rtpengine: RTP Inject and RTP Bleed vulnerabilities despite proper configuration
Published on Jul 31, 2025 in CVE-2025-53399, rtpengine, owasp, security advisory
- CVSS v4.0
  - Exploitability: High
  - Complexity: Low
  - Vulnerable system: Medium
  - Subsequent system: Medium
  - Exploitation: High
  - Security requirements: High
  - Vector: link
- Other references: CVE-2025-53399
- Fixed versions: >= mr13.4.1.1
- Enable Security Advisory: https://www.enablesecurity.com/advisories/ES2025-01-rtpengine-improper-behavior-bleed-inject/
- Reproduction tools: https://github.com/EnableSecurity/advisories/tree/master/ES2025-01-rtpengine-improper-behavior-bleed-inject
- Tested vulnerable versions: mr13.3.1.4 and lower
- Timeline:
  - First report: 2025-04-24
  - Triaged: 2025-04-30
  - Fix provided for testing: 2025-05-05
  - Various back and forth and more fixes: 2025-05 / 2025-06
  - Vendor applied all fixes satisfactorily to master branch: 2025-06-05
  - Enable Security verified and confirmed fix: 2025-06-26
  - Vendor release with fix (mr13.4.1.1): 2025-07-03
  - Enable Security advisory: 2025-07-31
Description
Media servers often support source address learning to dynamically adapt to network conditions and client behavior. This is especially useful in scenarios involving NAT where the source IP and port of incoming RTP packets may differ from what was initially signaled via SDP over SIP. However, this mechanism can be exploited for two types of attacks if malicious packets are accepted as legitimate:
…

FreeSWITCH: SIP digest leak for configured gateways
Published on Oct 25, 2021 in CVE-2021-41158, freeswitch, owasp, security advisory
- Fixed versions: v1.10.7
- Enable Security Advisory: https://www.enablesecurity.com/advisories/ES2021-05-freeswitch-vulnerable-to-SIP-digest-leak/
- Vendor Security Advisory: https://github.com/signalwire/freeswitch/security/advisories/GHSA-3v3f-99mv-qvj4
- Other references: CVE-2021-41158
- Tested vulnerable versions: <= v1.10.6
- Timeline:
  - Report date: 2021-04-22
  - Triaged: 2021-04-23
  - Fix provided for testing: 2021-08-13
  - Second fix provided for testing: 2021-09-14
  - Vendor release with fix: 2021-10-24
  - Enable Security advisory: 2021-10-25
Description
An attacker can perform a SIP digest leak attack against FreeSWITCH and receive the challenge response of a gateway configured on the FreeSWITCH server. This is done by challenging FreeSWITCH’s SIP requests with the realm set to that of the gateway, thus forcing FreeSWITCH to respond with the challenge response which is based on the password of that targeted gateway.
…

Asterisk: RTP Bleed vulnerability
Published on Sep 1, 2017 in CVE-2017-14099, asterisk, owasp, security advisory
- Authors:
  - Klaus-Peter Junghanns kapejod@gmail.com
  - Sandro Gauci sandro@enablesecurity.com
- Vulnerable version: Asterisk 11.4.0 to 14.6.1 (fix incomplete)
- References: AST-2017-005, AST-2017-008, CVE-2017-14099
- Advisory URL: https://www.enablesecurity.com/advisories/ES2017-04-asterisk-rtp-bleed/
- Timeline:
  - First report date: 2011-09-11
  - Fix applied: 2011-09-21
  - Issue apparently reintroduced: 2013-03-07
  - New report date: 2017-05-17
  - Vendor patch provided for testing: 2017-05-23
  - Vendor advisory: 2017-08-31
  - Enable Security advisory: 2017-09-01
  - Vendor updated advisory: 2017-09-19
Description
When Asterisk is configured with the nat=yes and strictrtp=yes (on by default) options, it is vulnerable to an attack which we call RTP Bleed. Further information about the attack can be found at https://rtpbleed.com.