Asterisk Project Security Advisory - AST-2021-003

Product             Asterisk
Summary             Remote attacker could prematurely tear down SRTP calls
Nature of Advisory  Denial of Service
Susceptibility      Remote unauthenticated sessions
Severity            Moderate
Exploits Known      No
Reported On         January 22, 2021
Reported By         Alexander Traud
Posted On
Last Updated On     February 11, 2021
Advisory Contact    gjoseph AT sangoma DOT com
CVE Name            CVE-2021-26712

Description
  An unauthenticated remote attacker could replay SRTP packets, which could
  cause an Asterisk instance configured without strict RTP validation to tear
  down calls prematurely.

Modules Affected
  res_srtp.c
  res_rtp_asterisk.c

Resolution
  Asterisk now implements SRTP replay protection via a "srtpreplayprotection"
  option in rtp.conf. The default is "yes".

Affected Versions
  Product                 Release Series   Version
  Asterisk Open Source    13.x             13.38.1
  Asterisk Open Source    16.x             16.16.0
  Asterisk Open Source    17.x             17.9.1
  Asterisk Open Source    18.x             18.2.0
  Certified Asterisk      16.x             16.8-cert5

Corrected In
  Product                 Release
  Asterisk Open Source    13.38.2, 16.16.1, 17.9.2, 18.2.1
  Certified Asterisk      16.8-cert6

Patches
  Patch URL                                                             Revision
  https://downloads.asterisk.org/pub/security/AST-2021-003-13.diff      13.38.2
  https://downloads.asterisk.org/pub/security/AST-2021-003-16.diff      16.16.1
  https://downloads.asterisk.org/pub/security/AST-2021-003-17.diff      17.9.2
  https://downloads.asterisk.org/pub/security/AST-2021-003-18.diff      18.2.1
  https://downloads.asterisk.org/pub/security/AST-2021-003-16.8.diff    Certified Asterisk 16.8-cert6

Links
  https://issues.asterisk.org/jira/browse/ASTERISK-29260
  https://downloads.asterisk.org/pub/security/AST-2021-003.html

Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version
will be posted at https://downloads.digium.com/pub/security/AST-2021-003.pdf
and https://downloads.digium.com/pub/security/AST-2021-003.html

Revision History
  Date                Editor          Revisions Made
  February 4, 2021    George Joseph   Initial
  February 5, 2021    George Joseph   Added CVE ID

Copyright (c) 2021 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
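The following is an added illustration of the mechanism the "srtpreplayprotection" option turns on; it is not Asterisk's or libsrtp's code and is not taken from the advisory. It implements an SRTP anti-replay check in the style of RFC 3711 sections 3.3.1 (packet index estimation from the 16-bit sequence number and the rollover counter) and 3.3.2 (sliding replay window). Assumptions made here: a 64-packet window so the replay list fits one 64-bit bitmap, that the packet has already passed SRTP authentication before the check is applied, and constructed sequence numbers in the demo functions. Note that this check is independent of strict RTP, which filters on the packet's source address: a replayed packet that arrives from the learned address is only caught by the index check shown here.

```c
/*
 * Added example (not Asterisk/libsrtp code): SRTP anti-replay in the style of
 * RFC 3711 3.3.1 (index estimation) and 3.3.2 (replay list).
 * Assumptions: packet authentication already succeeded; REPLAY_WINDOW = 64.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define REPLAY_WINDOW 64u  /* assumed window size for this example */

typedef enum { ACCEPT = 0, REJECT_REPLAY = 1, REJECT_TOO_OLD = 2 } replay_verdict;

typedef struct {
    uint32_t roc;     /* rollover counter (ROC) */
    uint16_t s_l;     /* highest sequence number received under the current ROC */
    uint64_t last;    /* highest 48-bit packet index accepted so far */
    uint64_t bitmap;  /* bit k set => index (last - k) has already been received */
    bool started;     /* false until the first packet initialises s_l */
} replay_state;

static void replay_init(replay_state *st)
{
    st->roc = 0; st->s_l = 0; st->last = 0; st->bitmap = 0; st->started = false;
}

/* RFC 3711 3.3.1: decide which ROC a 16-bit seq belongs to, relative to s_l, and
 * return the 48-bit index (ROC << 16 | seq); -1 if it would precede the stream start. */
static int64_t packet_index(const replay_state *st, uint16_t seq)
{
    int64_t v = st->roc;
    if (st->s_l < 32768u) {
        if ((int32_t)seq - (int32_t)st->s_l > 32768) v -= 1;  /* late packet from previous ROC */
    } else if ((int32_t)st->s_l - 32768 > (int32_t)seq) {
        v += 1;                                               /* seq wrapped: next ROC */
    }
    return v < 0 ? -1 : ((v << 16) | seq);
}

/* RFC 3711 3.3.2 replay check plus the state update done once authentication passes. */
replay_verdict replay_check(replay_state *st, uint16_t seq)
{
    if (!st->started) {  /* first packet of the stream: ROC = 0, s_l = seq */
        st->started = true; st->s_l = seq; st->last = seq; st->bitmap = 1u;
        return ACCEPT;
    }
    int64_t idx = packet_index(st, seq);
    if (idx < 0) return REJECT_TOO_OLD;
    uint64_t index = (uint64_t)idx;

    if (index > st->last) {  /* newest packet so far: slide the window forward */
        uint64_t shift = index - st->last;
        st->bitmap = (shift >= REPLAY_WINDOW) ? 0 : (st->bitmap << shift);
        st->bitmap |= 1u;
        st->last = index;
        st->roc = (uint32_t)(index >> 16);  /* ROC only moves on an authenticated newer packet */
        st->s_l = seq;
        return ACCEPT;
    }
    uint64_t diff = st->last - index;  /* distance behind the window's leading edge */
    if (diff >= REPLAY_WINDOW) return REJECT_TOO_OLD;
    if (st->bitmap & ((uint64_t)1 << diff)) return REJECT_REPLAY;  /* seen before */
    st->bitmap |= (uint64_t)1 << diff;  /* late but new: accept and remember it */
    return ACCEPT;
}

/* Constructed scenario: in-order 1,2,3, then an attacker replays packet 2. */
replay_verdict demo_replayed_packet(void)
{
    replay_state st; replay_init(&st);
    replay_check(&st, 1); replay_check(&st, 2); replay_check(&st, 3);
    return replay_check(&st, 2);
}

/* Constructed scenario crossing the 16-bit wrap: 65534,65535,0,1 moves ROC to 1. */
static void feed_wrap_sequence(replay_state *st)
{
    const uint16_t seqs[] = { 65534u, 65535u, 0u, 1u };
    replay_init(st);
    for (size_t i = 0; i < sizeof seqs / sizeof seqs[0]; i++) replay_check(st, seqs[i]);
}
uint32_t demo_roc_after_wrap(void) { replay_state st; feed_wrap_sequence(&st); return st.roc; }
/* A replay of 65535 (index 65535, two behind the edge at 65537) is still caught. */
replay_verdict demo_wraparound_replay(void) { replay_state st; feed_wrap_sequence(&st); return replay_check(&st, 65535u); }

/* Constructed scenario for the window edges; returns the verdict at the given step. */
replay_verdict demo_window_edge(int step)
{
    replay_state st; replay_init(&st);
    replay_check(&st, 1000u); replay_check(&st, 1100u);  /* edge jumps 100 ahead, past the window */
    replay_verdict v = replay_check(&st, 1000u);         /* step 0: 100 behind -> too old */
    if (step == 0) return v;
    v = replay_check(&st, 1050u);                        /* step 1: 50 behind, unseen -> accept */
    if (step == 1) return v;
    return replay_check(&st, 1050u);                     /* step 2: same packet again -> replay */
}

int main(void)
{
    printf("replay of seq 2: %d\n", demo_replayed_packet());
    printf("roc after wrap: %u, replay across wrap: %d\n", demo_roc_after_wrap(), demo_wraparound_replay());
    printf("window edges: %d %d %d\n", demo_window_edge(0), demo_window_edge(1), demo_window_edge(2));
    return 0;
}
```

The point for the advisory is the middle branch of replay_check: a packet whose index is already marked in the window is dropped before it reaches the RTP engine, so a replayed SRTP packet can no longer influence call state. The verdict distinction matters operationally, too: REJECT_REPLAY on a stream is a signal worth logging and alerting on, while REJECT_TOO_OLD can also come from ordinary severe reordering.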