Asterisk chan_pjsip Incompatible Codecs DoS (AST-2015-001)

This script is Copyright (C) 2015-2016 Tenable Network Security, Inc.


Synopsis :

A telephony application running on the remote host is affected by a
denial of service vulnerability.

Description :

According to its SIP banner, the version of Asterisk running on the
remote host has a flaw in which it fails to reclaim allocated RTP
ports whenever a connection is made to an authenticated endpoint whose
SDP offers only codecs that are not allowed by Asterisk. An attacker
could exploit this vulnerability to cause an exhaustion of available
ports, leading to a denial of service. Note that this only affects
Asterisk using the PJSIP channel driver.

Note that Nessus has not tested for this issue but has instead relied
only on the application's self-reported version number.

See also :

http://downloads.asterisk.org/pub/security/AST-2015-001.html
https://issues.asterisk.org/jira/browse/ASTERISK-24666

Solution :

Upgrade to Asterisk 12.8.1 / 13.1.1 or apply the appropriate patch
listed in the Asterisk advisory.

Risk factor :

Medium / CVSS Base Score : 4.0
(CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:P)
CVSS Temporal Score : 3.5
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true

Family: Misc.

Nessus Plugin ID: 81205

Bugtraq ID: 72380

CVE ID:
