Asterisk: RTP Bleed vulnerability
Published on Sep 1, 2017 in CVE-2017-14099, asterisk, owasp, security advisory
- Authors:
  - Klaus-Peter Junghanns kapejod@gmail.com
  - Sandro Gauci sandro@enablesecurity.com
- Vulnerable version: Asterisk 11.4.0 to 14.6.1 (fix incomplete)
- References: AST-2017-005, AST-2017-008, CVE-2017-14099
- Advisory URL: https://www.enablesecurity.com/advisories/ES2017-04-asterisk-rtp-bleed/
- Timeline:
  - First report date: 2011-09-11
  - Fix applied: 2011-09-21
  - Issue apparently reintroduced: 2013-03-07
  - New report date: 2017-05-17
  - Vendor patch provided for testing: 2017-05-23
  - Vendor advisory: 2017-08-31
  - Enable Security advisory: 2017-09-01
  - Vendor updated advisory: 2017-09-19
Description
When Asterisk is configured with the nat=yes and strictrtp=yes (on by default) options, it is vulnerable to an attack which we call RTP Bleed. Further information about the attack can be found at https://rtpbleed.com.