Incorrect access controls in res_srtp.c in Sangoma Asterisk 13.38.1, 16.16.0, 17.9.1, and 18.2.0 and Certified Asterisk 16.8-cert5 allow a remote unauthenticated attacker to prematurely terminate secure calls by replaying SRTP packets.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - Incorrect access controls in res_srtp.c in Sangoma Asterisk 13.38.1, 16.16.0, 17.9.1, and 18.2.0 and     Certified Asterisk 16.8-cert5 allow a remote unauthenticated attacker to prematurely terminate secure     calls by replaying SRTP packets. (CVE-2021-26712)

Note that Nessus relies on the presence of the package as reported by the vendor.

The remote host is affected by the vulnerability described in GLSA-202412-03 (Asterisk: Multiple Vulnerabilities)

    Multiple vulnerabilities have been discovered in Asterisk. Please review the CVE identifiers referenced     below for details.

Tenable has extracted the preceding description block directly from the Gentoo Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Asterisk project reports :

An unauthenticated remote attacker could replay SRTP packets which could cause an Asterisk instance configured without strict RTP validation to tear down calls prematurely.

ID	Name	Product	Family	Severity
252407	Linux Distros Unpatched Vulnerability : CVE-2021-26712	Nessus	Misc.	high
212188	GLSA-202412-03 : Asterisk: Multiple Vulnerabilities	Nessus	Gentoo Local Security Checks	critical
146601	FreeBSD : asterisk -- Remote attacker could prematurely tear down SRTP calls (5d8ef725-7228-11eb-8386-001999f8d30b)	Nessus	FreeBSD Local Security Checks	high

Detections

Analytics

CVE-2021-26712

high

Tenable Plugins

high

critical

high