Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (VoIP)  >   Asterisk Vendors:   Digium (Linux Support Services)
Asterisk File Descriptor Leak Lets Remote Authenticated Users Deny Service
SecurityTracker Alert ID:  1031661
SecurityTracker URL:
CVE Reference:   CVE-2015-1558   (Links to External Site)
Updated:  Feb 18 2015
Original Entry Date:  Jan 29 2015
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to versions 12.8.1, 13.1.1
Description:   A vulnerability was reported in Asterisk. A remote authenticated user can cause denial of service conditions.

A remote authenticated user can send an SDP offer that lists codecs not allowed by Asterisk to consume RTP ports on the target system.

The PJSIP channel driver is affected.

The vendor was notified on January 6, 2015.

Y Ateya reported this vulnerability.

Impact:   A remote authenticated user can consume RTP ports on the target system.
Solution:   The vendor has issued a fix (12.8.1, 13.1.1).

The vendor's advisory is available at:

Vendor URL: (Links to External Site)
Cause:   Resource error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.

 Source Message Contents

Subject:  [FD] AST-2015-001: File descriptor leak when incompatible codecs are offered

               Asterisk Project Security Advisory - AST-2015-001

         Product        Asterisk                                              
         Summary        File descriptor leak when incompatible codecs are     
    Nature of Advisory  Resource exhaustion                                   
      Susceptibility    Remote Authenticated Sessions                         
         Severity       Major                                                 
      Exploits Known    No                                                    
       Reported On      6 January, 2015                                       
       Reported By      Y Ateya                                               
        Posted On       9 January, 2015                                       
     Last Updated On    January 28, 2015                                      
     Advisory Contact   Mark Michelson <mmichelson AT digium DOT com>         
         CVE Name       Pending                                               

    Description  Asterisk may be configured to only allow specific audio or   
                 video codecs to be used when communicating with a            
                 particular endpoint. When an endpoint sends an SDP offer     
                 that only lists codecs not allowed by Asterisk, the offer    
                 is rejected. However, in this case, RTP ports that are       
                 allocated in the process are not reclaimed.                  
                 This issue only affects the PJSIP channel driver in          
                 Asterisk. Users of the chan_sip channel driver are not       
                 As the resources are allocated after authentication, this    
                 issue only affects communications with authenticated         

    Resolution  The reported leak has been patched.                           

                               Affected Versions       
                         Product                       Release  
                  Asterisk Open Source                  1.8.x   Unaffected    
                  Asterisk Open Source                  11.x    Unaffected    
                  Asterisk Open Source                  12.x    All versions  
                  Asterisk Open Source                  13.x    All versions  
                   Certified Asterisk                  1.8.28   Unaffected    
                   Certified Asterisk                   11.6    Unaffected    

                                  Corrected In                
                            Product                              Release      
                      Asterisk Open Source                    12.8.1, 13.1.1  

                                SVN URL                              Revision   Asterisk 
                                                                     12    Asterisk 


    Asterisk Project Security Advisories are posted at                                                             
    This document may be superseded by later versions; if so, the latest      
    version will be posted at                                             and                        

                                Revision History
         Date            Editor                  Revisions Made               
    9 January, 2015  Mark Michelson  Initial creation                         

               Asterisk Project Security Advisory - AST-2015-001
              Copyright (c) 2015 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, LLC