Vulnerability Details : CVE-2021-37706
PJSIP is a free and open source multimedia communication library written in C that implements standards-based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In affected versions, if an incoming STUN message contains an ERROR-CODE attribute, the attribute's header length is not checked before a subtraction is performed on it, which can produce an integer underflow. This issue affects all users that use STUN. A malicious actor located within the victim's network may forge and send a specially crafted UDP (STUN) message that could lead to remote execution of arbitrary code on the victim's machine. Users are advised to upgrade as soon as possible. There are no known workarounds.
Vulnerability category: Execute code
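To make the bug class concrete, the following is an added illustration (not pjproject's code; all struct and function names are hypothetical) of the pattern the advisory describes: a STUN ERROR-CODE attribute is a TLV whose value starts with a fixed 4-byte class/number field followed by a reason phrase, so a parser naturally computes the reason length as `attribute length - 4`. If that subtraction happens on an unsigned length that was never checked to be at least 4, it wraps to a huge value. The block shows the unchecked computation beside a hardened parser that validates the length first, run over two constructed attribute encodings (one valid 401 "Unauthorized", one with a length of 2).

```c
/*
 * Illustration of the CVE-2021-37706 bug class (integer underflow on a
 * STUN ERROR-CODE attribute length). This is NOT pjproject's code; the
 * types, function names and sample bytes below are hypothetical.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define STUN_ATTR_ERROR_CODE 0x0009   /* RFC 5389 attribute type */

struct error_code_attr {
    unsigned err_class;            /* 3-bit class, e.g. 4 for 4xx */
    unsigned err_number;           /* 0..99 */
    size_t reason_len;             /* bytes of UTF-8 reason phrase */
    const unsigned char *reason;
};

/* Reads the 2-byte big-endian attribute type and length (the TLV header). */
static int read_attr_header(const unsigned char *buf, size_t n,
                            uint16_t *type, uint16_t *len) {
    if (n < 4) return -1;
    *type = (uint16_t)((buf[0] << 8) | buf[1]);
    *len  = (uint16_t)((buf[2] << 8) | buf[3]);
    return 0;
}

/* VULNERABLE pattern: reason length = attr_len - 4 with no lower-bound check.
 * The length is unsigned, so attr_len < 4 wraps to a value near SIZE_MAX,
 * which any later copy or bounds computation would trust. */
size_t unchecked_reason_len(const unsigned char *buf, size_t n) {
    uint16_t type, attr_len;
    if (read_attr_header(buf, n, &type, &attr_len) != 0) return 0;
    size_t len = attr_len;
    return len - 4;   /* integer underflow when attr_len < 4 */
}

/* HARDENED: validate the header length before subtracting, and make sure
 * the whole value actually fits in the received buffer. Returns 0 or -1. */
int parse_error_code(const unsigned char *buf, size_t n,
                     struct error_code_attr *out) {
    uint16_t type, attr_len;
    if (read_attr_header(buf, n, &type, &attr_len) != 0) return -1;
    if (type != STUN_ATTR_ERROR_CODE) return -1;
    if (attr_len < 4) return -1;                /* the check the bug lacked */
    if ((size_t)attr_len > n - 4) return -1;    /* value truncated on the wire */
    const unsigned char *v = buf + 4;
    out->err_class  = v[2] & 0x07;              /* low 3 bits of byte 2 */
    out->err_number = v[3];
    out->reason_len = (size_t)attr_len - 4;     /* cannot wrap now */
    out->reason     = v + 4;
    return 0;
}

/* Reason length accepted by the hardened parser, or -1 if it rejected the input. */
long hardened_reason_len(const unsigned char *buf, size_t n) {
    struct error_code_attr a;
    return parse_error_code(buf, n, &a) == 0 ? (long)a.reason_len : -1L;
}

/* Constructed sample attributes (not captured traffic). */
const unsigned char GOOD_ATTR[] = {
    0x00, 0x09, 0x00, 0x10,            /* type ERROR-CODE, length 16 */
    0x00, 0x00, 0x04, 0x01,            /* class 4, number 1 -> 401 */
    'U','n','a','u','t','h','o','r','i','z','e','d'
};
const unsigned char SHORT_ATTR[] = {
    0x00, 0x09, 0x00, 0x02,            /* length 2: smaller than the fixed 4 bytes */
    0x00, 0x00
};

int main(void) {
    printf("unchecked, short attr: reason_len = %zu\n",
           unchecked_reason_len(SHORT_ATTR, sizeof SHORT_ATTR));
    printf("hardened,  short attr: %ld\n",
           hardened_reason_len(SHORT_ATTR, sizeof SHORT_ATTR));
    printf("hardened,  good attr:  %ld\n",
           hardened_reason_len(GOOD_ATTR, sizeof GOOD_ATTR));
    return 0;
}
```

The hardened parser does two things the unchecked one omits: it rejects lengths below the fixed part before subtracting, and it bounds the declared length by the bytes actually received. Both checks are needed; the second alone would still let the wrapped value through if the buffer happened to be large. Attribute padding to 4-byte boundaries is deliberately not modelled here.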
Products affected by CVE-2021-37706
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:a:asterisk:certified_asterisk:*:*:*:*:*:*:*:*
- cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert1:*:*:*:*:*:*
- cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert10:*:*:*:*:*:*
- cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert11:*:*:*:*:*:*
- cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert12:*:*:*:*:*:*
- cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert2:*:*:*:*:*:*
- cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert3:*:*:*:*:*:*
- cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert4:*:*:*:*:*:*
- cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert5:*:*:*:*:*:*
- cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert6:*:*:*:*:*:*
- cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert7:*:*:*:*:*:*
- cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert8:*:*:*:*:*:*
- cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert9:*:*:*:*:*:*
- cpe:2.3:a:asterisk:certified_asterisk:16.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*
- cpe:2.3:a:teluu:pjsip:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-37706
2.16% - probability of exploitation activity in the next 30 days
~90% - percentile, the proportion of vulnerabilities scored at or below this score
CVSS scores for CVE-2021-37706
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
9.3 | HIGH | AV:N/AC:M/Au:N/C:C/I:C/A:C (CVSS v2) | 8.6 | 10.0 | NIST | 
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | 
7.3 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L | 3.9 | 3.4 | GitHub, Inc. | 
CWE ids for CVE-2021-37706
- The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.
  Assigned by:
  - nvd@nist.gov (Secondary)
  - security-advisories@github.com (Primary)
References for CVE-2021-37706
- https://github.com/pjsip/pjproject/security/advisories/GHSA-2qpg-f6wf-w984
  Potential integer underflow upon receiving STUN message (pjsip/pjproject GitHub advisory). Patch; Third Party Advisory
- http://packetstormsecurity.com/files/166225/Asterisk-Project-Security-Advisory-AST-2022-004.html
  Asterisk Project Security Advisory AST-2022-004 (Packet Storm). Third Party Advisory; VDB Entry
- https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html
  [SECURITY] [DLA 3549-1] ring security update. Mailing List; Third Party Advisory
- https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html
  [SECURITY] [DLA 3194-1] asterisk security update. Mailing List; Third Party Advisory
- http://seclists.org/fulldisclosure/2022/Mar/0
  Full Disclosure: AST-2022-004: pjproject: integer underflow on STUN message. Mailing List; Patch; Third Party Advisory
- https://github.com/pjsip/pjproject/commit/15663e3f37091069b8c98a7fce680dc04bc8e865
  Merge pull request from GHSA-2qpg-f6wf-w984 (pjsip/pjproject commit 15663e3). Patch; Third Party Advisory
- https://lists.debian.org/debian-lts-announce/2022/03/msg00035.html
  [SECURITY] [DLA 2962-1] pjproject security update. Mailing List; Third Party Advisory
- https://security.gentoo.org/glsa/202210-37
  PJSIP: Multiple Vulnerabilities (GLSA 202210-37), Gentoo security. Third Party Advisory
- https://www.debian.org/security/2022/dsa-5285
  Debian Security Information DSA-5285-1 asterisk. Third Party Advisory