CVSS2: 5 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS: 0.021 Low
Percentile: 89.1%

In res/res_rtp_asterisk.c in Asterisk 11.x before 11.25.2, 13.x before
13.17.1, and 14.x before 14.6.1 and Certified Asterisk 11.x before
11.6-cert17 and 13.x before 13.13-cert5, unauthorized data disclosure
(media takeover in the RTP stack) is possible with careful timing by an
attacker. The “strictrtp” option in rtp.conf enables a feature of the RTP
stack that learns the source address of media for a session and drops any
packets that do not originate from the expected address. This option is
enabled by default in Asterisk 11 and above. The “nat” and “rtp_symmetric”
options (for chan_sip and chan_pjsip, respectively) enable symmetric RTP
support in the RTP stack. This uses the source address of incoming media as
the target address of any sent media. This option is not enabled by
default, but is commonly enabled to handle devices behind NAT. A change was
made to the strict RTP support in the RTP stack to better tolerate late
media when a reinvite occurs. When combined with the symmetric RTP support,
this introduced an avenue where media could be hijacked. Instead of only
learning a new address when expected, the new code allowed a new source
address to be learned at all times. If a flood of RTP traffic was received,
the strict RTP support would allow the new address to provide media, and
(with symmetric RTP enabled) outgoing traffic would be sent to this new
address, allowing the media to be hijacked. Provided the attacker continued
to send traffic, they would continue to receive traffic as well.
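
The interaction described above, as an added example: a simplified Python model of strict RTP source learning combined with symmetric RTP, showing the "learn at all times" behaviour beside learning only when expected. This is not Asterisk's code; `RtpSession`, `PROBATION`, `run` and the addresses are constructed for illustration.

```python
"""Simplified model of strict RTP source learning combined with symmetric RTP.
Not Asterisk source: class, names and PROBATION are constructed for illustration."""

PROBATION = 4  # consecutive packets a new source must send to be learned (assumed value)


class RtpSession:
    def __init__(self, signalled_addr, symmetric, learn_at_all_times):
        self.signalled_addr = signalled_addr          # address negotiated in signalling
        self.symmetric = symmetric                    # models nat / rtp_symmetric
        self.learn_at_all_times = learn_at_all_times  # True models the flawed change
        self.learning = True                          # a source is expected at call start
        self.learned = None
        self.candidate, self.count = None, 0

    def expect_new_source(self):
        """Signalling (e.g. a reinvite) says the media source may change."""
        self.learning = True

    def receive(self, src):
        """Return True if a packet from src is accepted, False if it is dropped."""
        if src == self.learned:
            self.candidate, self.count = None, 0
            return True
        if not (self.learning or self.learn_at_all_times):
            return False                              # strict RTP: unexpected source
        if src != self.candidate:
            self.candidate, self.count = src, 0
        self.count += 1
        if self.count < PROBATION:
            return False                              # candidate still on probation
        self.learned, self.learning = src, False
        self.candidate, self.count = None, 0
        return True

    def send_target(self):
        """Where outgoing media goes: the learned source if symmetric RTP is on."""
        if self.symmetric and self.learned:
            return self.learned
        return self.signalled_addr


def run(symmetric, learn_at_all_times):
    """Replay a constructed packet sequence; return (final target, accepted sources)."""
    phone, other = ("198.51.100.10", 4000), ("203.0.113.7", 5000)  # documentation ranges
    s = RtpSession(phone, symmetric, learn_at_all_times)
    trace = [phone] * 5 + [other] * 6                 # constructed sample traffic
    accepted = [src for src in trace if s.receive(src)]
    return s.send_target(), accepted
```

With both flags set, the outgoing target ends up at the second address; with learning restricted to expected changes, every packet from it is dropped and the target stays on the phone.
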
downloads.asterisk.org/pub/security/AST-2017-005.html
www.securitytracker.com/id/1039251
bugs.debian.org/873907
gerrit.asterisk.org/#/c/6356/
issues.asterisk.org/jira/browse/ASTERISK-27013
launchpad.net/bugs/cve/CVE-2017-14099
nvd.nist.gov/vuln/detail/CVE-2017-14099
rtpbleed.com
security-tracker.debian.org/tracker/CVE-2017-14099
www.cve.org/CVERecord?id=CVE-2017-14099