PJSIP is a free and open source multimedia communication library written in C. A denial-of-service vulnerability affects applications on a 32-bit systems that use PJSIP versions 2.12 and prior to play/read invalid WAV files. The vulnerability occurs when reading WAV file data chunks with length greater than 31-bit integers. The vulnerability does not affect 64-bit apps and should not affect apps that only plays trusted WAV files. A patch is available on the `master` branch of the `pjsip/project` GitHub repository. As a workaround, apps can reject a WAV file received from an unknown source or validate the file first.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - PJSIP is a free and open source multimedia communication library written in C. A denial-of-service     vulnerability affects applications on a 32-bit systems that use PJSIP versions 2.12 and prior to play/read     invalid WAV files. The vulnerability occurs when reading WAV file data chunks with length greater than     31-bit integers. The vulnerability does not affect 64-bit apps and should not affect apps that only plays     trusted WAV files. A patch is available on the `master` branch of the `pjsip/project` GitHub repository.
    As a workaround, apps can reject a WAV file received from an unknown source or validate the file first.
    (CVE-2022-24792)

Note that Nessus relies on the presence of the package as reported by the vendor.

The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3194 advisory.

    -------------------------------------------------------------------------     Debian LTS Advisory DLA-3194-1                debian-lts@lists.debian.org     https://www.debian.org/lts/security/                      Markus Koschany     November 17, 2022                             https://wiki.debian.org/LTS
    -------------------------------------------------------------------------

    Package        : asterisk     Version        : 1:16.28.0~dfsg-0+deb10u1     CVE ID         : CVE-2021-37706 CVE-2021-43299 CVE-2021-43300 CVE-2021-43301                      CVE-2021-43302 CVE-2021-43303 CVE-2021-43804 CVE-2021-43845                      CVE-2021-46837 CVE-2022-21722 CVE-2022-21723 CVE-2022-23608                      CVE-2022-24763 CVE-2022-24764 CVE-2022-24786 CVE-2022-24792                      CVE-2022-24793 CVE-2022-26498 CVE-2022-26499 CVE-2022-26651     Debian Bug     : 1014998 1018073 1014976

    Multiple security vulnerabilities have been found in Asterisk, an Open Source     Private Branch Exchange. Buffer overflows and other programming errors could be     exploited for information disclosure or the execution of arbitrary code.

    Special care should be taken when upgrading to this new upstream release.
    Some configuration files and options have changed in order to remedy     certain security vulnerabilities. Most notably the pjsip TLS listener only     accepts TLSv1.3 connections in the default configuration now. This can be     reverted by adding method=tlsv1_2 to the transport in pjsip.conf. See also     https://issues.asterisk.org/jira/browse/ASTERISK-29017.

    For Debian 10 buster, these problems have been fixed in version     1:16.28.0~dfsg-0+deb10u1.

    We recommend that you upgrade your asterisk packages.

    For the detailed security status of asterisk please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/asterisk

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS     Attachment:
    signature.asc     Description: This is a digitally signed message part

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5285 advisory.

  - PJSIP is a free and open source multimedia communication library written in C language implementing     standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In affected versions if the incoming     STUN message contains an ERROR-CODE attribute, the header length is not checked before performing a     subtraction operation, potentially resulting in an integer underflow scenario. This issue affects all     users that use STUN. A malicious actor located within the victim's network may forge and send a specially     crafted UDP (STUN) message that could remotely execute arbitrary code on the victim's machine. Users are     advised to upgrade as soon as possible. There are no known workarounds. (CVE-2021-37706)

  - Stack overflow in PJSUA API when calling pjsua_player_create. An attacker-controlled 'filename' argument     may cause a buffer overflow since it is copied to a fixed-size stack buffer without any size validation.
    (CVE-2021-43299)

  - Stack overflow in PJSUA API when calling pjsua_recorder_create. An attacker-controlled 'filename' argument     may cause a buffer overflow since it is copied to a fixed-size stack buffer without any size validation.
    (CVE-2021-43300)

  - Stack overflow in PJSUA API when calling pjsua_playlist_create. An attacker-controlled 'file_names'     argument may cause a buffer overflow since it is copied to a fixed-size stack buffer without any size     validation. (CVE-2021-43301)

  - Read out-of-bounds in PJSUA API when calling pjsua_recorder_create. An attacker-controlled 'filename'     argument may cause an out-of-bounds read when the filename is shorter than 4 characters. (CVE-2021-43302)

  - Buffer overflow in PJSUA API when calling pjsua_call_dump. An attacker-controlled 'buffer' argument may     cause a buffer overflow, since supplying an output buffer smaller than 128 characters may overflow the     output buffer, regardless of the 'maxlen' argument supplied (CVE-2021-43303)

  - PJSIP is a free and open source multimedia communication library written in C language implementing     standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In affected versions if the incoming     RTCP BYE message contains a reason's length, this declared length is not checked against the actual     received packet size, potentially resulting in an out-of-bound read access. This issue affects all users     that use PJMEDIA and RTCP. A malicious actor can send a RTCP BYE message with an invalid reason length.
    Users are advised to upgrade as soon as possible. There are no known workarounds. (CVE-2021-43804)

  - PJSIP is a free and open source multimedia communication library. In version 2.11.1 and prior, if incoming     RTCP XR message contain block, the data field is not checked against the received packet size, potentially     resulting in an out-of-bound read access. This affects all users that use PJMEDIA and RTCP XR. A malicious     actor can send a RTCP XR message with an invalid packet size. (CVE-2021-43845)

  - res_pjsip_t38 in Sangoma Asterisk 16.x before 16.16.2, 17.x before 17.9.3, and 18.x before 18.2.2, and     Certified Asterisk before 16.8-cert7, allows an attacker to trigger a crash by sending an m=image line and     zero port in a response to a T.38 re-invite initiated by Asterisk. This is a re-occurrence of the     CVE-2019-15297 symptoms but not for exactly the same reason. The crash occurs because there is an append     operation relative to the active topology, but this should instead be a replace operation.
    (CVE-2021-46837)

  - PJSIP is a free and open source multimedia communication library written in C language implementing     standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In version 2.11.1 and prior, there     are various cases where it is possible that certain incoming RTP/RTCP packets can potentially cause out-     of-bound read access. This issue affects all users that use PJMEDIA and accept incoming RTP/RTCP. A patch     is available as a commit in the `master` branch. There are no known workarounds. (CVE-2022-21722)

  - PJSIP is a free and open source multimedia communication library written in C language implementing     standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In versions 2.11.1 and prior, parsing     an incoming SIP message that contains a malformed multipart can potentially cause out-of-bound read     access. This issue affects all PJSIP users that accept SIP multipart. The patch is available as commit in     the `master` branch. There are no known workarounds. (CVE-2022-21723)

  - PJSIP is a free and open source multimedia communication library written in C language implementing     standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In versions up to and including     2.11.1 when in a dialog set (or forking) scenario, a hash key shared by multiple UAC dialogs can     potentially be prematurely freed when one of the dialogs is destroyed . The issue may cause a dialog set     to be registered in the hash table multiple times (with different hash keys) leading to undefined behavior     such as dialog list collision which eventually leading to endless loop. A patch is available in commit     db3235953baa56d2fb0e276ca510fefca751643f which will be included in the next release. There are no known     workarounds for this issue. (CVE-2022-23608)

  - PJSIP is a free and open source multimedia communication library written in the C language. Versions 2.12     and prior contain a denial-of-service vulnerability that affects PJSIP users that consume PJSIP's XML     parsing in their apps. Users are advised to update. There are no known workarounds. (CVE-2022-24763)

  - PJSIP is a free and open source multimedia communication library written in C. Versions 2.12 and prior     contain a stack buffer overflow vulnerability that affects PJSUA2 users or users that call the API     `pjmedia_sdp_print(), pjmedia_sdp_media_print()`. Applications that do not use PJSUA2 and do not directly     call `pjmedia_sdp_print()` or `pjmedia_sdp_media_print()` should not be affected. A patch is available on     the `master` branch of the `pjsip/pjproject` GitHub repository. There are currently no known workarounds.
    (CVE-2022-24764)

  - PJSIP is a free and open source multimedia communication library written in C. PJSIP versions 2.12 and     prior do not parse incoming RTCP feedback RPSI (Reference Picture Selection Indication) packet, but any     app that directly uses pjmedia_rtcp_fb_parse_rpsi() will be affected. A patch is available in the `master`     branch of the `pjsip/pjproject` GitHub repository. There are currently no known workarounds.
    (CVE-2022-24786)

  - PJSIP is a free and open source multimedia communication library written in C. A denial-of-service     vulnerability affects applications on a 32-bit systems that use PJSIP versions 2.12 and prior to play/read     invalid WAV files. The vulnerability occurs when reading WAV file data chunks with length greater than     31-bit integers. The vulnerability does not affect 64-bit apps and should not affect apps that only plays     trusted WAV files. A patch is available on the `master` branch of the `pjsip/project` GitHub repository.
    As a workaround, apps can reject a WAV file received from an unknown source or validate the file first.
    (CVE-2022-24792)

  - PJSIP is a free and open source multimedia communication library written in C. A buffer overflow     vulnerability in versions 2.12 and prior affects applications that uses PJSIP DNS resolution. It doesn't     affect PJSIP users who utilize an external resolver. A patch is available in the `master` branch of the     `pjsip/pjproject` GitHub repository. A workaround is to disable DNS resolution in PJSIP config (by setting     `nameserver_count` to zero) or use an external resolver instead. (CVE-2022-24793)

  - An issue was discovered in Asterisk through 19.x. When using STIR/SHAKEN, it is possible to download files     that are not certificates. These files could be much larger than what one would expect to download,     leading to Resource Exhaustion. This is fixed in 16.25.2, 18.11.2, and 19.3.2. (CVE-2022-26498)

  - An SSRF issue was discovered in Asterisk through 19.x. When using STIR/SHAKEN, it's possible to send     arbitrary requests (such as GET) to interfaces such as localhost by using the Identity header. This is     fixed in 16.25.2, 18.11.2, and 19.3.2. (CVE-2022-26499)

  - An issue was discovered in Asterisk through 19.x and Certified Asterisk through 16.8-cert13. The func_odbc     module provides possibly inadequate escaping functionality for backslash characters in SQL queries,     resulting in user-provided data creating a broken SQL query or possibly a SQL injection. This is fixed in     16.25.2, 18.11.2, and 19.3.2, and 16.8-cert14. (CVE-2022-26651)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-202210-37 (PJSIP: Multiple Vulnerabilities)

  - PJSIP is a free and open source multimedia communication library written in C language implementing     standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In PJSIP before version 2.11.1, there     are a couple of issues found in the SSL socket. First, a race condition between callback and destroy, due     to the accepted socket having no group lock. Second, the SSL socket parent/listener may get destroyed     during handshake. Both issues were reported to happen intermittently in heavy load TLS connections. They     cause a crash, resulting in a denial of service. These are fixed in version 2.11.1. (CVE-2021-32686)

  - PJSIP is a free and open source multimedia communication library written in C language implementing     standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In affected versions if the incoming     STUN message contains an ERROR-CODE attribute, the header length is not checked before performing a     subtraction operation, potentially resulting in an integer underflow scenario. This issue affects all     users that use STUN. A malicious actor located within the victim's network may forge and send a specially     crafted UDP (STUN) message that could remotely execute arbitrary code on the victim's machine. Users are     advised to upgrade as soon as possible. There are no known workarounds. (CVE-2021-37706)

  - PJSIP is a free and open source multimedia communication library written in the C language implementing     standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In various parts of PJSIP, when     error/failure occurs, it is found that the function returns without releasing the currently held locks.
    This could result in a system deadlock, which cause a denial of service for the users. No release has yet     been made which contains the linked fix commit. All versions up to an including 2.11.1 are affected. Users     may need to manually apply the patch. (CVE-2021-41141)

  - PJSIP is a free and open source multimedia communication library written in C language implementing     standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In affected versions if the incoming     RTCP BYE message contains a reason's length, this declared length is not checked against the actual     received packet size, potentially resulting in an out-of-bound read access. This issue affects all users     that use PJMEDIA and RTCP. A malicious actor can send a RTCP BYE message with an invalid reason length.
    Users are advised to upgrade as soon as possible. There are no known workarounds. (CVE-2021-43804)

  - PJSIP is a free and open source multimedia communication library. In version 2.11.1 and prior, if incoming     RTCP XR message contain block, the data field is not checked against the received packet size, potentially     resulting in an out-of-bound read access. This affects all users that use PJMEDIA and RTCP XR. A malicious     actor can send a RTCP XR message with an invalid packet size. (CVE-2021-43845)

  - PJSIP is a free and open source multimedia communication library written in C language implementing     standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In version 2.11.1 and prior, there     are various cases where it is possible that certain incoming RTP/RTCP packets can potentially cause out-     of-bound read access. This issue affects all users that use PJMEDIA and accept incoming RTP/RTCP. A patch     is available as a commit in the `master` branch. There are no known workarounds. (CVE-2022-21722)

  - PJSIP is a free and open source multimedia communication library written in C language implementing     standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In versions 2.11.1 and prior, parsing     an incoming SIP message that contains a malformed multipart can potentially cause out-of-bound read     access. This issue affects all PJSIP users that accept SIP multipart. The patch is available as commit in     the `master` branch. There are no known workarounds. (CVE-2022-21723)

  - PJSIP is a free and open source multimedia communication library written in C language implementing     standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In versions up to and including     2.11.1 when in a dialog set (or forking) scenario, a hash key shared by multiple UAC dialogs can     potentially be prematurely freed when one of the dialogs is destroyed . The issue may cause a dialog set     to be registered in the hash table multiple times (with different hash keys) leading to undefined behavior     such as dialog list collision which eventually leading to endless loop. A patch is available in commit     db3235953baa56d2fb0e276ca510fefca751643f which will be included in the next release. There are no known     workarounds for this issue. (CVE-2022-23608)

  - PJSIP is a free and open source multimedia communication library written in C language. In versions prior     to and including 2.12 PJSIP there is a stack-buffer overflow vulnerability which only impacts PJSIP users     who accept hashed digest credentials (credentials with data_type `PJSIP_CRED_DATA_DIGEST`). This issue has     been patched in the master branch of the PJSIP repository and will be included with the next release.
    Users unable to upgrade need to check that the hashed digest data length must be equal to     `PJSIP_MD5STRLEN` before passing to PJSIP. (CVE-2022-24754)

  - PJSIP is a free and open source multimedia communication library written in the C language. Versions 2.12     and prior contain a denial-of-service vulnerability that affects PJSIP users that consume PJSIP's XML     parsing in their apps. Users are advised to update. There are no known workarounds. (CVE-2022-24763)

  - PJSIP is a free and open source multimedia communication library written in C. Versions 2.12 and prior     contain a stack buffer overflow vulnerability that affects PJSUA2 users or users that call the API     `pjmedia_sdp_print(), pjmedia_sdp_media_print()`. Applications that do not use PJSUA2 and do not directly     call `pjmedia_sdp_print()` or `pjmedia_sdp_media_print()` should not be affected. A patch is available on     the `master` branch of the `pjsip/pjproject` GitHub repository. There are currently no known workarounds.
    (CVE-2022-24764)

  - PJSIP is a free and open source multimedia communication library written in C. PJSIP versions 2.12 and     prior do not parse incoming RTCP feedback RPSI (Reference Picture Selection Indication) packet, but any     app that directly uses pjmedia_rtcp_fb_parse_rpsi() will be affected. A patch is available in the `master`     branch of the `pjsip/pjproject` GitHub repository. There are currently no known workarounds.
    (CVE-2022-24786)

  - PJSIP is a free and open source multimedia communication library written in C. A denial-of-service     vulnerability affects applications on a 32-bit systems that use PJSIP versions 2.12 and prior to play/read     invalid WAV files. The vulnerability occurs when reading WAV file data chunks with length greater than     31-bit integers. The vulnerability does not affect 64-bit apps and should not affect apps that only plays     trusted WAV files. A patch is available on the `master` branch of the `pjsip/project` GitHub repository.
    As a workaround, apps can reject a WAV file received from an unknown source or validate the file first.
    (CVE-2022-24792)

  - PJSIP is a free and open source multimedia communication library written in C. A buffer overflow     vulnerability in versions 2.12 and prior affects applications that uses PJSIP DNS resolution. It doesn't     affect PJSIP users who utilize an external resolver. A patch is available in the `master` branch of the     `pjsip/pjproject` GitHub repository. A workaround is to disable DNS resolution in PJSIP config (by setting     `nameserver_count` to zero) or use an external resolver instead. (CVE-2022-24793)

  - PJSIP is a free and open source multimedia communication library written in C language implementing     standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In versions prior to and including     2.12.1 a stack buffer overflow vulnerability affects PJSIP users that use STUN in their applications,     either by: setting a STUN server in their account/media config in PJSUA/PJSUA2 level, or directly using     `pjlib-util/stun_simple` API. A patch is available in commit 450baca which should be included in the next     release. There are no known workarounds for this issue. (CVE-2022-31031)

  - PJSIP is a free and open source multimedia communication library written in C. In versions of PJSIP prior     to 2.13 the PJSIP parser, PJMEDIA RTP decoder, and PJMEDIA SDP parser are affeced by a buffer overflow     vulnerability. Users connecting to untrusted clients are at risk. This issue has been patched and is     available as commit c4d3498 in the master branch and will be included in releases 2.13 and later. Users     are advised to upgrade. There are no known workarounds for this issue. (CVE-2022-39244)

  - PJSIP is a free and open source multimedia communication library written in C. When processing certain     packets, PJSIP may incorrectly switch from using SRTP media transport to using basic RTP upon SRTP     restart, causing the media to be sent insecurely. The vulnerability impacts all PJSIP users that use SRTP.
    The patch is available as commit d2acb9a in the master branch of the project and will be included in     version 2.13. Users are advised to manually patch or to upgrade. There are no known workarounds for this     vulnerability. (CVE-2022-39269)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3036 advisory.

  - PJSIP is a free and open source multimedia communication library written in the C language. Versions 2.12     and prior contain a denial-of-service vulnerability that affects PJSIP users that consume PJSIP's XML     parsing in their apps. Users are advised to update. There are no known workarounds. (CVE-2022-24763)

  - PJSIP is a free and open source multimedia communication library written in C. A denial-of-service     vulnerability affects applications on a 32-bit systems that use PJSIP versions 2.12 and prior to play/read     invalid WAV files. The vulnerability occurs when reading WAV file data chunks with length greater than     31-bit integers. The vulnerability does not affect 64-bit apps and should not affect apps that only plays     trusted WAV files. A patch is available on the `master` branch of the `pjsip/project` GitHub repository.
    As a workaround, apps can reject a WAV file received from an unknown source or validate the file first.
    (CVE-2022-24792)

  - PJSIP is a free and open source multimedia communication library written in C. A buffer overflow     vulnerability in versions 2.12 and prior affects applications that uses PJSIP DNS resolution. It doesn't     affect PJSIP users who utilize an external resolver. A patch is available in the `master` branch of the     `pjsip/pjproject` GitHub repository. A workaround is to disable DNS resolution in PJSIP config (by setting     `nameserver_count` to zero) or use an external resolver instead. (CVE-2022-24793)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
224512	Linux Distros Unpatched Vulnerability : CVE-2022-24792	Nessus	Misc.	high
167926	Debian dla-3194 : asterisk - security update	Nessus	Debian Local Security Checks	critical
167915	Debian DSA-5285-1 : asterisk - security update	Nessus	Debian Local Security Checks	critical
166740	GLSA-202210-37 : PJSIP: Multiple Vulnerabilities	Nessus	Gentoo Local Security Checks	critical
161794	Debian DLA-3036-1 : pjproject - LTS security update	Nessus	Debian Local Security Checks	high

Detections

Analytics

CVE-2022-24792

high

Tenable Plugins

high

critical

critical

critical

high