Fuzzing PJSIP and chan_skinny, vulnerability information and advisories
Recently, Alfred Farrugia and I started fuzzing open-source VoIP projects such as Asterisk, FreeSWITCH and Kamailio, together with their dependencies. Our internal Enable Security project was given the unimaginative name rtcfuzz. By now it combines public tools like American Fuzzy Lop and Radamsa with our own internal tooling, and it is, of course, giving us some good results.
We reported three issues to Digium: two affect PJSIP itself and one affects chan_skinny. We’re happy to say that they have now been fixed, at least in the latest versions of Asterisk.
The PJSIP vulnerabilities affect Asterisk deployments that use chan_pjsip rather than the legacy chan_sip, and of course anyone who embeds PJSIP in other products. Both look like serious bugs: at least one of them appears exploitable beyond a crash (i.e. towards remote code execution), and both reliably crash the process, which is a denial of service in itself. For the technical details, check out the advisories that we just released:
- Heap overflow in CSEQ header parsing affects Asterisk chan_pjsip and PJSIP
- Out of bound memory access in PJSIP multipart parser crashes Asterisk
The chan_skinny issue is memory exhaustion that can be abused to crash the Asterisk process. My personal view is that anyone using chan_skinny who has even a vague understanding of security should stop doing that and take a look at the code. Our advisory with the technical details on this was released too:
That’s it for now!