Vigil@nce - Asterisk: denial of service via SRTP
February 2012 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
When the res_srtp module is loaded, an attacker can negotiate an
encrypted video stream, in order to stop Asterisk.
Severity: 2/4
Creation date: 20/01/2012
IMPACTED PRODUCTS
– Asterisk Open Source
DESCRIPTION OF THE VULNERABILITY
The SRTP (Secure Real-time Transport Protocol) protocol adds
authentication and encryption features to RTP. The Asterisk
res_srtp module implements SRTP.
The RFC 4568 defines security attributes of SDP (Session
Description Protocol). The "crypto:" attribute indicates
algorithms and keys. The process_crypto() function of the
channels/chan_sip.c file decodes this attribute.
However, if there is no RTP session for the requested media type
(video for example), the usage of the "crypto:" attribute
dereferences a NULL pointer in process_crypto().
When the res_srtp module is loaded, an attacker can therefore
negotiate an encrypted video stream, in order to stop Asterisk.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Asterisk-denial-of-service-via-SRTP-11310