Asterisk Opus Codec DoS (AST-2016-008)
Severity: High
Nessus Plugin ID: 95926

Synopsis
A telephony application running on the remote host is affected by a denial of service vulnerability.
Description
According to its SIP banner, the version of Asterisk running on the remote host is 13.12.0 or later but prior to 13.13.1, or 14.x prior to 14.2.1. It is, therefore, affected by a denial of service vulnerability (AST-2016-008) in the Opus codec's SDP format-parameter (fmtp) parser: when an SDP offer or answer carries Opus format parameters separated by space characters, the parser recursively calls itself until the process crashes. An unauthenticated, remote attacker can exploit this by sending a specially crafted SDP offer or answer.
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
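As an added example (not Nessus plugin code and not Asterisk source), the Python below does two things. First, it mirrors the plugin's version-only logic: it pulls the version out of a SIP Server/User-Agent banner and tests it against the half-open ranges given in the description; the regex assumes the default "Asterisk PBX <version>" banner text, and a custom useragent setting leaves the result "unknown", which is exactly the limitation the note above describes. Second, to make the described failure mode concrete, it contrasts a constructed, deliberately buggy fmtp "normalizer" that re-enters itself without making progress on an interior space (a made-up pattern illustrating the recursion, not Asterisk's actual code) with an iterative parser that accepts the "key=value; key=value" form used in RFC 7587's own examples. OPUS_PARAMS and the sample banners and SDP lines are constructed for this example.

```python
"""Added example for AST-2016-008: not Nessus plugin code and not Asterisk source.

Part 1 mirrors the plugin's version-only logic: read the Asterisk version out of
a SIP banner and test it against the affected ranges given in the description.
Part 2 contrasts a constructed, deliberately buggy recursive fmtp "normalizer"
(an illustration of the described crash mode, not Asterisk's real code) with an
iterative parser that tolerates the "key=value; key=value" form RFC 7587 uses.
"""
import re

# Half-open ranges from the description: 13.12.0 <= v < 13.13.1, 14.0.0 <= v < 14.2.1.
AFFECTED_RANGES = [((13, 12, 0), (13, 13, 1)), ((14, 0, 0), (14, 2, 1))]

# Assumes the default "Asterisk PBX <major>.<minor>.<patch>" banner text.
BANNER_RE = re.compile(r"Asterisk PBX (\d+)\.(\d+)\.(\d+)")

# Opus fmtp parameter names from RFC 7587 (constructed whitelist for this example).
OPUS_PARAMS = {"maxplaybackrate", "sprop-maxcapturerate", "maxaveragebitrate",
               "stereo", "sprop-stereo", "cbr", "useinbandfec", "usedtx"}


def banner_version(banner):
    """Return (major, minor, patch) from a Server/User-Agent header value, or None
    when no Asterisk version is advertised (custom useragent, GIT builds, ...)."""
    m = BANNER_RE.search(banner)
    return tuple(int(g) for g in m.groups()) if m else None


def is_affected(version):
    """Lower bound inclusive, fixed version exclusive, so 13.13.1 and 14.2.1 pass."""
    return any(lo <= version < hi for lo, hi in AFFECTED_RANGES)


def check_banner(banner):
    """'affected', 'not affected', or 'unknown' when the banner carries no version:
    a banner-only check can say nothing about a host that hides its version."""
    version = banner_version(banner)
    if version is None:
        return "unknown"
    return "affected" if is_affected(version) else "not affected"


def split_fmtp_line(line):
    """'a=fmtp:111 maxplaybackrate=48000; stereo=1' -> (111, 'maxplaybackrate=48000; stereo=1').
    Only the first blank separates payload type from parameters; any later blanks
    belong to the parameter list and are what the parser has to tolerate."""
    m = re.match(r"a=fmtp:(\d+)\s+(.*)$", line.strip())
    if not m:
        raise ValueError("not an fmtp line: %r" % line)
    return int(m.group(1)), m.group(2)


def naive_parse_fmtp(attrs):
    """Constructed buggy pattern: on seeing a blank it 'cleans up' and re-enters
    itself, but strip() removes only leading/trailing blanks, so an interior
    '; ' never goes away and the recursion only ends with RecursionError
    (the C analogue is stack exhaustion and a crash of the whole process)."""
    if " " in attrs:
        return naive_parse_fmtp(attrs.strip())
    return dict(p.split("=", 1) for p in attrs.split(";") if p)


def parse_fmtp(attrs, max_len=256):
    """Iterative parser: bounded input, ';' separators with optional blanks,
    unknown keys ignored (as RFC 7587 requires), values must be non-negative ints."""
    if len(attrs) > max_len:
        raise ValueError("fmtp parameter list too long")
    params = {}
    for part in attrs.split(";"):
        key, sep, value = part.partition("=")
        key, value = key.strip().lower(), value.strip()
        if sep and key in OPUS_PARAMS and value.isdigit():
            params[key] = int(value)   # anything else is ignored, never fatal
    return params


if __name__ == "__main__":
    for banner in ("Server: Asterisk PBX 13.12.2", "Server: Asterisk PBX 14.2.1", "Server: MyPBX"):
        print(banner, "->", check_banner(banner))
    pt, attrs = split_fmtp_line("a=fmtp:111 maxplaybackrate=48000; stereo=1; useinbandfec=1")
    print("payload type", pt, "->", parse_fmtp(attrs))
    try:
        naive_parse_fmtp(attrs)
    except RecursionError:
        print("naive parser recursed until the interpreter stopped it")
```

The version check is as weak as the banner it reads: an operator who changes the useragent string, or a distribution build that does not advertise a plain x.y.z version, produces "unknown" rather than a verdict, so treat that result as a prompt to confirm the version on the host. The parser contrast shows the property that matters for the fix: the safe version makes progress on every iteration and never re-enters itself on input it has not changed.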
Solution
Upgrade to Asterisk version 13.13.1 / 14.2.1 or later.