Unrated severity · NVD Advisory · Published Nov 24, 2014 · Updated May 6, 2026

CVE-2014-8415

Description

A race condition in Asterisk's chan_pjsip driver lets unauthenticated remote attackers crash the PBX by sending a CANCEL while a session action is queued.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A race condition exists in the chan_pjsip channel driver in Asterisk Open Source 12.x before 12.7.1 and 13.x before 13.0.1. The driver uses a queue for actions (such as answering a session or sending ringing) that are processed asynchronously relative to SIP session state. If a CANCEL request terminates the session before a queued action executes, the code incorrectly assumes the session is still active and attempts to send a SIP response through the PJSIP library, which asserts on the unexpected disconnected state [1].
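The ordering described above, as an added example that is not Asterisk or PJSIP code: a single-threaded model in which actions are queued, a CANCEL ends the session, and the queue is then drained. All names are hypothetical, the stand-in send routine counts the invalid call instead of asserting, and the guarded handler is an assumed hardening pattern, not a description of the actual patch.

```c
#include <stdio.h>

/* Simplified model; every name here is hypothetical, not an Asterisk or PJSIP identifier. */
enum sess_state { SESS_EARLY, SESS_DISCONNECTED };

struct session {
    enum sess_state state;
    int responses_sent;  /* responses accepted by the stand-in SIP stack */
    int invalid_sends;   /* sends attempted after disconnect (where the real stack asserts) */
};

/* Stand-in for the stack's send routine: counts the bad call instead of asserting. */
static void stack_send_response(struct session *s, int code)
{
    (void)code;
    if (s->state == SESS_DISCONNECTED) { s->invalid_sends++; return; }
    s->responses_sent++;
}

/* Queued action that assumes the session is still active when it finally runs. */
static void action_unguarded(struct session *s, int code) { stack_send_response(s, code); }

/* Assumed hardening: re-check the state at execution time and drop stale actions. */
static int action_guarded(struct session *s, int code)
{
    if (s->state == SESS_DISCONNECTED)
        return -1;
    stack_send_response(s, code);
    return 0;
}

/* Replays the ordering: actions queued, CANCEL ends the session, queue drains. */
struct session replay(int guarded)
{
    struct session s = { SESS_EARLY, 0, 0 };
    int queued[] = { 180, 200 };   /* ringing and answer, queued while the session is live */
    s.state = SESS_DISCONNECTED;   /* CANCEL handled before the queue is serviced */
    for (int i = 0; i < 2; i++) {
        if (guarded) action_guarded(&s, queued[i]);
        else action_unguarded(&s, queued[i]);
    }
    return s;
}

int main(void)
{
    struct session a = replay(0), b = replay(1);
    printf("unguarded invalid sends: %d, guarded: %d\n", a.invalid_sends, b.invalid_sends);
    return 0;
}
```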

Exploitation

An unauthenticated remote attacker can trigger the condition by establishing a SIP session and sending a CANCEL request timed to arrive while an action to answer the session or send ringing is still queued. No authentication or special network position is required beyond the ability to send SIP messages to the Asterisk service [1].

Impact

Successful exploitation causes the PJSIP library to hit an assertion failure, which crashes the Asterisk process and results in a denial of service (DoS). All active calls and resources managed by the affected instance are disrupted until the service is restarted [1].

Mitigation

The vulnerability is fixed in Asterisk Open Source versions 12.7.1 and 13.0.1, released on November 20, 2014. Patches are available from the Asterisk security advisory page. Users of affected 12.x or 13.x series should upgrade to the corrected releases. No workarounds are documented for versions prior to the fix [1].

References
  1. AST-2014-015

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
