Asterisk
cpe:2.3:a:asterisk:certified_asterisk:*:*:*:*:*:*:*
- <= 18.9-cert16
- <= 18.26.3
A resource exhaustion vulnerability has been identified in Asterisk, an open-source private branch exchange and telephony toolkit. The issue, present in versions through 18.26.3 and 18.9-cert16, arises from a failure to properly terminate sessions, so that RTP UDP ports and internal resources are leaked. The effect is noticeable resource exhaustion: the leaked RTP UDP ports remain open but unused, and the internal module usage counters reflect the increased resource consumption. The vulnerability can be exploited remotely without user interaction, and it affects all transport types: UDP, TCP, and TLS.
Exploitation of this vulnerability leads to a denial-of-service condition, where available resources are drained, causing the application to become unresponsive or unavailable.
The vulnerability can be reproduced by sending SIP INVITE requests with a specific branch identifier that is not properly formatted, for example with a SIPp-based script targeting an Asterisk server running a vulnerable version. The incorrect branch ID causes the session to be accepted and kept alive even after the underlying TCP or TLS connection is dropped, which leaks RTP ports and internal resources.
Users can upgrade to Asterisk versions 18.26.4 or 18.9-cert17 to address this vulnerability.