CVE-2021-43299
📋 TL;DR
CVE-2021-43299 is a critical stack-based buffer overflow vulnerability in the PJSUA API of the pjproject library, triggered when calling pjsua_player_create with a maliciously long filename argument. This allows remote attackers to execute arbitrary code or cause denial-of-service on systems using vulnerable versions of the library. It affects applications that utilize the PJSUA API for media playback, such as VoIP and multimedia software.
💻 Affected Systems
- pjproject
- applications using PJSUA API (e.g., VoIP software, media players)
📦 What is this software?
Pjsip by Teluu
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to full system compromise, enabling attackers to install malware, steal data, or pivot to other systems.
Likely Case
Denial-of-service crashes or potential remote code execution in exposed applications, depending on exploitability and mitigations like ASLR.
If Mitigated
Limited to denial-of-service if exploit fails or controls like input validation are implemented, reducing impact to service disruption.
🎯 Exploit Status
Exploitation is straightforward due to lack of input validation; public proof-of-concept code exists, increasing risk of weaponization in attacks.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.12.1 and later
Vendor Advisory: https://github.com/pjsip/pjproject/security/advisories/GHSA-qcvw-h34v-c7r9
Restart Required: Yes
Instructions:
1. Update pjproject to version 2.12.1 or later.
2. For Debian systems, apply security updates via 'apt-get update && apt-get upgrade'.
3. Restart affected applications or services to apply the patch.
🔧 Temporary Workarounds
Input Validation for Filenames
Implement strict input validation to limit filename length and characters before passing it to pjsua_player_create.
# Example: In application code, validate filename length (e.g., max 255 chars) and sanitize input.
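The check described above, written out as an added example (not pjproject's code): the 255-byte cap, the printable-ASCII rule and the ".." rejection are assumptions for illustration, and the application would call pjsua_player_create only when check_player_filename returns FNAME_OK.

```c
#include <stddef.h>
#include <string.h>
/* Assumed cap (not from pjproject): a 255-byte bound on the filename. */
#define PLAYER_FILENAME_MAX 255

enum fname_check {
    FNAME_OK = 0,
    FNAME_NULL,      /* NULL pointer */
    FNAME_EMPTY,     /* zero-length name */
    FNAME_TOO_LONG,  /* over PLAYER_FILENAME_MAX: the overflow trigger */
    FNAME_BAD_CHAR,  /* control byte or non-ASCII byte */
    FNAME_TRAVERSAL  /* ".." path component */
};

/* Return the first problem found, or FNAME_OK. The length scan stops after
 * PLAYER_FILENAME_MAX + 1 bytes, so an unterminated buffer cannot make the
 * check itself read far past the bound it enforces. */
enum fname_check check_player_filename(const char *name)
{
    size_t len = 0, i;
    if (name == NULL)
        return FNAME_NULL;
    while (len <= PLAYER_FILENAME_MAX && name[len] != '\0')
        len++;
    if (len == 0)
        return FNAME_EMPTY;
    if (len > PLAYER_FILENAME_MAX)
        return FNAME_TOO_LONG;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c < 0x20 || c >= 0x7f)
            return FNAME_BAD_CHAR;
    }
    if (strcmp(name, "..") == 0 || strncmp(name, "../", 3) == 0 ||
        strstr(name, "/../") != NULL ||
        (len >= 3 && strcmp(name + len - 3, "/..") == 0))
        return FNAME_TRAVERSAL;
    return FNAME_OK;
}

/* Constructed sample: a name of n 'A' bytes (n < 1024), showing that an
 * over-long filename is refused before any library call is made. */
enum fname_check check_constructed_name(size_t n)
{
    char buf[1024];
    if (n >= sizeof buf)
        n = sizeof buf - 1;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return check_player_filename(buf);
}
```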
Disable Vulnerable Functionality
If possible, disable or restrict usage of pjsua_player_create in applications until patched.
# Modify application configuration or code to avoid calling pjsua_player_create with untrusted inputs.
🧯 If You Can't Patch
- Isolate affected systems in a segmented network to limit exposure and prevent lateral movement.
- Implement strict firewall rules to block unnecessary network access to applications using the vulnerable API.
🔍 How to Verify
Check if Vulnerable:
Check the pjproject version; if below 2.12.1, it is vulnerable. Use 'pkg-config --modversion pjproject' or inspect library files.
Check Version:
pkg-config --modversion pjproject 2>/dev/null || grep -i version /usr/include/pjlib.h 2>/dev/null
Verify Fix Applied:
After updating, confirm version is 2.12.1 or higher using the same command and test that pjsua_player_create no longer overflows with long filenames.
📡 Detection & Monitoring
Log Indicators:
- Application crashes or segmentation faults in logs related to pjsua_player_create calls
- Unusual long filename inputs in application logs
Network Indicators:
- Anomalous network traffic to services using PJSUA API, especially with large payloads
SIEM Query:
Example: 'source=*log* AND ("segmentation fault" OR "buffer overflow") AND "pjsua"'
🔗 References
- https://github.com/pjsip/pjproject/security/advisories/GHSA-qcvw-h34v-c7r9
- https://lists.debian.org/debian-lts-announce/2022/03/msg00035.html
- https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html
- https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html
- https://www.debian.org/security/2022/dsa-5285
- https://lists.debian.org/debian-lts-announce/2024/09/msg00030.html