lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 04 Mar 2022 20:02:07 +0000
From: "Asterisk Security Team" <>
Subject: [FD] AST-2022-004: pjproject: integer underflow on STUN message

               Asterisk Project Security Advisory - AST-2022-004

         Product        Asterisk                                              
         Summary        pjproject: possible integer underflow on STUN         
    Nature of Advisory  Arbitrary code execution                              
      Susceptibility    Remote unauthenticated sessions                       
         Severity       Major                                                 
      Exploits Known    Yes                                                   
       Reported On      March 3, 2022                                         
       Reported By      Sauw Ming                                             
        Posted On       March 4, 2022                                         
     Last Updated On    March 3, 2022                                         
     Advisory Contact   kharwell AT sangoma DOT com                           
         CVE Name       CVE-2021-37706                                        

      Description     The header length on incoming STUN messages that        
                      contain an ERROR-CODE attribute is not properly         
                      checked. This can result in an integer underflow.       
                      Note, this requires ICE or WebRTC support to be in use  
                      with a malicious remote party.                          
    Modules Affected  bundled pjproject                                       

    Resolution  If you use ���with-pjproject-bundled��� then upgrade to, or       
                install one of, the versions of Asterisk listed below.        
                Otherwise install the appropriate version of pjproject that   
                contains the patch.                                           

                               Affected Versions
                Product              Release Series  
         Asterisk Open Source             16.x       All versions             
         Asterisk Open Source             18.x       All versions             
         Asterisk Open Source             19.x       All versions             
          Certified Asterisk              16.x       All versions             

                                  Corrected In
                 Product                              Release                 
           Asterisk Open Source                16.24.1,18.10.1,19.2.1         
            Certified Asterisk                      16.8-cert13               

                              Patch URL                             Revision   Asterisk  
                                                                    16     Asterisk  
                                                                    18     Asterisk  
                                                                    19   Certified 


    Asterisk Project Security Advisories are posted at                                                             
    This document may be superseded by later versions; if so, the latest      
    version will be posted at                                             and                      

                                Revision History
          Date                  Editor                 Revisions Made         
    March 3, 2022      Kevin Harwell             Initial revision             

               Asterisk Project Security Advisory - AST-2022-004
               Copyright �� 2022 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists