Asterisk STIR/SHAKEN Remote Denial-of-Service and Possible Remote Code Execution Vulnerability

Vulnerability

A remote denial-of-service (DoS) vulnerability and a potential remote code execution (RCE) condition have been identified in Asterisk versions up to and including 18.26.2, between 20.00.0 and 20.15.0, 20.7-cert6, 21.00.0, and 22.00.0 through 22.5.0. The issue arises in the STIR/SHAKEN verification process when an attacker can manipulate the Identity header. The vulnerability is exploitable if STIR/SHAKEN is enabled and the verification option is set in the SIP profile of the targeted endpoint.

Impact

Exploitation of this vulnerability can lead to a remote denial-of-service condition, causing Asterisk to crash. Additionally, there is a possibility of remote code execution, although this is not confirmed.

Reproduction

To reproduce this vulnerability, STIR/SHAKEN must be enabled on an Asterisk endpoint with verification set in the associated SIP profile. An attacker can then send a request with a manipulated Identity header. This can be done using a partially obfuscated proof-of-concept application written in Go, which is available as an attachment in the Asterisk GitHub repository.

Remediation

Users can upgrade to Asterisk versions 18.26.3, 20.15.1, 21.10.1, 22.5.1, or 20.7-cert7 to address this vulnerability.
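
A triage helper for the fixed versions listed above, added here as an example (it is not code from the Asterisk project or from this advisory). It assumes version strings shaped like "Asterisk 20.15.0" or "Asterisk certified-20.7-cert6", and it assumes that any release on a listed branch below that branch's fixed version is affected; the function names and the inventory are hypothetical.

```python
import re

# Fixed releases from the Remediation section, keyed by major branch.
FIXED = {18: (18, 26, 3), 20: (20, 15, 1), 21: (21, 10, 1), 22: (22, 5, 1)}
# Fixed certified release from the same section (20.7-cert7).
FIXED_CERT = {(20, 7): 7}

_STD = re.compile(r"(\d+)\.(\d+)\.(\d+)")
_CERT = re.compile(r"(?:certified[-/])?(\d+)\.(\d+)-cert(\d+)")

def classify(version: str) -> str:
    """Return 'affected', 'fixed' or 'unknown' for one version string."""
    v = version.strip()
    if v.lower().startswith("asterisk "):
        v = v[len("asterisk "):].strip()
    m = _CERT.fullmatch(v)
    if m:
        major, minor, cert = map(int, m.groups())
        fixed_cert = FIXED_CERT.get((major, minor))
        if fixed_cert is None:
            return "unknown"  # certified branch not named on the page
        return "affected" if cert < fixed_cert else "fixed"
    m = _STD.fullmatch(v)
    if not m:
        return "unknown"  # rc/beta/git builds: review by hand
    ver = tuple(map(int, m.groups()))
    if ver[0] < 18:
        return "affected"  # page: "up to and including 18.26.2"; no fix listed
    fixed = FIXED.get(ver[0])
    if fixed is None:
        return "unknown"  # branch not covered by the advisory text
    return "affected" if ver < fixed else "fixed"

def needs_review(inventory: dict) -> list:
    """Hosts whose version is affected or could not be classified."""
    return sorted(h for h, v in inventory.items() if classify(v) != "fixed")

# Constructed inventory (hostnames and versions are made up for illustration).
SAMPLE = {
    "pbx-a": "Asterisk 20.15.0",
    "pbx-b": "Asterisk 22.5.1",
    "pbx-c": "Asterisk certified-20.7-cert6",
    "pbx-d": "Asterisk 21.10.1-rc1",
    "pbx-e": "Asterisk 18.26.3",
}

if __name__ == "__main__":
    for host in needs_review(SAMPLE):
        print(host, SAMPLE[host], classify(SAMPLE[host]))
```

A host reported as affected still has to meet the condition stated in the Vulnerability section (STIR/SHAKEN enabled with verification set in the endpoint's SIP profile) to be exploitable, so the output is best used to order upgrades.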

Added: Aug 1, 2025, 7:13 PM
Updated: Aug 1, 2025, 7:13 PM

Vulnerability Rating

Custom Algorithm
spread: 6.8
impact: 2.5
exploitability: 6.2
remediation: 7.7
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.