Summary: ASTERISK-24666: Security Vulnerability: RTP not closed after sip call using unsupported codec
Reporter: Y Ateya (yateya)
Labels: Security
Date Opened: 2015-01-06 10:37:01.000-0600
Date Closed: 2015-01-28 11:34:20.000-0600
Priority: Critical
Regression?:
Status: Closed/Complete
Components: Channels/chan_pjsip
Versions: 12.8.0 13.1.0
Frequency of Occurrence: Constant
Related Issues:
Environment: ubuntu 12.04; pjproject build from asterisk git repo.
Attachments:
( 0) pjsip_rtp.log.bz2
( 1) pjsip.conf
( 2) rtp_cleanup_3.diff
( 3) rtp_ports.txt.bz2
Description: This is similar to ASTERISK-23721; but on asterisk 13.1.0.
Attached pjsip.conf
To reproduce the bug:
  - Run watch -n1 "netstat -lp | grep aster"
  - Make a call using sip client (which doesn't support g729)
  - You will get message "No joint capabilities for 'audio' media stream between our configuration((g729)) and incoming SDP((ulaw|gsm|alaw))"
  - Check netstat result; you will find 2 RTP ports opened and not closed.
  - Allow ulaw; make same call from same sip client
  - ports will be opened for the call duration and then removed after hangup.
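
Added example, not part of the original report or of Asterisk: a check that automates the netstat comparison in the steps above by diffing two `netstat -lnup` snapshots and reporting RTP/RTCP port pairs that are still bound when no call is active. The sample output is constructed, and the 10000-20000 range and the even/odd pairing are assumptions about the server's RTP configuration.

```python
# Constructed `netstat -lnup` samples (not taken from the ticket's attachments).
BASELINE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 0.0.0.0:5060            0.0.0.0:*                           1234/asterisk
udp        0      0 0.0.0.0:68              0.0.0.0:*                           801/dhclient
"""
AFTER_REJECTED_CALLS = BASELINE + """\
udp        0      0 0.0.0.0:14520           0.0.0.0:*                           1234/asterisk
udp        0      0 0.0.0.0:14521           0.0.0.0:*                           1234/asterisk
udp        0      0 0.0.0.0:17338           0.0.0.0:*                           1234/asterisk
udp        0      0 0.0.0.0:17339           0.0.0.0:*                           1234/asterisk
"""

RTP_RANGE = (10000, 20000)  # assumption: rtpstart/rtpend as in the sample rtp.conf


def udp_ports(netstat_text, proc="asterisk"):
    """Return the set of UDP local ports owned by `proc`."""
    ports = set()
    for line in netstat_text.splitlines():
        f = line.split()
        # UDP rows have no State column: proto, recv-q, send-q, local, foreign, pid/program
        if len(f) < 6 or not f[0].startswith("udp") or "/" not in f[5]:
            continue
        port = f[3].rsplit(":", 1)[-1]
        if f[5].split("/", 1)[1] == proc and port.isdigit():
            ports.add(int(port))
    return ports


def leaked_rtp_pairs(baseline_text, current_text, active_calls):
    """RTP/RTCP port pairs opened since the baseline while no call is up."""
    if active_calls:  # ports are legitimately open for the duration of a call
        return []
    lo, hi = RTP_RANGE
    new = udp_ports(current_text) - udp_ports(baseline_text)
    new = {p for p in new if lo <= p <= hi}
    # assumption: RTP sits on an even port and RTCP on the next odd one
    return sorted((p, p + 1) for p in new if p % 2 == 0 and p + 1 in new)


if __name__ == "__main__":
    # active_calls would come from the server, e.g. `core show channels count`
    for rtp, rtcp in leaked_rtp_pairs(BASELINE, AFTER_REJECTED_CALLS, active_calls=0):
        print(f"leaked RTP session: rtp={rtp} rtcp={rtcp}")
```

A pair count that grows while the channel count stays at zero matches the behaviour described in the reproduction steps.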

Comments:

By: Matt Jordan (mjordan) 2015-01-06 11:33:10.353-0600

I've locked this down, as this could be a security issue.

In the future, if you find a resource exhaustion issue in Asterisk, *please* e-mail security@asterisk.org.

In the meantime, please provide a full debug log (with 'pjsip set logger on') illustrating the problem, along with your pjsip.conf.

By: Y Ateya (yateya) 2015-01-06 13:26:22.693-0600

pjsip.conf : pjsip configuration of the remote asterisk server.
pjsip_rtp.log.bz2: log of pjsip logger
rtp_ports.txt.bz2: The list of open ports after the test with zero active calls.

By: Y Ateya (yateya) 2015-01-06 16:59:34.033-0600

Added required attachments.

By: Matt Jordan (mjordan) 2015-01-07 10:53:15.176-0600

Thanks for the logs and configuration. As soon as we have a patch for the issue, we'll attach it here.

By: Mark Michelson (mmichelson) 2015-01-07 17:25:05.876-0600

As an update, I have reproduced this problem, and I have a couple of SIPp scenarios I've written to test this out.
I also have identified the problem, and have a couple of ideas for solutions. I'll update this issue when I've got a patch and have code up for review.

By: Mark Michelson (mmichelson) 2015-01-08 12:12:13.818-0600

I have created a patch that solves the issue locally for me. I have also put this patch up for review at https://reviewboard.asterisk.org/r/4323 .