CVE-2021-46837: AST-2021-006
res_pjsip_t38 in Sangoma Asterisk 16.x before 16.16.2, 17.x before 17.9.3, and 18.x before 18.2.2, and Certified Asterisk before 16.8-cert7, allows an attacker to trigger a crash by sending an m=image line and zero port in a response to a T.38 re-invite initiated by Asterisk. This is a re-occurrence of the CVE-2019-15297 symptoms but not for exactly the same reason. The crash occurs because there is an append operation relative to the active topology, but this should instead be a replace operation.
Asterisk Project Security Advisory - AST-2021-006
Product:             Asterisk
Summary:             Crash when negotiating T.38 with a zero port
Nature of Advisory:  Remote Crash
Susceptibility:      Remote Authenticated Sessions
Severity:            Minor
Exploits Known:      No
Reported On:         February 20, 2021
Reported By:         Gregory Massel
Posted On:           March 4, 2021
Last Updated On:     March 4, 2021
Advisory Contact:    bford AT sangoma DOT com
CVE Name:            CVE-2019-15297
Description
When Asterisk sends a re-invite initiating T.38 faxing and the endpoint responds with an m=image line and a zero port, Asterisk crashes. This is a recurrence of AST-2019-004.
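The exchange the advisory describes, as an added illustration (not Asterisk code): a minimal SDP media-line parser that recognises a T.38 answer rejecting the image stream (port 0 per RFC 3264), plus a toy model of the root cause, where appending the answer to the active topology leaves a stale stream beside the new one while a replace does not. The SDP bodies are constructed samples.

```python
"""Spot a T.38 re-invite answered with m=image and port 0 (AST-2021-006 trigger)."""
import re
from dataclasses import dataclass

# RFC 4566 media description: m=<media> <port>[/<count>] <proto> <fmt ...>
_MEDIA_RE = re.compile(r"^m=(\S+)\s+(\d+)(?:/\d+)?\s+(\S+)")


@dataclass(frozen=True)
class Stream:
    media: str
    port: int
    proto: str


def parse_streams(sdp: str) -> list:
    """Return the m= lines of an SDP body as Stream objects, in order."""
    streams = []
    for line in sdp.splitlines():
        m = _MEDIA_RE.match(line.strip())
        if m:
            streams.append(Stream(m.group(1), int(m.group(2)), m.group(3)))
    return streams


def answer_rejects_t38(offer_sdp: str, answer_sdp: str) -> bool:
    """True when the offer carried a live m=image (T.38) stream and the
    answer sets the image port to 0, which RFC 3264 defines as rejection."""
    offered = any(s.media == "image" and s.port != 0 for s in parse_streams(offer_sdp))
    rejected = any(s.media == "image" and s.port == 0 for s in parse_streams(answer_sdp))
    return offered and rejected


def merge_topology(active: list, answer: list, replace: bool) -> list:
    """Toy model of the advisory's root cause (hypothetical, not Asterisk's
    own logic): a replace yields one entry per negotiated stream, whereas an
    append keeps the stale active entry next to the rejected one."""
    return list(answer) if replace else list(active) + list(answer)


# Constructed sample bodies, not captured traffic.
OFFER_SDP = "v=0\r\nm=image 4000 udptl t38\r\na=T38FaxVersion:0\r\n"
ANSWER_SDP = "v=0\r\nm=image 0 udptl t38\r\n"

if __name__ == "__main__":
    print("T.38 rejected:", answer_rejects_t38(OFFER_SDP, ANSWER_SDP))  # True
    active = parse_streams(OFFER_SDP)
    print("append:", merge_topology(active, parse_streams(ANSWER_SDP), replace=False))
    print("replace:", merge_topology(active, parse_streams(ANSWER_SDP), replace=True))
```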
Modules Affected
res_pjsip_t38.c
Resolution
If T.38 faxing is not required then setting “t38_udptl” on the endpoint to “no” disables this functionality. This option is “no” by default.
If T.38 faxing is required, then Asterisk should be upgraded to a fixed version.
Affected Versions
Product                 Release Series   Version
Asterisk Open Source    16.x             16.16.1
Asterisk Open Source    17.x             17.9.2
Asterisk Open Source    18.x             18.2.1
Certified Asterisk      16.x             16.8-cert6
Corrected In
Product                 Release
Asterisk Open Source    16.16.2, 17.9.3, 18.2.2
Certified Asterisk      16.8-cert7
Patches
Patch URL                                                              Revision
https://downloads.digium.com/pub/security/AST-2021-006-16.diff         Asterisk 16
https://downloads.digium.com/pub/security/AST-2021-006-17.diff         Asterisk 17
https://downloads.digium.com/pub/security/AST-2021-006-18.diff         Asterisk 18
https://downloads.digium.com/pub/security/AST-2021-006-16.8.diff       Certified Asterisk 16.8
Links
https://issues.asterisk.org/jira/browse/ASTERISK-29203
https://downloads.asterisk.org/pub/security/AST-2021-006.html
Asterisk Project Security Advisories are posted at http://www.asterisk.org/security
This document may be superseded by later versions; if so, the latest version will be posted at https://downloads.digium.com/pub/security/AST-2021-006.pdf and https://downloads.digium.com/pub/security/AST-2021-006.html
Revision History
Date                 Editor      Revisions Made
February 25, 2021    Ben Ford    Initial revision
March 4, 2021        Ben Ford    Added 'posted on' date
Copyright © 02/25/2021 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.