CVE-2019-15297: AST-2019-004
res_pjsip_t38 in Sangoma Asterisk 15.x before 15.7.4 and 16.x before 16.5.1 allows an attacker to trigger a crash by sending a declined stream in a response to a T.38 re-invite initiated by Asterisk. The crash occurs because of a NULL session media object dereference.
Asterisk Project Security Advisory - AST-2019-004

Product:             Asterisk
Summary:             Crash when negotiating for T.38 with a declined stream
Nature of Advisory:  Remote Crash
Susceptibility:      Remote Authenticated Sessions
Severity:            Minor
Exploits Known:      No
Reported On:         August 05, 2019
Reported By:         Alexei Gradinari
Posted On:           September 05, 2019
Last Updated On:     September 4, 2019
Advisory Contact:    kharwell AT sangoma DOT com
CVE Name:            CVE-2019-15297
Description
When Asterisk sends a re-invite initiating T.38 faxing and the endpoint responds with a declined media stream, a crash occurs in Asterisk.
Modules Affected
res_pjsip_t38.c
Resolution
If T.38 faxing is not required, setting the “t38_udptl” configuration option on the endpoint to “no” disables this functionality. This option defaults to “no”, so an endpoint has to have explicitly set it to “yes” to potentially be affected by this issue.
Otherwise, if T.38 faxing is required then Asterisk should be upgraded to a fixed version.
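As an added audit example (not the advisory's or the Asterisk project's own code), the script below lists the endpoints in a pjsip.conf that explicitly set t38_udptl=yes, the precondition the Resolution section names, and checks an Asterisk version string against the corrected releases 15.7.4 and 16.5.1. It assumes a minimal config reader that resolves one level of pjsip.conf template inheritance, and the sample config is constructed.

```python
# Added audit example (not Asterisk project code) for AST-2019-004 / CVE-2019-15297.
# Assumptions: pjsip.conf is read by the minimal parser below, which handles [name],
# [name](!) templates and [name](tmpl) inheritance; the sample config is constructed.
import re

FIXED = {15: (15, 7, 4), 16: (16, 5, 1)}  # corrected releases named in the advisory
SECTION = re.compile(r"^\[([^\]]+)\](?:\(([^)]*)\))?$")

def is_affected_version(version):
    """True for 15.x before 15.7.4 and 16.x before 16.5.1; other series are not listed."""
    parts = tuple(int(p) for p in re.match(r"(\d+)\.(\d+)\.(\d+)", version).groups())
    fixed = FIXED.get(parts[0])
    return fixed is not None and parts < fixed

def parse_pjsip(text):
    """Return {section: {key: value}}, copying template options into sections using them."""
    sections, templates, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            name, flag = m.group(1), m.group(2)
            if flag == "!":  # template definition
                current = templates.setdefault(name, {})
            else:
                current = sections.setdefault(name, {})
                for parent in (flag or "").split(","):
                    current.update(templates.get(parent.strip(), {}))
            continue
        key, _, value = line.partition("=")
        if current is not None:
            current[key.strip()] = value.strip()
    return sections

def exposed_endpoints(text):
    """Endpoints that explicitly set t38_udptl=yes, the precondition named in the advisory."""
    return sorted(name for name, opts in parse_pjsip(text).items()
                  if opts.get("type") == "endpoint"
                  and opts.get("t38_udptl", "no").lower() == "yes")

SAMPLE = """[fax-tmpl](!)   ; constructed sample pjsip.conf
type=endpoint
t38_udptl=yes
[fax-ata](fax-tmpl)
context=fax
[desk-phone]
type=endpoint
t38_udptl=no
"""
```

Run `exposed_endpoints(SAMPLE)` to see that only the endpoint inheriting the fax template is reported; combine it with `is_affected_version()` on the output of `asterisk -V` to decide whether an upgrade is needed.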
Affected Versions
  Product                 Release Series
  Asterisk Open Source    15.x    All releases
  Asterisk Open Source    16.x    All releases

Corrected In
  Product                 Release
  Asterisk Open Source    15.7.4, 16.5.1

Patches
  SVN URL                                                            Revision
  http://downloads.asterisk.org/pub/security/AST-2019-004-15.diff    Asterisk 15
  http://downloads.asterisk.org/pub/security/AST-2019-004-16.diff    Asterisk 16
Links
https://issues.asterisk.org/jira/browse/ASTERISK-28495
Asterisk Project Security Advisories are posted at http://www.asterisk.org/security
This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2019-004.pdf and http://downloads.digium.com/pub/security/AST-2019-004.html
Revision History
  Date               Editor           Revisions Made
  August 28, 2019    Kevin Harwell    Initial revision
Copyright © 2019 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.