CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
Description
Information disclosure may occur while processing a goodbye RTCP packet from the network.
Analysis
CVE-2024-53021 is an information disclosure vulnerability in RTCP (Real-time Transport Control Protocol) packet processing that allows unauthenticated remote attackers to leak sensitive data by sending malicious goodbye (BYE) RTCP packets. The vulnerability affects multiple VoIP and real-time communication products that process RTCP traffic; an attacker on the network can extract confidential information without authentication or user interaction, and may also cause limited availability impact. The high CVSS score of 8.2 reflects the severe confidentiality impact, the network attack vector, and the low attack complexity.
Technical Context
RTCP (Real-time Transport Control Protocol, RFC 3550) is a companion protocol to RTP used for control and feedback in multimedia streaming applications. The vulnerability exists in the processing logic for RTCP BYE (goodbye) packets, a fundamental control message indicating that a participant is leaving an RTP session. CWE-126 (Buffer Over-read) indicates that the root cause is a read beyond intended buffer boundaries during RTCP packet parsing, likely when handling malformed BYE packet payloads or optional fields. Such a buffer over-read can expose adjacent memory containing session keys, authentication tokens, codec parameters, or other sensitive RTP/RTCP session data. The vulnerability chain involves: (1) receipt of an RTCP BYE packet from the network, (2) insufficient bounds checking during deserialization, (3) out-of-bounds memory access leaking heap or stack data. Affected products typically include VoIP endpoints (SIP phones, softphones), media servers, RTC libraries, and unified communications platforms that implement RTCP per RFC 3550.
Affected Products
The CVE description does not specify vendor names or products, and no CPE strings are provided for this entry. Based on the RTCP processing vulnerability class, potentially affected categories include: (1) VoIP/UCaaS platforms (Cisco Webex, Microsoft Teams media stack, Zoom RTC engine, Avaya Communication Manager), (2) open-source RTC libraries (libsrtp, pjsip, asterisk), (3) WebRTC implementations (Chromium, Firefox media engines), (4) enterprise PBX systems, (5) media servers (FreeSWITCH, Kamailio). Without vendor advisory references or CPE data, a precise affected product list cannot be constructed. Immediate action: check vendor advisories for RFC 3550 RTCP implementations and query NVD CPE records using the CVE-2024-53021 identifier for authoritative product versions.
Remediation
Specific patch information is not provided for this entry. Remediation steps follow standard vulnerability response: (1) consult vendor security advisories linked to CVE-2024-53021 for affected product versions and patched releases, (2) apply security patches immediately to production systems, prioritizing media servers and SIP endpoints, (3) if patches are unavailable, implement network-level RTCP filtering/monitoring to detect malformed BYE packets using DPI (deep packet inspection) rules that validate RTCP packet structure per RFC 3550, (4) disable RTCP BYE processing if operationally feasible, falling back to session timeout mechanisms, (5) isolate RTP sessions to trusted networks with firewall rules restricting RTCP traffic to known peer ranges, (6) monitor for exploit attempts: log RTCP parsing errors, malformed packet drops, and memory access violations. Escalate to vendor support for specific patch timelines and zero-day guidance if production instances cannot be patched immediately.
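The Technical Context section above describes the failure mode (a BYE packet whose header fields promise more data than the datagram actually carries) and remediation step (3) calls for validating RTCP packet structure per RFC 3550. The following is an added example, not code from any affected product or from this advisory, of a bounds-checked RTCP BYE parser in C that rejects every such mismatch before reading. The sample packets are constructed for illustration; the SSRC value and reason text are arbitrary. The checks it performs (declared length versus buffer length, source count versus declared length, reason-string length versus remaining bytes, padding count versus packet size) are exactly the ones a DPI rule or an endpoint parser needs to enforce.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RTCP_PT_BYE 203          /* payload type for BYE, RFC 3550 section 6.6 */

enum bye_status {
    BYE_OK = 0,
    BYE_ERR_SHORT,       /* fewer than 4 bytes: no complete RTCP header */
    BYE_ERR_VERSION,     /* V field is not 2 */
    BYE_ERR_TYPE,        /* payload type is not BYE */
    BYE_ERR_LENGTH,      /* declared length exceeds the bytes we actually hold */
    BYE_ERR_SC,          /* source count needs more SSRCs than the packet carries */
    BYE_ERR_REASON       /* reason-for-leaving length runs past the packet end */
};

struct rtcp_bye {
    unsigned source_count;
    uint32_t ssrc[31];       /* SC is a 5-bit field, so at most 31 entries */
    size_t reason_len;
    char reason[256];        /* reason length is one octet, so at most 255 + NUL */
};

/* Parse one RTCP BYE packet from buf[0..buflen). Every read is preceded by a
 * check that the bytes exist, so a malformed packet yields an error code
 * instead of an over-read of whatever memory follows the datagram. */
enum bye_status parse_rtcp_bye(const uint8_t *buf, size_t buflen, struct rtcp_bye *out)
{
    if (buflen < 4)
        return BYE_ERR_SHORT;
    if ((buf[0] >> 6) != 2)
        return BYE_ERR_VERSION;
    if (buf[1] != RTCP_PT_BYE)
        return BYE_ERR_TYPE;

    unsigned sc = buf[0] & 0x1f;
    /* Length field counts 32-bit words minus one, including header and padding. */
    size_t pktlen = (((size_t)buf[2] << 8 | buf[3]) + 1) * 4;
    if (pktlen > buflen)
        return BYE_ERR_LENGTH;           /* the over-read guard: trust the buffer, not the header */

    if (buf[0] & 0x20) {                 /* P bit: last octet of the packet is the padding count */
        size_t pad = buf[pktlen - 1];
        if (pad == 0 || pad > pktlen - 4)
            return BYE_ERR_LENGTH;
        pktlen -= pad;
    }

    size_t need = 4 + (size_t)sc * 4;    /* header plus SC SSRC/CSRC identifiers */
    if (need > pktlen)
        return BYE_ERR_SC;

    memset(out, 0, sizeof *out);
    out->source_count = sc;
    for (unsigned i = 0; i < sc; i++) {
        const uint8_t *p = buf + 4 + (size_t)i * 4;
        out->ssrc[i] = (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
    }

    if (need < pktlen) {                 /* optional reason: 1 length octet + text */
        size_t rlen = buf[need];
        if (need + 1 + rlen > pktlen)
            return BYE_ERR_REASON;
        memcpy(out->reason, buf + need + 1, rlen);
        out->reason_len = rlen;
    }
    return BYE_OK;
}

/* Constructed sample packets (not captured traffic). */
/* V=2, P=0, SC=1, PT=203, length=2 (3 words = 12 bytes), SSRC, reason "bye". */
static const uint8_t BYE_GOOD[]       = {0x81, 203, 0x00, 0x02, 0xde, 0xad, 0xbe, 0xef, 3, 'b', 'y', 'e'};
/* Same bytes but the header claims 10 words (40 bytes) while only 12 arrived. */
static const uint8_t BYE_BAD_LENGTH[] = {0x81, 203, 0x00, 0x09, 0xde, 0xad, 0xbe, 0xef, 3, 'b', 'y', 'e'};
/* SC=5 would need 24 bytes of SSRCs inside a 12-byte packet. */
static const uint8_t BYE_BAD_SC[]     = {0x85, 203, 0x00, 0x02, 0xde, 0xad, 0xbe, 0xef, 3, 'b', 'y', 'e'};
/* Reason length 16 with only 3 bytes of packet left. */
static const uint8_t BYE_BAD_REASON[] = {0x81, 203, 0x00, 0x02, 0xde, 0xad, 0xbe, 0xef, 16, 'a', 'b', 'c'};

int main(void)
{
    struct rtcp_bye bye;
    const char *names[] = {"ok", "short", "version", "type", "length", "sc", "reason"};
    printf("good:        %s\n", names[parse_rtcp_bye(BYE_GOOD, sizeof BYE_GOOD, &bye)]);
    printf("bad length:  %s\n", names[parse_rtcp_bye(BYE_BAD_LENGTH, sizeof BYE_BAD_LENGTH, &bye)]);
    printf("bad sc:      %s\n", names[parse_rtcp_bye(BYE_BAD_SC, sizeof BYE_BAD_SC, &bye)]);
    printf("bad reason:  %s\n", names[parse_rtcp_bye(BYE_BAD_REASON, sizeof BYE_BAD_REASON, &bye)]);
    return 0;
}
```

The key design choice is that the declared length is only ever compared against the buffer the receive call actually filled, never used as the read limit itself; any parser that walks SC entries or copies the reason string using header-supplied counts without that comparison is the pattern CWE-126 describes. In a monitoring deployment, each non-OK status maps naturally to a counter or log line for remediation step (6).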
EUVD-2024-54632