CVE-2021-37706

7.3 HIGH

📋 TL;DR

CVE-2021-37706 is an integer underflow in PJSIP's STUN message parsing (the pjnath library). When an incoming STUN message carries an ERROR-CODE attribute, the attribute length is not checked before a subtraction is performed on it, so an attribute shorter than the 4 fixed bytes produces an underflowed length for the reason phrase. An attacker located within the victim's network can forge a single crafted UDP (STUN) message, with no authentication, that may crash the process or lead to arbitrary code execution. All users of PJSIP that use STUN are affected.

💻 Affected Systems

Products:
  • PJSIP (pjproject)
  • Asterisk PBX
  • Other software using PJSIP library
Versions: All versions before commit 15663e3f37091069b8c98a7fce680dc04bc8e865
Operating Systems: All platforms running PJSIP
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with STUN functionality enabled/used. Many VoIP/PBX systems use PJSIP.

📦 What is this software?

PJSIP (pjproject) is an open-source C library for SIP, media (RTP/SDP) and NAT traversal. Its pjnath component implements STUN, TURN and ICE; that is where this bug lives. PJSIP is embedded in many VoIP stacks, most prominently Asterisk (bundled pjproject used by res_pjsip and for ICE/STUN in RTP handling).

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full remote code execution with system compromise, allowing the attacker to install malware, exfiltrate data, or pivot to other systems.

🟠 Likely Case: Service disruption through denial of service (crash of the PJSIP-based process) or limited code execution within the PJSIP process context.

🟢 If Mitigated: Network segmentation prevents exploitation; vulnerable systems isolated from untrusted networks remain protected.

🌐 Internet-Facing: MEDIUM - Requires UDP/STUN port exposure and attacker ability to send crafted packets, but many implementations are behind NAT/firewalls.
🏢 Internal Only: HIGH - Internal attackers or compromised internal systems can exploit this easily via local network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit requires the ability to deliver a UDP packet to a socket on which PJSIP parses STUN. For a STUN/TURN server role that is the listening port (typically UDP 3478 or the configured port); for a PJSIP client using ICE it is the local media port on which STUN responses and connectivity checks are received, so the attacker only needs to forge a response. A proof of concept is available in public disclosures.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions with commit 15663e3f37091069b8c98a7fce680dc04bc8e865 or later

Vendor Advisory: https://github.com/pjsip/pjproject/security/advisories/GHSA-2qpg-f6wf-w984

Restart Required: Yes

Instructions:

1. Update PJSIP to the latest version or apply commit 15663e3f37091069b8c98a7fce680dc04bc8e865.
2. Recompile and reinstall.
3. Restart all services using PJSIP.
4. For Asterisk: update to the patched version per the AST-2022-004 advisory (the fix is in the bundled pjproject, so a rebuilt Asterisk is required even if the system pjproject is untouched).

🔧 Temporary Workarounds

Disable STUN

Platform: all

Disable STUN/ICE functionality in the PJSIP configuration if it is not required. This removes the attack surface entirely; the network filters below only narrow it.

# Edit the PJSIP-based application's config to stop using STUN/ICE
# For Asterisk: in rtp.conf set 'icesupport=no' and remove any 'stunaddr=' line;
#               on pjsip.conf endpoints set 'ice_support=no'

Network filtering

Platform: linux

Block inbound UDP STUN traffic at the network perimeter. Note the limitation: this protects a STUN/TURN server port, but a PJSIP client that sends STUN requests receives replies on its own media/ICE port, so inbound filtering on 3478 alone does not cover forged responses to clients. Restrict the source addresses allowed to reach those ports as well.

# Example iptables rule (STUN server port; adjust the port to your configuration):
iptables -A INPUT -p udp --dport 3478 -j DROP

🧯 If You Can't Patch

  • Segment network to isolate PJSIP systems from untrusted networks
  • Implement strict firewall rules to allow STUN traffic only from trusted sources

🔍 How to Verify

Check if Vulnerable:

Check PJSIP version or git commit hash. If using pre-commit 15663e3f37091069b8c98a7fce680dc04bc8e865, vulnerable.

Check Version:

pkg-config --modversion libpjproject        # installed pjproject version
git merge-base --is-ancestor 15663e3f37091069b8c98a7fce680dc04bc8e865 HEAD && echo fixed || echo vulnerable   # run inside a pjproject source checkout

Verify Fix Applied:

Verify that commit 15663e3f37091069b8c98a7fce680dc04bc8e865 is an ancestor of the built source (git merge-base --is-ancestor, as above), or check the running version against the patched releases. For Asterisk, verify that the installed build corresponds to a release listed as fixed in AST-2022-004; the system pjproject version is irrelevant when the bundled copy is in use.

📡 Detection & Monitoring

Log Indicators:

  • STUN error messages
  • Process crashes in PJSIP/Asterisk logs
  • Unexpected memory access errors

Network Indicators:

  • Malformed STUN packets with ERROR-CODE attribute
  • UDP traffic to STUN ports with unusual patterns
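The following C program is an added example for this page, not code from pjproject or Asterisk. It illustrates two things the text above describes: the unchecked subtraction on the ERROR-CODE attribute length that the TL;DR calls an integer underflow, and a hardened parser for that attribute that doubles as the "malformed STUN packet with ERROR-CODE attribute" network check listed under Network Indicators. The STUN constants (20-byte header, magic cookie 0x2112A442, attribute type 0x0009, 4-byte attribute padding, class 3..6 / number 0..99) are from RFC 5389; the two sample packets are constructed for the example, and none of the function or variable names reflect pjproject's internal structures.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define STUN_HDR_LEN         20
#define STUN_ATTR_HDR_LEN    4
#define STUN_MAGIC           0x2112A442u
#define STUN_ATTR_ERROR_CODE 0x0009

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Vulnerable pattern (illustrative, not pjproject's exact code): the reason
 * phrase length is derived from the attribute length without first checking
 * that the 4 fixed bytes (reserved, class, number) are present. For a 16-bit
 * length of 0..3 the subtraction goes below zero; as an unsigned size it wraps
 * to roughly SIZE_MAX, which a subsequent copy would use as its byte count. */
static size_t reason_len_unchecked(uint16_t attr_len)
{
    return (size_t)attr_len - 4u;
}

/* Hardened parser for one ERROR-CODE attribute starting at `attr`, with
 * `remaining` bytes of message left from that point. Returns 0 on success,
 * -1 if the attribute is malformed. */
static int parse_error_code(const uint8_t *attr, size_t remaining,
                            unsigned *code, size_t *reason_len)
{
    if (remaining < STUN_ATTR_HDR_LEN) return -1;
    uint16_t type = rd16(attr), len = rd16(attr + 2);
    if (type != STUN_ATTR_ERROR_CODE) return -1;
    if (len < 4) return -1;                               /* the missing check */
    if (len > remaining - STUN_ATTR_HDR_LEN) return -1;   /* value must fit in message */
    unsigned cls = attr[6] & 0x7, num = attr[7];          /* RFC 5389 section 15.6 */
    if (cls < 3 || cls > 6 || num > 99) return -1;
    *code = cls * 100 + num;
    *reason_len = (size_t)len - 4;
    return 0;
}

/* Convenience wrapper: numeric error code, or 0 if the attribute is malformed. */
static unsigned error_code_of(const uint8_t *attr, size_t remaining)
{
    unsigned code = 0; size_t n = 0;
    return parse_error_code(attr, remaining, &code, &n) == 0 ? code : 0;
}

/* Network-indicator check over a whole UDP payload. Returns 1 if the packet is
 * STUN and carries an ERROR-CODE attribute that fails validation (including the
 * length < 4 trigger), 0 if it is STUN and clean, -1 if it is not a
 * well-formed STUN message at all. */
static int stun_scan_error_code(const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < STUN_HDR_LEN || (pkt[0] & 0xC0) != 0) return -1;  /* top two bits are zero */
    if (rd16(pkt + 2) != pkt_len - STUN_HDR_LEN) return -1;          /* header length field */
    if (rd32(pkt + 4) != STUN_MAGIC) return -1;
    size_t off = STUN_HDR_LEN;
    while (off + STUN_ATTR_HDR_LEN <= pkt_len) {
        uint16_t type = rd16(pkt + off), len = rd16(pkt + off + 2);
        size_t val_off = off + STUN_ATTR_HDR_LEN;
        if (len > pkt_len - val_off) return -1;                      /* value runs past packet */
        if (type == STUN_ATTR_ERROR_CODE) {
            unsigned code; size_t n;
            if (parse_error_code(pkt + off, pkt_len - off, &code, &n) != 0) return 1;
        }
        off = val_off + (((size_t)len + 3) & ~(size_t)3);            /* 4-byte padding */
    }
    return 0;
}

/* Constructed sample: Binding Error Response whose ERROR-CODE attribute has length 0. */
static const uint8_t crafted_pkt[] = {
    0x01, 0x11, 0x00, 0x04, 0x21, 0x12, 0xA4, 0x42,
    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B,
    0x00, 0x09, 0x00, 0x00                 /* ERROR-CODE, length 0 (< 4) */
};

/* Constructed sample: well-formed 400 "Bad Request" (length 15, padded to 16). */
static const uint8_t benign_pkt[] = {
    0x01, 0x11, 0x00, 0x14, 0x21, 0x12, 0xA4, 0x42,
    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B,
    0x00, 0x09, 0x00, 0x0F, 0x00, 0x00, 0x04, 0x00,
    'B', 'a', 'd', ' ', 'R', 'e', 'q', 'u', 'e', 's', 't', 0x00
};

int main(void)
{
    printf("unchecked reason length for attr_len=0: %zu\n", reason_len_unchecked(0));
    printf("crafted packet: %d\n", stun_scan_error_code(crafted_pkt, sizeof crafted_pkt));
    printf("benign packet:  %d (code %u)\n",
           stun_scan_error_code(benign_pkt, sizeof benign_pkt),
           error_code_of(benign_pkt + STUN_HDR_LEN, sizeof benign_pkt - STUN_HDR_LEN));
    return 0;
}
```

The scanner is the shape a packet-capture or IDS check for this indicator would take: fail closed on anything that is not a STUN message, then flag ERROR-CODE attributes whose length is below the 4-byte minimum or whose value overruns the datagram. On a live sensor the same logic would run over UDP payloads to the ports identified in the Exploit Status section.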

SIEM Query:

(source="*pjsip*" OR source="*asterisk*") AND ("crash" OR "segfault" OR "STUN error")

Without the parentheses, AND binds tighter than OR and the query returns every pjsip event regardless of the crash terms.
