Executive Summary

CVE-2025-54995 is a vulnerability in the Asterisk telephony software where RTP UDP ports and internal resources leak due to improper session termination. Specifically, when Asterisk handles SIP INVITE requests with malformed or fixed branch parameters in the Via header, it fails to properly receive BYE requests, causing calls to remain open and resources like RTP ports and module usage counters to leak. This leads to resource exhaustion, potentially causing denial-of-service (DoS) conditions. The issue affects all transport protocols (UDP, TCP, TLS) and was patched by updating the bundled pjproject library to version 2.15.1, which ensures RTP ports are correctly released after use. [5, 1, 2]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to resource exhaustion on systems running vulnerable versions of Asterisk. An attacker can remotely exploit it by sending specially crafted SIP INVITE requests that prevent proper call termination, causing RTP UDP ports and internal resources to leak. Over time, this can exhaust available RTP ports and increase module usage counters, resulting in denial-of-service (DoS) conditions where the telephony service becomes unavailable or unstable. [5, 1, 2]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for signs of resource exhaustion related to RTP UDP ports and PJSIP module usage counters on your Asterisk system. Specifically, look for unusually high or continuously increasing RTP port usage and module counters, which indicate leaked resources. Additionally, network traffic analysis can help detect SIP INVITE requests with malformed or fixed branch parameters in the Via header (e.g., branch=012345678) that prevent proper session termination. A proof-of-concept exploit uses the SIPp tool to send such INVITE requests. Therefore, commands to monitor system resource usage (e.g., netstat or ss to check UDP port usage), and Asterisk CLI commands to check PJSIP module counters can be useful. For example, within Asterisk CLI, commands like `pjsip show endpoints` or `pjsip show channels` may help identify stuck or leaked sessions. On the network side, using packet capture tools like tcpdump or Wireshark to filter SIP INVITE messages with suspicious branch parameters can assist detection. [5]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade Asterisk to a patched version where this vulnerability is fixed, specifically versions 18.26.4 or 18.9-cert17 or later. These versions include an updated bundled pjproject library (version 2.15.1) that properly releases RTP UDP ports and internal resources, preventing resource exhaustion. Until the upgrade can be applied, monitor and limit incoming SIP INVITE requests with malformed or fixed branch parameters to reduce exploitation risk. Applying network-level filtering or rate limiting on SIP traffic may help mitigate attacks. Also, review and adjust dialplan logic to ensure proper call termination where possible. Ultimately, upgrading to the fixed versions is the recommended and effective mitigation. [1, 2, 5]

Useful 0 Not Useful 0