CVE-2021-37706

CVE	CVE-2021-37706
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2021-12-22 18:15:00 UTC
Updated	2023-08-30 01:15:00 UTC
Description	PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In affected versions if the incoming STUN message contains an ERROR-CODE attribute, the header length is not checked before performing a subtraction operation, potentially resulting in an integer underflow scenario. This issue affects all users that use STUN. A malicious actor located within the victim’s network may forge and send a specially crafted UDP (STUN) message that could remotely execute arbitrary code on the victim’s machine. Users are advised to upgrade as soon as possible. There are no known workarounds.

Problem Types: CWE-191

Type	Vendor	Product	Version	Update	Edition	Language
Application	Asterisk	Certified Asterisk	All	All	All	All
Application	Asterisk	Certified Asterisk	16.8.0	All	All	All
Application	Asterisk	Certified Asterisk	16.8.0	cert1	All	All
Application	Asterisk	Certified Asterisk	16.8.0	cert10	All	All
Application	Asterisk	Certified Asterisk	16.8.0	cert11	All	All
Application	Asterisk	Certified Asterisk	16.8.0	cert12	All	All
Application	Asterisk	Certified Asterisk	16.8.0	cert2	All	All
Application	Asterisk	Certified Asterisk	16.8.0	cert3	All	All
Application	Asterisk	Certified Asterisk	16.8.0	cert4	All	All
Application	Asterisk	Certified Asterisk	16.8.0	cert5	All	All
Application	Asterisk	Certified Asterisk	16.8.0	cert6	All	All
Application	Asterisk	Certified Asterisk	16.8.0	cert7	All	All
Application	Asterisk	Certified Asterisk	16.8.0	cert8	All	All
Application	Asterisk	Certified Asterisk	16.8.0	cert9	All	All
Operating System	Debian	Debian Linux	10.0	All	All	All
Operating System	Debian	Debian Linux	9.0	All	All	All
Application	Sangoma	Asterisk	All	All	All	All
Application	Teluu	Pjsip	All	All	All	All

Reference	Source	Link	Tags
Potential integer underflow upon receiving STUN message · Advisory · pjsip/pjproject · GitHub	CONFIRM	github.com
Full Disclosure: AST-2022-004: pjproject: integer underflow on STUN message	FULLDISC	seclists.org
[SECURITY] [DLA 2962-1] pjproject security update	MLIST	lists.debian.org
PJSIP: Multiple Vulnerabilities (GLSA 202210-37) — Gentoo security	GENTOO	security.gentoo.org
Merge pull request from GHSA-2qpg-f6wf-w984 · pjsip/pjproject@15663e3 · GitHub	MISC	github.com
[SECURITY] [DLA 3549-1] ring security update	MLIST	lists.debian.org
Debian -- Security Information -- DSA-5285-1 asterisk	DEBIAN	www.debian.org
[SECURITY] [DLA 3194-1] asterisk security update	MLIST	lists.debian.org
Asterisk Project Security Advisory - AST-2022-004 ≈ Packet Storm	MISC	packetstormsecurity.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

179161 Debian Security Update for pjproject (DLA 2962-1)
181225 Debian Security Update for asterisk (DLA 3194-1)
181237 Debian Security Update for asterisk (DSA 5285-1)
182517 Debian Security Update for ring (CVE-2021-37706)
199817 Ubuntu Security Notification for Ring Vulnerabilities (USN-6422-1)
199901 Ubuntu Security Notification for Ring Vulnerabilities (USN-6422-2)
502231 Alpine Linux Security Update for pjproject
504292 Alpine Linux Security Update for pjproject
6000045 Debian Security Update for ring (DLA 3549-1)
690808 Free Berkeley Software Distribution (FreeBSD) Security Update for asterisk (964c5460-9c66-11ec-ad3a-001999f8d30b)
710674 Gentoo Linux PJSIP Multiple Vulnerabilities (GLSA 202210-37)