Cybersecurity specialists report the discovery of two critical vulnerabilities in Asterisk, a popular open source Voice over Internet Protocol (VoIP) telephony solution that provides call center functions. According to the report, successful exploitation of these flaws would allow threat actors to launch denial of service (DoS) attacks against vulnerable deployments.
Below are brief descriptions of the reported flaws, along with their respective identifiers and the scores assigned under the Common Vulnerability Scoring System (CVSS).
CVE-2021-31878: Improper management of internal resources in the PJSIP channel controller (res_pjsip_session.c) would allow remote users to send re-INVITE messages without SDP after Asterisk has sent a BYE request, resulting in a DoS condition.
This is a medium severity flaw that received a CVSS score of 3.8/10.
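A defender-side check for the message sequence described for CVE-2021-31878, as an added example that is not code from the Asterisk project or from the original report: it scans a capture for an in-dialog INVITE without SDP that arrives after Asterisk has sent a BYE on the same Call-ID. The capture format (direction plus raw SIP message), the function names and all sample values are assumptions constructed for illustration.

```python
# Constructed sample capture as seen at the Asterisk host (all values made up).
# "out" = sent by Asterisk, "in" = received by Asterisk.
SAMPLE = [
    ("in",  "INVITE sip:100@pbx.example SIP/2.0\r\nCall-ID: a1\r\nTo: <sip:100@pbx.example>\r\n"
            "Content-Type: application/sdp\r\nContent-Length: 5\r\n\r\nv=0\r\n"),
    ("out", "BYE sip:alice@198.51.100.7 SIP/2.0\r\nCall-ID: a1\r\nContent-Length: 0\r\n\r\n"),
    ("in",  "INVITE sip:100@pbx.example SIP/2.0\r\nCall-ID: a1\r\n"
            "To: <sip:100@pbx.example>;tag=as1\r\nContent-Length: 0\r\n\r\n"),
    # Late-offer re-INVITE on a live dialog: no SDP, but no BYE was sent, so not flagged.
    ("in",  "INVITE sip:100@pbx.example SIP/2.0\r\nCall-ID: b2\r\n"
            "To: <sip:100@pbx.example>;tag=as2\r\nContent-Length: 0\r\n\r\n"),
]

# SIP compact header forms mapped to their long names.
COMPACT = {"i": "call-id", "t": "to", "c": "content-type", "l": "content-length"}

def parse(msg):
    """Split a raw SIP message into (method, lower-cased headers, body)."""
    head, _, body = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0]   # "SIP/2.0" for responses, which are ignored
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        headers[COMPACT.get(name, name)] = value.strip()
    return method, headers, body

def has_sdp(headers, body):
    """True when the message declares and carries an SDP body."""
    return "application/sdp" in headers.get("content-type", "").lower() and bool(body.strip())

def find_reinvite_after_bye(capture):
    """Return (index, call_id) for each SDP-less re-INVITE received after our BYE."""
    bye_sent, hits = set(), []
    for idx, (direction, msg) in enumerate(capture):
        method, headers, body = parse(msg)
        call_id = headers.get("call-id")
        if call_id is None:
            continue
        if direction == "out" and method == "BYE":
            bye_sent.add(call_id)
        elif direction == "in" and method == "INVITE":
            in_dialog = ";tag=" in headers.get("to", "").lower()  # To-tag marks a re-INVITE
            if in_dialog and call_id in bye_sent and not has_sdp(headers, body):
                hits.append((idx, call_id))
    return hits
```

A hit is a signal to check whether the host runs an affected version, not proof of an attack on its own, since retransmissions and race conditions can produce the same ordering.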
CVE-2021-32558: This flaw exists due to incorrect validation of user-provided input in the IAX2 channel driver chan_iax2.c. Remote threat actors can send a packet that contains an unsupported media format, resulting in a DoS condition.
This is a medium severity flaw that received a CVSS score of 6.5/10.
Both flaws reside in the following versions of Asterisk: 13.23.0 rc1, 13.24.0 rc1, 13.25.0 rc1, 13.26.0 rc1, 13.27.0 rc1, 13.28.0 rc1, 13.29.0 rc1, 13.30.0 rc1, 13.31.0 rc1, 13.32.0 rc1, 13.33.0 rc1, 13.34.0 rc1, 13.35.0 rc1, 13.36.0 rc1, 13.37.0 rc1, 13.38.0, 13.38.0 rc1, 13.38.1, 13.38.2, 16.2.0 rc1, 16.3.0 rc1, 16.4.0 rc1, 16.5.0 rc1, 16.6.0 rc1, 16.7.0 rc1, 16.8.0 rc1, 16.9.0 rc1, 16.10.0 rc1, 16.11.0 rc1, 16.12.0 rc1, 16.13.0 rc1, 16.14.0 rc1, 16.15.0 rc1, 16.16.0 rc1, 16.17.0 rc1, 16.18.0 rc1, 16.19.0, 16.19.0 rc1, 17.0.0, 17.0.0 rc1, 17.0.1, 17.1.0 rc1, 17.2.0 rc1, 17.3.0 rc1, 17.4.0 rc1, 17.5.0 rc1, 17.6.0 rc1, 17.7.0 rc1, 17.8.0 rc1, 17.9.0, 17.9.0 rc1, 17.9.1, 17.9.2, 17.9.3, 18.0.0 rc1, 18.1.0 rc1, 18.2.0 rc1, 18.3.0, 18.3.0 rc1, 18.4.0, 18.4.0 rc1, 18.5.0 and 18.5.0 rc1.
While the flaws can be exploited by unauthenticated remote threat actors, so far no exploitation attempts in the wild have been reported, nor any malware variant associated with the attack.
The flaws have already been addressed, so users of affected deployments are encouraged to update as soon as possible.