CVE-2018-7285 in Asterisk
Summary
by MITRE
A NULL pointer access issue was discovered in Asterisk through 15.2.1. The RTP support in Asterisk maintains its own registry of dynamic codecs and desired payload numbers. While an SDP negotiation may result in a codec using a different payload number, these desired ones are still stored internally. When an RTP packet was received, this registry would be consulted if the payload number was not found in the negotiated SDP. This registry was incorrectly consulted for all packets, even those which are dynamic. If the payload number resulted in a codec of a different type than the RTP stream (for example, the payload number resulted in a video codec but the stream carried audio), a crash could occur if no stream of that type had been negotiated. This was due to the code incorrectly assuming that a stream of that type would always exist.
Analysis
by VulDB Data Team • 02/04/2021
CVE-2018-7285 is a NULL pointer dereference in the Asterisk telephony platform affecting releases through 15.2.1. The flaw sits in the Real-time Transport Protocol (RTP) support, which keeps a process-wide registry of dynamic codecs together with the payload numbers it would prefer to use for them. An SDP negotiation may bind a codec to a different payload number for a particular call, but the preferred numbers remain stored internally. When an RTP packet arrives whose payload number is not present in the mapping negotiated for that call, the code consults this registry as a fallback to decide which codec the packet carries.
The defect is twofold. First, the fallback was applied to every unmatched packet, including packets carrying dynamic payload numbers (96 to 127 under RFC 3551), whose meaning exists only by virtue of the SDP exchange; a dynamic number that was not negotiated for the call should simply fail to resolve. Second, once the registry returned a codec, the code assumed that a stream of that codec's media type was present in the session and dereferenced it. If a packet arrived on an audio stream but the registry mapped its payload number to a video codec, and the call had negotiated no video stream, the lookup for the video stream yielded NULL and the subsequent access crashed the process.
The operational impact is denial of service. A remote party able to deliver a single crafted RTP packet to a negotiated RTP port can crash the Asterisk process, dropping every call it is handling, and can repeat the attack as soon as the service restarts. Telephony deployments built on Asterisk, including business PBXs and emergency-call handling, are therefore exposed to loss of availability. The weakness is classified as CWE-476 (NULL Pointer Dereference). In ATT&CK terms it is an endpoint denial of service, T1499, with the crafted-packet crash matching sub-technique T1499.004, Application or System Exploitation, rather than the flooding techniques grouped under T1498 (Network Denial of Service). It is not a buffer over-read: no memory is read or written out of bounds. The root cause is missing validation that the codec resolved for a payload number has the same media type as the stream that carried the packet, combined with the unchecked assumption that a stream of that type exists. No SIP authentication is required: the attacker needs only to get an RTP packet to the RTP socket of a session, which any party in an established call can do trivially, and the packet is processed in the ordinary receive path with no special privilege.
The primary mitigation is to apply the vendor's fixed releases; the affected range ends at 15.2.1. On the code side the correction follows directly from the analysis: consult the desired-payload registry only for payload numbers that are not dynamic, verify that the codec resolved for a payload number has the same media type as the stream the packet arrived on, and treat the absence of a stream of that type as a reason to discard the packet rather than as a pointer to dereference. Where patching is delayed, administrators should reduce who can reach the RTP sockets: restrict media to known peers at the firewall or session border controller, and keep the RTP port range reachable only from networks that legitimately carry calls. Asterisk's strictrtp option in rtp.conf, where enabled, drops RTP from source addresses other than the one learned for a stream and so blocks third-party injection, but neither it nor network segmentation protects against a malicious participant in an established call, who already has a legitimate path to the RTP port.
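The two defects described in the analysis above, and the checks the fix calls for, as an added example that models them in C. This is not Asterisk's code: the structures and names (struct session, handle_rtp_vulnerable, handle_rtp_fixed, run_mismatched_pt, run_negotiated_pt) and the audio-only call scenario are constructed here to show the lookup logic, with a returned status standing in for the crash that the real code would suffer on the NULL stream pointer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum media_type { MEDIA_NONE = 0, MEDIA_AUDIO = 1, MEDIA_VIDEO = 2 };

struct codec {
    const char *name;
    enum media_type type;
};

/* RFC 3551: payload types 0-95 are static assignments, 96-127 are dynamic and
 * only mean something once the SDP exchange for the call has bound them. */
#define IS_DYNAMIC_PT(pt) ((pt) >= 96)

/* Constructed, simplified per-call state (not Asterisk's real structures). */
struct session {
    const struct codec *negotiated[128]; /* payload number -> codec from this call's SDP */
    const struct codec *registry[128];   /* process-wide "desired" payload numbers */
    int has_stream[3];                   /* indexed by media_type: is a stream of that type negotiated? */
};

typedef enum { RESULT_DROP = 0, RESULT_OK = 1, RESULT_NULL_DEREF = 2 } result_t;
typedef result_t (*rtp_handler)(struct session *, uint8_t, enum media_type);

static const struct codec CODEC_OPUS = { "opus", MEDIA_AUDIO };
static const struct codec CODEC_H264 = { "H264", MEDIA_VIDEO };

/* Models the flawed logic: any payload number missing from the negotiated map
 * falls back to the registry, even a dynamic one, and the stream of the
 * resolved codec's type is used without checking that it was ever negotiated. */
static result_t handle_rtp_vulnerable(struct session *s, uint8_t pt, enum media_type stream_type)
{
    const struct codec *c = s->negotiated[pt];
    if (!c) {
        c = s->registry[pt];      /* defect 1: consulted for dynamic payload numbers too */
    }
    if (!c) {
        return RESULT_DROP;
    }
    (void)stream_type;            /* the codec's type is never compared with the stream's */
    if (!s->has_stream[c->type]) {
        return RESULT_NULL_DEREF; /* defect 2: stands in for dereferencing the missing stream */
    }
    return RESULT_OK;
}

/* Hardened: dynamic payload numbers resolve only through the negotiated map,
 * the codec's media type must match the stream that carried the packet, and a
 * missing stream of that type discards the packet instead of dereferencing. */
static result_t handle_rtp_fixed(struct session *s, uint8_t pt, enum media_type stream_type)
{
    const struct codec *c = s->negotiated[pt];
    if (!c && !IS_DYNAMIC_PT(pt)) {
        c = s->registry[pt];
    }
    if (!c || c->type != stream_type || !s->has_stream[c->type]) {
        return RESULT_DROP;
    }
    return RESULT_OK;
}

/* Constructed scenario: an audio-only call negotiated opus on 96, while the
 * process-wide registry would prefer 97 for H264. No video stream exists. */
static void build_audio_only_call(struct session *s)
{
    memset(s, 0, sizeof(*s));
    s->negotiated[96] = &CODEC_OPUS;
    s->registry[96] = &CODEC_OPUS;
    s->registry[97] = &CODEC_H264;
    s->has_stream[MEDIA_AUDIO] = 1;
}

/* An audio packet marked with payload number 97 arrives on the audio stream. */
result_t run_mismatched_pt(rtp_handler h)
{
    struct session s;
    build_audio_only_call(&s);
    return h(&s, 97, MEDIA_AUDIO);
}

/* A normal opus packet on the negotiated payload number 96. */
result_t run_negotiated_pt(rtp_handler h)
{
    struct session s;
    build_audio_only_call(&s);
    return h(&s, 96, MEDIA_AUDIO);
}

int main(void)
{
    printf("vulnerable, pt 97 on audio: %d\n", (int)run_mismatched_pt(handle_rtp_vulnerable)); /* 2 = NULL deref */
    printf("fixed,      pt 97 on audio: %d\n", (int)run_mismatched_pt(handle_rtp_fixed));      /* 0 = drop */
    printf("fixed,      pt 96 on audio: %d\n", (int)run_negotiated_pt(handle_rtp_fixed));      /* 1 = ok */
    return 0;
}
```

The hardened handler combines the two checks the analysis names, restricting the registry fallback to non-dynamic payload numbers and requiring the resolved codec's type to match an existing stream, so the mismatched packet is dropped while the normally negotiated packet still passes.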