CVE-2014-8416
Description
Use-after-free in Asterisk PJSIP channel driver crashes the server via a crafted in-dialog INVITE with Replaces.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A use-after-free vulnerability exists in the res_pjsip_refer module of Asterisk Open Source 12.x before 12.7.1 and 13.x before 13.0.1. When it handles an INVITE carrying a Replaces header, the module assumes the request arrived on a channel that has just been created, which is true for the attended-transfer case the code was written for. If the INVITE with Replaces is instead sent in-dialog, after a session has already been established, that assumption is wrong: the module hangs up, and thereby frees, a channel that is actually owned by another thread. When that thread next touches the freed channel, Asterisk crashes [1].
Exploitation
An attacker exploits this by first establishing a SIP session with the affected server through the PJSIP channel driver and then, within that dialog, sending a crafted INVITE that carries a Replaces header. The attack is carried out remotely over the network; because the trigger is an in-dialog request, the attacker needs only whatever access is required to set up a call to or through the server in the first place. The in-dialog INVITE with Replaces causes res_pjsip_refer to hang up a channel another thread still owns, and that thread's next access to the freed channel is the use-after-free [1].
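The advisory's trigger condition is an INVITE with Replaces that arrives in-dialog rather than as the first request of a new dialog. Per RFC 3261 an in-dialog request carries a tag on its To header, while an initial INVITE does not, so the two cases can be told apart from the message headers alone. The following Python classifier is an added example, not Asterisk code and not part of the advisory; it is the kind of check one would run over captured SIP traffic or a SIP trace log to find the trigger pattern hitting a server still on an affected version. All hosts, tags, Call-IDs and the messages themselves are constructed for the example.

```python
"""Classify SIP INVITEs for the AST-2014-016 trigger pattern (added example, not Asterisk code).

Initial INVITE with Replaces   -> attended transfer, the case res_pjsip_refer was written for
In-dialog INVITE with Replaces -> re-INVITE carrying Replaces, the case the advisory describes
"In-dialog" is decided by the RFC 3261 rule: the To header of an in-dialog request has a tag.
"""
import re

# Compact header names (RFC 3261 section 7.3.3) that matter for dialog matching.
_COMPACT = {"t": "to", "f": "from", "i": "call-id", "v": "via",
            "c": "content-type", "l": "content-length"}
_TO_TAG_RE = re.compile(r";\s*tag=[^;\s]+", re.IGNORECASE)


def parse_sip_request(raw: str) -> dict:
    """Return {'method': str, 'headers': {lower-case name: value}} for one SIP request.

    Only the first colon splits name from value, so URIs inside values survive.
    Repeated headers are joined with ', ', which is how SIP allows them to be merged.
    """
    head, _, _body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method = lines[0].split(" ", 1)[0]
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line; ignore rather than guess
        name = _COMPACT.get(name.strip().lower(), name.strip().lower())
        value = value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return {"method": method, "headers": headers}


def is_in_dialog(headers: dict) -> bool:
    """RFC 3261: a request belongs to an existing dialog iff its To header carries a tag."""
    return bool(_TO_TAG_RE.search(headers.get("to", "")))


def classify_invite(raw: str) -> str:
    """Classify one SIP request as one of:
    'not-invite', 'initial-invite', 'initial-invite-replaces',
    'reinvite', or 'in-dialog-invite-replaces' (the AST-2014-016 trigger pattern).
    """
    req = parse_sip_request(raw)
    if req["method"] != "INVITE":
        return "not-invite"
    has_replaces = "replaces" in req["headers"]
    in_dialog = is_in_dialog(req["headers"])
    if in_dialog and has_replaces:
        return "in-dialog-invite-replaces"
    if in_dialog:
        return "reinvite"
    if has_replaces:
        return "initial-invite-replaces"
    return "initial-invite"


def _msg(request_line: str, *headers: str) -> str:
    """Build a constructed SIP request with CRLF line endings and an empty body."""
    return "\r\n".join((request_line, *headers, "Content-Length: 0", "", ""))


# Constructed sample traffic (hosts in example.test, tags and Call-IDs are made up).
_VIA = "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds"
_FROM = "From: <sip:alice@pbx.example.test>;tag=1928301774"
_CALLID = "Call-ID: a84b4c76e66710@192.0.2.10"
_REPLACES = "Replaces: 98732@pbx.example.test;to-tag=8f3a1c;from-tag=ff87ff"

SAMPLE_INITIAL = _msg("INVITE sip:bob@pbx.example.test SIP/2.0", _VIA, _FROM,
                      "To: <sip:bob@pbx.example.test>", _CALLID, "CSeq: 1 INVITE")
SAMPLE_INITIAL_REPLACES = _msg("INVITE sip:bob@pbx.example.test SIP/2.0", _VIA, _FROM,
                               "To: <sip:bob@pbx.example.test>", _CALLID, "CSeq: 1 INVITE", _REPLACES)
SAMPLE_REINVITE = _msg("INVITE sip:bob@pbx.example.test SIP/2.0", _VIA, _FROM,
                       "To: <sip:bob@pbx.example.test>;tag=a6c85cf", _CALLID, "CSeq: 2 INVITE")
SAMPLE_IN_DIALOG_REPLACES = _msg("INVITE sip:bob@pbx.example.test SIP/2.0", _VIA, _FROM,
                                 "To: <sip:bob@pbx.example.test>;tag=a6c85cf", _CALLID,
                                 "CSeq: 2 INVITE", _REPLACES)
# Same trigger pattern written with compact header names, to check the parser expands them.
SAMPLE_COMPACT_IN_DIALOG_REPLACES = _msg("INVITE sip:bob@pbx.example.test SIP/2.0",
                                         "v: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds",
                                         "f: <sip:alice@pbx.example.test>;tag=1928301774",
                                         "t: <sip:bob@pbx.example.test>;tag=a6c85cf",
                                         "i: a84b4c76e66710@192.0.2.10", "CSeq: 2 INVITE", _REPLACES)
SAMPLE_REFER = _msg("REFER sip:bob@pbx.example.test SIP/2.0", _VIA, _FROM,
                    "To: <sip:bob@pbx.example.test>;tag=a6c85cf", _CALLID, "CSeq: 3 REFER",
                    "Refer-To: <sip:carol@pbx.example.test>")

if __name__ == "__main__":
    for name, sample in [("initial", SAMPLE_INITIAL), ("initial+Replaces", SAMPLE_INITIAL_REPLACES),
                         ("re-INVITE", SAMPLE_REINVITE), ("in-dialog+Replaces", SAMPLE_IN_DIALOG_REPLACES),
                         ("compact in-dialog+Replaces", SAMPLE_COMPACT_IN_DIALOG_REPLACES),
                         ("REFER", SAMPLE_REFER)]:
        print(f"{name:28s} -> {classify_invite(sample)}")
```

Only the `in-dialog-invite-replaces` result is the pattern the advisory describes; `initial-invite-replaces` is an ordinary attended transfer and should not be treated as suspicious on its own. Feeding every request from a SIP trace through `classify_invite` and alerting on that one result gives a cheap detection that does not depend on any Asterisk internals.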
Impact
Successful exploitation causes a denial of service: the Asterisk process crashes when the other thread accesses the freed channel, taking down every call handled by that server, not just the attacker's own dialog. The advisory classifies the issue as a remote crash and rates its severity as Critical [1].
Mitigation
The vulnerability is fixed in Asterisk 12.7.1 and 13.0.1; upgrading is the only complete fix [1]. As a workaround, administrators who do not need REFER or attended-transfer support for PJSIP endpoints can keep res_pjsip_refer from loading (a `noload => res_pjsip_refer.so` line in modules.conf); note that this disables both REFER and INVITE-with-Replaces handling for all PJSIP endpoints, not just the vulnerable path. The advisory reported no known exploits at publication [1], and the CVE is not listed in the CISA KEV catalog.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Asterisk Open Source 12.x before 12.7.1
- Asterisk Open Source 13.x before 13.0.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] AST-2014-016, Asterisk Project Security Advisory (vendor advisory, listed by NVD): https://downloads.asterisk.org/pub/security/AST-2014-016.html
News mentions
No linked articles in our index yet.