CVE-2021-26712
First published: Thu Feb 18 2021(Updated: )
Incorrect access controls in res_srtp.c in Sangoma Asterisk 13.38.1, 16.16.0, 17.9.1, and 18.2.0 and Certified Asterisk 16.8-cert5 allow a remote unauthenticated attacker to prematurely terminate secure calls by replaying SRTP packets.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Asterisk | >=13.0.0<=13.38.2 | |
| Asterisk | >=16.0.0<16.16.1 | |
| Asterisk | >=17.0.0<17.9.2 | |
| Asterisk | >=18.0<18.2.1 | |
| Asterisk Certified Asterisk | =16.8 | |
| Asterisk Certified Asterisk | =16.8-cert1-rc1 | |
| Asterisk Certified Asterisk | =16.8-cert1-rc2 | |
| Asterisk Certified Asterisk | =16.8-cert1-rc3 | |
| Asterisk Certified Asterisk | =16.8-cert1-rc4 | |
| Asterisk Certified Asterisk | =16.8-cert2 | |
| Asterisk Certified Asterisk | =16.8-cert3 | |
| Asterisk Certified Asterisk | =16.8-cert4 | |
| Asterisk Certified Asterisk | =16.8-cert4-rc1 | |
| Asterisk Certified Asterisk | =16.8-cert4-rc2 | |
| Asterisk Certified Asterisk | =16.8-cert4-rc3 | |
| Asterisk Certified Asterisk | =16.8-cert4-rc4 | |
| Asterisk Certified Asterisk | =16.8-cert5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://packetstormsecurity.com/files/161473/Asterisk-Project-Security-Advisory-AST-2021-003.html
- http://seclists.org/fulldisclosure/2021/Feb/59
- https://downloads.asterisk.org/pub/security/
- https://downloads.asterisk.org/pub/security/AST-2021-003.html
- https://issues.asterisk.org/jira/browse/ASTERISK-29260
Frequently Asked Questions
What is CVE-2021-26712?
CVE-2021-26712 is a vulnerability that allows a remote unauthenticated attacker to prematurely terminate secure calls by replaying SRTP packets in Sangoma Asterisk and Certified Asterisk.
What is the severity of CVE-2021-26712?
CVE-2021-26712 has a severity value of 7.5, which is considered high.
Which software versions are affected by CVE-2021-26712?
Sangoma Asterisk versions 13.38.1, 16.16.0, 17.9.1, and 18.2.0, as well as Certified Asterisk version 16.8-cert5, are affected by CVE-2021-26712.
How can an attacker exploit CVE-2021-26712?
An attacker can exploit CVE-2021-26712 by replaying SRTP packets to prematurely terminate secure calls on vulnerable Sangoma Asterisk and Certified Asterisk systems.
Are there any references for CVE-2021-26712?
Yes, you can find more information about CVE-2021-26712 in the following references: [1] http://packetstormsecurity.com/files/161473/Asterisk-Project-Security-Advisory-AST-2021-003.html, [2] http://seclists.org/fulldisclosure/2021/Feb/59, [3] https://downloads.asterisk.org/pub/security/
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/author
- agent/last-modified-date
- agent/references
- agent/severity
- agent/event
- agent/first-publish-date
- agent/description
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/digium
- canonical/asterisk
- version/asterisk/13.0.0
- version/asterisk/13.38.2
- version/asterisk/16.0.0
- version/asterisk/17.0.0
- version/asterisk/18.0
- canonical/asterisk certified asterisk
- version/asterisk certified asterisk/16.8
- version/asterisk certified asterisk/16.8-cert1-rc1
- version/asterisk certified asterisk/16.8-cert1-rc2
- version/asterisk certified asterisk/16.8-cert1-rc3
- version/asterisk certified asterisk/16.8-cert1-rc4
- version/asterisk certified asterisk/16.8-cert2
- version/asterisk certified asterisk/16.8-cert3
- version/asterisk certified asterisk/16.8-cert4
- version/asterisk certified asterisk/16.8-cert4-rc1
- version/asterisk certified asterisk/16.8-cert4-rc2
- version/asterisk certified asterisk/16.8-cert4-rc3
- version/asterisk certified asterisk/16.8-cert4-rc4
- version/asterisk certified asterisk/16.8-cert5