Rapid7 Vulnerability & Exploit Database

FreeBSD: VID-7D53D8DA-D07A-11E9-8F1A-001999F8D30B (CVE-2019-15639): asterisk -- Remote Crash Vulnerability in audio transcoding

Severity: 5
CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Published: 08/07/2019
Created: 09/09/2019
Added: 09/06/2019
Modified: 09/20/2019

Description

Details for this vulnerability have not been published by NIST at this point. Descriptions from software vendor advisories for this issue are provided below.

From VID-7D53D8DA-D07A-11E9-8F1A-001999F8D30B:

The Asterisk project reports:

When audio frames are given to the audio transcoding support in Asterisk the number of samples are examined and as part of this a message is output to indicate that no samples are present. A change was done to suppress this message for a particular scenario in which the message was not relevant. This change assumed that information about the origin of a frame will always exist when in reality it may not.

This issue presented itself when an RTP packet containing no audio (and thus no samples) was received. In a particular transcoding scenario this audio frame would get turned into a frame with no origin information. If this new frame was then given to the audio transcoding support a crash would occur as no samples and no origin information would be present. The transcoding scenario requires the genericplc option to be set to enabled (the default) and a transcoding path from the source format into signed linear and then from signed linear into another format.

Note that there may be other scenarios that have not been found which can cause an audio frame with no origin to be given to the audio transcoding support and thus cause a crash.
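
The missing check described in the advisory above, shown as an added C example that is not Asterisk's code: the struct, the function names and the `quiet-origin` label are hypothetical, and treating a missing origin as "emit the message" is an assumption made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical frame type: 'src' names the frame's origin and may be NULL. */
struct audio_frame {
    int samples;
    const char *src;
};

/* Constructed label for the one origin whose empty frames are expected. */
#define QUIET_SRC "quiet-origin"

/* Vulnerable pattern: assumes src is always set. strcmp(NULL, ...) is
 * undefined behaviour and typically crashes the process. */
int warn_no_samples_vulnerable(const struct audio_frame *f)
{
    if (f->samples != 0)
        return 0;
    return strcmp(f->src, QUIET_SRC) != 0;
}

/* Hardened pattern: a missing origin is treated as "not the quiet origin",
 * so the message is emitted and no NULL pointer is dereferenced. */
int warn_no_samples_hardened(const struct audio_frame *f)
{
    if (f->samples != 0)
        return 0;
    if (f->src == NULL)
        return 1;
    return strcmp(f->src, QUIET_SRC) != 0;
}

int main(void)
{
    /* Constructed inputs: the last one models the frame the advisory
     * describes, with no samples and no origin information. */
    struct audio_frame frames[] = {
        { 160, "rtp" }, { 0, QUIET_SRC }, { 0, "other" }, { 0, NULL },
    };
    for (size_t i = 0; i < sizeof frames / sizeof frames[0]; i++)
        printf("frame %zu: warn=%d\n", i, warn_no_samples_hardened(&frames[i]));
    return 0;
}
```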

Solution(s)

  • freebsd-upgrade-package-asterisk13
  • freebsd-upgrade-package-asterisk16
