CVE-2021-37706

PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In affected versions if the incoming STUN message contains an ERROR-CODE attribute, the header length is not checked before performing a subtraction operation, potentially resulting in an integer underflow scenario. This issue affects all users that use STUN. A malicious actor located within the victim’s network may forge and send a specially crafted UDP (STUN) message that could remotely execute arbitrary code on the victim’s machine. Users are advised to upgrade as soon as possible. There are no known workarounds.
Configurations

Configuration 1 (hide)

cpe:2.3:a:teluu:pjsip:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:a:asterisk:certified_asterisk:*:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert1:*:*:*:*:*:*
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert10:*:*:*:*:*:*
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert11:*:*:*:*:*:*
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert12:*:*:*:*:*:*
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert2:*:*:*:*:*:*
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert3:*:*:*:*:*:*
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert4:*:*:*:*:*:*
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert5:*:*:*:*:*:*
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert6:*:*:*:*:*:*
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert7:*:*:*:*:*:*
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert8:*:*:*:*:*:*
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert9:*:*:*:*:*:*
cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*
cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*
cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*

Configuration 3 (hide)

OR cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

History

30 Aug 2023, 01:15

Type Values Removed Values Added
References
  • (MLIST) https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html -

02 Feb 2023, 18:08

Type Values Removed Values Added
References (MLIST) https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html - (MLIST) https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html - Mailing List, Third Party Advisory
References (DEBIAN) https://www.debian.org/security/2022/dsa-5285 - (DEBIAN) https://www.debian.org/security/2022/dsa-5285 - Third Party Advisory
CPE cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

18 Nov 2022, 16:15

Type Values Removed Values Added
References
  • (DEBIAN) https://www.debian.org/security/2022/dsa-5285 -

17 Nov 2022, 14:15

Type Values Removed Values Added
References
  • (MLIST) https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html -

16 Nov 2022, 19:03

Type Values Removed Values Added
References (GENTOO) https://security.gentoo.org/glsa/202210-37 - (GENTOO) https://security.gentoo.org/glsa/202210-37 - Third Party Advisory
References (MISC) http://packetstormsecurity.com/files/166225/Asterisk-Project-Security-Advisory-AST-2022-004.html - Third Party Advisory (MISC) http://packetstormsecurity.com/files/166225/Asterisk-Project-Security-Advisory-AST-2022-004.html - Third Party Advisory, VDB Entry
References (MLIST) https://lists.debian.org/debian-lts-announce/2022/03/msg00035.html - Third Party Advisory (MLIST) https://lists.debian.org/debian-lts-announce/2022/03/msg00035.html - Mailing List, Third Party Advisory

31 Oct 2022, 22:15

Type Values Removed Values Added
References
  • (GENTOO) https://security.gentoo.org/glsa/202210-37 -

25 Apr 2022, 15:22

Type Values Removed Values Added
First Time Asterisk
Asterisk certified Asterisk
Debian debian Linux
Sangoma asterisk
Debian
Sangoma
References (MISC) http://packetstormsecurity.com/files/166225/Asterisk-Project-Security-Advisory-AST-2022-004.html - (MISC) http://packetstormsecurity.com/files/166225/Asterisk-Project-Security-Advisory-AST-2022-004.html - Third Party Advisory
References (MLIST) https://lists.debian.org/debian-lts-announce/2022/03/msg00035.html - (MLIST) https://lists.debian.org/debian-lts-announce/2022/03/msg00035.html - Third Party Advisory
References (FULLDISC) http://seclists.org/fulldisclosure/2022/Mar/0 - (FULLDISC) http://seclists.org/fulldisclosure/2022/Mar/0 - Mailing List, Patch, Third Party Advisory
CPE cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert4:*:*:*:*:*:*
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert12:*:*:*:*:*:*
cpe:2.3:a:asterisk:certified_asterisk:*:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert5:*:*:*:*:*:*
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert8:*:*:*:*:*:*
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert11:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert2:*:*:*:*:*:*
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert6:*:*:*:*:*:*
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert9:*:*:*:*:*:*
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert3:*:*:*:*:*:*
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert1:*:*:*:*:*:*
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert10:*:*:*:*:*:*
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert7:*:*:*:*:*:*
cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*

28 Mar 2022, 17:15

Type Values Removed Values Added
References
  • (MLIST) https://lists.debian.org/debian-lts-announce/2022/03/msg00035.html -

10 Mar 2022, 17:42

Type Values Removed Values Added
References
  • (MISC) http://packetstormsecurity.com/files/166225/Asterisk-Project-Security-Advisory-AST-2022-004.html -

04 Mar 2022, 22:15

Type Values Removed Values Added
References
  • (FULLDISC) http://seclists.org/fulldisclosure/2022/Mar/0 -

03 Jan 2022, 23:20

Type Values Removed Values Added
CPE cpe:2.3:a:teluu:pjsip:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : 7.3
v2 : 9.3
v3 : 9.8
First Time Teluu pjsip
Teluu
References (CONFIRM) https://github.com/pjsip/pjproject/security/advisories/GHSA-2qpg-f6wf-w984 - (CONFIRM) https://github.com/pjsip/pjproject/security/advisories/GHSA-2qpg-f6wf-w984 - Patch, Third Party Advisory
References (MISC) https://github.com/pjsip/pjproject/commit/15663e3f37091069b8c98a7fce680dc04bc8e865 - (MISC) https://github.com/pjsip/pjproject/commit/15663e3f37091069b8c98a7fce680dc04bc8e865 - Patch, Third Party Advisory

22 Dec 2021, 18:28

Type Values Removed Values Added
New CVE

Information

Published : 2021-12-22 18:15

Updated : 2023-12-10 14:09


NVD link : CVE-2021-37706

Mitre link : CVE-2021-37706

CVE.ORG link : CVE-2021-37706


JSON object : View

Products Affected

teluu

  • pjsip

debian

  • debian_linux

asterisk

  • certified_asterisk

sangoma

  • asterisk
CWE
CWE-191

Integer Underflow (Wrap or Wraparound)