 404 response (but before sending an ACK), an attacker could cause the same leak to occur.

Comment 4 Jared Smith 2016-10-26 16:49:03 UTC
I'm working with the Digium developers to get systemd support added to dahdi-tools, so that we can unretire dahdi-tools, which is a dependency of Asterisk.  That will allow me to update the Asterisk packages in Fedora/EPEL to the latest version which will close this vulnerability.

Comment 5 Product Security DevOps Team 2019-07-12 13:04:21 UTC