AST-2015-001: File descriptor leak when incompatible codecs are offered

From: Asterisk Security Team <>
Subject: AST-2015-001: File descriptor leak when incompatible codecs are offered

               Asterisk Project Security Advisory - AST-2015-001

         Product        Asterisk                                              
         Summary        File descriptor leak when incompatible codecs are     
    Nature of Advisory  Resource exhaustion                                   
      Susceptibility    Remote Authenticated Sessions                         
         Severity       Major                                                 
      Exploits Known    No                                                    
       Reported On      6 January, 2015                                       
       Reported By      Y Ateya                                               
        Posted On       9 January, 2015                                       
     Last Updated On    January 28, 2015                                      
     Advisory Contact   Mark Michelson <mmichelson AT digium DOT com>         
         CVE Name       Pending                                               

    Description  Asterisk may be configured to only allow specific audio or   
                 video codecs to be used when communicating with a            
                 particular endpoint. When an endpoint sends an SDP offer     
                 that only lists codecs not allowed by Asterisk, the offer    
                 is rejected. However, in this case, RTP ports that are       
                 allocated in the process are not reclaimed.                  
                 This issue only affects the PJSIP channel driver in          
                 Asterisk. Users of the chan_sip channel driver are not       
                 As the resources are allocated after authentication, this    
                 issue only affects communications with authenticated         

    Resolution  The reported leak has been patched.                           

                               Affected Versions       
                         Product                       Release  
                  Asterisk Open Source                  1.8.x   Unaffected    
                  Asterisk Open Source                  11.x    Unaffected    
                  Asterisk Open Source                  12.x    All versions  
                  Asterisk Open Source                  13.x    All versions  
                   Certified Asterisk                  1.8.28   Unaffected    
                   Certified Asterisk                   11.6    Unaffected    

                                  Corrected In                
                            Product                              Release      
                      Asterisk Open Source                    12.8.1, 13.1.1  

                                SVN URL                              Revision   Asterisk 
                                                                     12    Asterisk 


    Asterisk Project Security Advisories are posted at                                                             
    This document may be superseded by later versions; if so, the latest      
    version will be posted at                                             and                        

                                Revision History
         Date            Editor                  Revisions Made               
    9 January, 2015  Mark Michelson  Initial creation                         

               Asterisk Project Security Advisory - AST-2015-001
              Copyright (c) 2015 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

Copyright © 1995-2020 All rights reserved.