CVE-2017-16672 in Asterisk

Summary

by MITRE

An issue was discovered in Asterisk Open Source 13 before 13.18.1, 14 before 14.7.1, and 15 before 15.1.1 and Certified Asterisk 13.13 before 13.13-cert7. A memory leak occurs when an Asterisk pjsip session object is created and that call gets rejected before the session itself is fully established. When this happens the session object never gets destroyed. Eventually Asterisk can run out of memory and crash.


Analysis

by VulDB Data Team • 12/17/2019

The vulnerability resides in the pjsip channel driver of Asterisk Open Source 13 before 13.18.1, 14 before 14.7.1 and 15 before 15.1.1, and of Certified Asterisk 13.13 before 13.13-cert7. It is a memory leak in call setup: when an incoming session is rejected before it is fully established, the pjsip session object that was created for that call is never destroyed. The root cause is object lifecycle management rather than any attacker-controlled write; the allocation simply outlives the rejected call, and every such call adds to the resident memory of the Asterisk process.

The defect is a classic memory-management bug, CWE-401 (Missing Release of Memory after Effective Lifetime, earlier titled "Improper Release of Memory Before Removing Last Reference"), in the broader class of resource leaks. When Asterisk processes an incoming call through the pjsip channel driver it creates a session object to hold the call state; on the normal path that object is released when the call ends. On the early-rejection path the release never happens, so the object persists for the lifetime of the process. Because nothing reclaims the memory, the leak is unbounded: it grows with the number of rejected call attempts until allocation fails and Asterisk crashes.
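The following is an added illustration of the defect class described above, not Asterisk or pjsip source: a reference-counted session object is allocated for every incoming INVITE, and the early-reject path returns without dropping the reference it owns, so each rejected call leaves one object behind. The corrected handler beside it funnels every exit through a single release point. The types and names (session_t, sip_invite_t, live_sessions, handle_invite_*) are hypothetical, and the "unknown endpoint" rejection is a constructed trigger standing in for whatever caused the real rejection.

```c
/* Constructed example of CWE-401 on an early-reject path. Not Asterisk code;
 * all names are hypothetical. */
#include <stdlib.h>
#include <string.h>

static int live_sessions = 0;          /* session objects allocated but not yet freed */

typedef struct {
    int from_known_endpoint;           /* 1 if the INVITE maps to a configured endpoint */
} sip_invite_t;

typedef struct {
    int refcount;
    char call_id[64];
    int established;
} session_t;

static session_t *session_alloc(const char *call_id)
{
    session_t *s = calloc(1, sizeof *s);
    if (!s) return NULL;
    s->refcount = 1;                   /* the caller holds the initial reference */
    strncpy(s->call_id, call_id, sizeof s->call_id - 1);   /* calloc left a NUL */
    live_sessions++;
    return s;
}

static void session_unref(session_t *s)
{
    if (s && --s->refcount == 0) {
        live_sessions--;
        free(s);
    }
}

/* Vulnerable pattern: the reject branch returns without releasing the
 * reference taken by session_alloc(), so the object outlives the call. */
static int handle_invite_leaky(const sip_invite_t *inv, const char *call_id)
{
    session_t *s = session_alloc(call_id);
    if (!s) return 500;
    if (!inv->from_known_endpoint) {
        return 403;                    /* rejected before establishment; s is never unref'd */
    }
    s->established = 1;
    session_unref(s);                  /* teardown on the established path */
    return 200;
}

/* Fixed pattern: every exit path drops the reference it owns. */
static int handle_invite_fixed(const sip_invite_t *inv, const char *call_id)
{
    session_t *s = session_alloc(call_id);
    if (!s) return 500;
    int code;
    if (!inv->from_known_endpoint) {
        code = 403;
    } else {
        s->established = 1;
        code = 200;
    }
    session_unref(s);                  /* single release point covers the reject path too */
    return code;
}

/* Drive n rejected INVITEs (constructed: unknown caller) through a handler and
 * return how many session objects are still alive afterwards. */
static int leaked_after_rejects(int (*handler)(const sip_invite_t *, const char *), int n)
{
    sip_invite_t bogus = { .from_known_endpoint = 0 };
    int before = live_sessions;
    for (int i = 0; i < n; i++) {
        handler(&bogus, "constructed-call-id");
    }
    return live_sessions - before;
}
```

Running a thousand rejected INVITEs through each handler makes the difference concrete: the leaky handler leaves a thousand live objects, the fixed one leaves none. The same counter approach (a live-object count checked against zero after a burst of rejected requests) is a cheap unit test for any early-exit path in reference-counted code.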

The operational impact is a denial of service of the Asterisk process. In high-traffic deployments the leak accumulates on its own: performance degrades as the process grows, latency rises and call capacity falls, and eventually the process crashes on memory exhaustion and every call it carries drops. The condition can also be driven on demand. An attacker who can reach the SIP listener and repeatedly send call attempts that are rejected before the session is established consumes memory at whatever rate the server processes requests, with no authentication or credential needed beyond whatever it takes to have the call rejected. On a host that does not cap the memory of the Asterisk process, the exhaustion also starves co-located services.

Mitigation is to upgrade to a fixed release: 13.18.1, 14.7.1, 15.1.1, or Certified Asterisk 13.13-cert7. Until the upgrade is deployed, monitor the resident memory of the Asterisk process and alert on sustained growth that does not return to baseline once load drops; a leak, unlike ordinary load, never gives the memory back, so a monotonic trend is the signature to watch for, and it should be correlated with the rate of rejected call attempts. Rate limiting call attempts per source, at the SIP front end or at a firewall in front of it, bounds how fast an attacker can drive the leak but does not close it. The bug is a reminder that session lifecycle code in VoIP stacks needs tests for every rejection path, not only the established-call path. Abnormal call patterns of this kind map to ATT&CK T1499.002, Endpoint Denial of Service: Service Exhaustion Flood.
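As an added example of the interim rate-limiting mitigation mentioned above (not Asterisk configuration or code), the following per-source token bucket admits a bounded burst of INVITEs from each source address and then only a sustained rate, so a single sender cannot trigger the leak thousands of times per second while the upgrade is pending. The table size, rate and burst values, and the traffic pattern fed to it are assumptions for the demonstration.

```c
/* Constructed per-source token-bucket limiter for SIP INVITEs. Not Asterisk
 * code; all names and parameters are hypothetical. */
#include <string.h>

#define MAX_SOURCES 64

typedef struct {
    char src[46];          /* textual source address (fits an IPv6 literal) */
    double tokens;         /* current bucket level */
    double last_ms;        /* time of the last refill, in milliseconds */
    int in_use;
} bucket_t;

typedef struct {
    bucket_t b[MAX_SOURCES];
    double rate_per_s;     /* sustained INVITEs allowed per second per source */
    double burst;          /* bucket capacity: the largest burst admitted at once */
} limiter_t;

static void limiter_init(limiter_t *l, double rate_per_s, double burst)
{
    memset(l, 0, sizeof *l);
    l->rate_per_s = rate_per_s;
    l->burst = burst;
}

/* Find or create the bucket for src. Returns NULL when the table is full,
 * which the caller treats as a drop (fail closed under a many-source flood). */
static bucket_t *bucket_for(limiter_t *l, const char *src, double now_ms)
{
    bucket_t *free_slot = NULL;
    for (int i = 0; i < MAX_SOURCES; i++) {
        if (l->b[i].in_use && strcmp(l->b[i].src, src) == 0) return &l->b[i];
        if (!l->b[i].in_use && !free_slot) free_slot = &l->b[i];
    }
    if (!free_slot) return NULL;
    strncpy(free_slot->src, src, sizeof free_slot->src - 1);
    free_slot->src[sizeof free_slot->src - 1] = '\0';
    free_slot->tokens = l->burst;      /* a new source starts with a full bucket */
    free_slot->last_ms = now_ms;
    free_slot->in_use = 1;
    return free_slot;
}

/* Returns 1 if the INVITE from src arriving at now_ms is admitted, 0 if dropped. */
static int limiter_admit(limiter_t *l, const char *src, double now_ms)
{
    bucket_t *bk = bucket_for(l, src, now_ms);
    if (!bk) return 0;
    double elapsed_s = (now_ms - bk->last_ms) / 1000.0;
    if (elapsed_s > 0) {
        bk->tokens += elapsed_s * l->rate_per_s;      /* refill for elapsed time */
        if (bk->tokens > l->burst) bk->tokens = l->burst;
        bk->last_ms = now_ms;
    }
    if (bk->tokens >= 1.0) {
        bk->tokens -= 1.0;
        return 1;
    }
    return 0;
}

/* Constructed traffic: one source sends `count` INVITEs spaced `gap_ms` apart.
 * Returns how many of them the limiter admits. */
static int admitted_from_burst(const char *src, int count, double gap_ms,
                               double rate_per_s, double burst)
{
    limiter_t l;
    limiter_init(&l, rate_per_s, burst);
    int admitted = 0;
    for (int i = 0; i < count; i++) {
        admitted += limiter_admit(&l, src, i * gap_ms);
    }
    return admitted;
}
```

With a burst of 20 and a sustained rate of 7 per second, a source sending 500 INVITEs one millisecond apart gets about 23 of them through instead of 500, while a source placing one call per second is never throttled. The limiter only slows the attacker down; the leak itself is still present until the fixed release is installed.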

Reservation

11/08/2017

Disclosure

11/08/2017

Moderation

accepted

CPE

ready

EPSS

0.05269

KEV

no

Activities

very low
