CVE-2020-35652 in Asterisk
Summary
by MITRE • 01/29/2021
An issue was discovered in res_pjsip_diversion.c in Sangoma Asterisk before 13.38.0, 14.x through 16.x before 16.15.0, 17.x before 17.9.0, and 18.x before 18.1.0. A crash can occur when a SIP message is received with a History-Info header that contains a tel-uri, or when a SIP 181 response is received that contains a tel-uri in the Diversion header.
Analysis
by VulDB Data Team • 02/21/2021
This vulnerability exists in the SIP parsing functionality of the Asterisk telephony platform, specifically in the res_pjsip_diversion module that handles diversion headers in SIP communications. It is triggered when the system processes an incoming SIP message whose History-Info header contains a tel-uri, or a SIP 181 response whose Diversion header contains a tel-uri. The flaw is a classic buffer overflow condition that occurs while parsing these URI formats, because the application does not properly validate or sanitize the input before processing it. It affects the 13.x, 14.x, 15.x, 16.x, 17.x and 18.x release lines of Asterisk, so the impact spans the platform's long-term support versions. The vulnerability is categorized under CWE-121 as a stack-based buffer overflow, in which the application writes beyond the bounds of the allocated memory buffers during SIP header processing. The attack surface is a particular concern because SIP infrastructure is a critical communication layer for voice and video services, and the flaw can be triggered by anyone able to deliver a crafted SIP message to the server, causing system instability.
Technically, the vulnerability stems from improper handling of Uniform Resource Identifier (URI) formats within the SIP protocol stack. When a SIP message arrives with a History-Info header containing a tel-uri, or a SIP 181 response arrives with a Diversion header containing a tel-uri, Asterisk parses and processes the URI without adequate bounds checking. The parsing routine does not validate the length or structure of the tel-uri elements, and the resulting memory corruption crashes the application. The crash occurs because the system allocates insufficient buffer space for the parsed URI data, so writing beyond the allocated boundary causes a segmentation fault or access violation. This is especially dangerous in production, because the trigger is an ordinary-looking SIP message and is therefore hard to distinguish from normal traffic. The impact goes beyond simple service disruption: the crash denies service to legitimate users, and if the memory corruption can be exploited for code execution it may provide an entry point for more sophisticated attacks.
The operational impact extends well beyond system crashes, because the affected component is telephony infrastructure that many organizations depend on for business communications. Organizations running affected versions of Asterisk are exposed to denial of service attacks that disrupt voice services, video conferencing and any other communication channel that relies on SIP. Service providers and enterprises operating large-scale telephony systems are particularly affected, because a single malicious SIP message can cause cascading failures across multiple communication channels. Beyond service disruption, the vulnerability may expose sensitive system information through crash dumps or memory corruption artifacts, which an attacker could analyze to develop more sophisticated exploitation techniques. Timing also matters: the crash can occur at any point during SIP message processing, which makes effective network-level protection and monitoring difficult to implement. The vulnerability therefore undermines not only the stability of the affected host but also the reliability of every communication service built on Asterisk's SIP implementation, with potential business disruption and loss of customer confidence.
Mitigation should start with an immediate upgrade to a patched release of Asterisk, specifically 13.38.0, 16.15.0, 17.9.0 or 18.1.0, which contain the fixes for the buffer overflow conditions. Organizations should also apply network-level controls such as SIP message filtering to block malformed History-Info and Diversion headers that contain tel-uri references, particularly where the source of SIP traffic cannot be fully trusted. Proper input validation and sanitization within the SIP processing stack should be enforced so that similar vulnerabilities do not recur in other components of the system. Monitoring and alerting should be set up to detect unusual patterns in SIP traffic that may indicate exploitation attempts, using tools that can identify malformed URI structures before they reach the vulnerable parsing functions. Rate limiting and connection controls on SIP endpoints reduce the impact of exploitation attempts and buy security teams time to respond to incidents. Finally, the vulnerability underlines the value of regular security assessments and penetration testing of telephony infrastructure, especially where SIP traffic crosses untrusted networks, as outlined in the ATT&CK framework's methodology for identifying and mitigating network-based vulnerabilities.
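The filtering and monitoring controls described above can be implemented as a pre-parser check that flags exactly the two trigger conditions the advisory names. The following is an added example, not Asterisk or VulDB code; the SIP messages it inspects are constructed samples and the header handling (RFC 3261 line folding, name-addr versus bare addr-spec forms) is a deliberately small subset of a full SIP parser.

```python
# Added example (not Asterisk or VulDB code): flag SIP messages that match the
# two trigger conditions described for CVE-2020-35652, so a SIP proxy or a
# monitor can drop or alert on them before they reach the vulnerable parser.
import re

def parse_headers(message):
    """Return (start_line, [(lower_name, value), ...]); folded lines rejoined."""
    lines = message.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = []
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and headers:           # RFC 3261 folding
            headers[-1] = (headers[-1][0], headers[-1][1] + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers

def uris_in(value):
    """URIs of a name-addr/addr-spec header: every <...>, else bare addr-specs."""
    bracketed = re.findall(r"<([^>]*)>", value)
    if bracketed:
        return [u.strip() for u in bracketed]
    return [part.split(";", 1)[0].strip() for part in value.split(",")]

def check_message(message):
    """List (header, [tel uris]) for History-Info with a tel: URI in any
    message, or Diversion with a tel: URI in a 181 response."""
    start_line, headers = parse_headers(message)
    m = re.match(r"SIP/2\.0\s+(\d{3})", start_line)        # None for requests
    code = int(m.group(1)) if m else None
    findings = []
    for name, value in headers:
        tel = [u for u in uris_in(value) if u.lower().startswith("tel:")]
        if tel and name == "history-info":
            findings.append(("History-Info", tel))
        elif tel and name == "diversion" and code == 181:
            findings.append(("Diversion", tel))
    return findings

# Constructed samples: an INVITE with a folded History-Info holding a tel: URI,
# and a 181 response whose Diversion header holds a tel: URI.
SAMPLE_INVITE = ("INVITE sip:bob@example.com SIP/2.0\r\n"
                 "History-Info: <tel:+15555550100>;index=1,\r\n"
                 " <sip:bob@example.com>;index=1.1\r\n"
                 "Content-Length: 0\r\n\r\n")
SAMPLE_181 = ("SIP/2.0 181 Call Is Being Forwarded\r\n"
              "Diversion: <tel:+15555550100>;reason=unconditional\r\n"
              "Content-Length: 0\r\n\r\n")
```

A Diversion header carrying a tel: URI on anything other than a 181 response is deliberately not flagged, matching the conditions the advisory gives; widen the check if your deployment wants to reject tel: URIs in these headers outright.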