asterisk: CVE-2021-46837 AST-2021-006 crash when receiving m=image 0 udptl t38 re-invite fixed in 16.16.2

Related Vulnerabilities: CVE-2021-46837   CVE-2019-15297  

Debian Bug report logs - #1018073


Reported by: Benoit Panizzon <panizzon@woody.ch>

Date: Thu, 25 Aug 2022 08:51:01 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in versions asterisk/1:16.16.1~dfsg-1+deb11u1, asterisk/1:16.16.1~dfsg-1

Fixed in version asterisk/1:18.9.0~dfsg+~cs6.10.40431411-1

Done: Salvatore Bonaccorso <carnil@debian.org>





Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#1018073; Package asterisk. (Thu, 25 Aug 2022 08:51:03 GMT)


Acknowledgement sent to Benoit Panizzon <panizzon@woody.ch>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Thu, 25 Aug 2022 08:51:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Benoit Panizzon <panizzon@woody.ch>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: asterisk: CVE-2019-15297 AST-2021-006 crash when receiving m=image 0 udptl t38 re-invite fixed in 16.16.2
Date: Thu, 25 Aug 2022 10:39:53 +0200
Package: asterisk
Version: 1:16.16.1~dfsg-1+deb11u1
Severity: grave
Tags: security
Justification: causes non-serious data loss
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>

Dear Maintainer,

I noticed my asterisk crashing when receiving a re-invite with

m=image 0 udptl t38

from non-T.38-aware clients like certain snom and Grandstream phones calling the application ReceiveFax.

Turns out this is a known security issue that has been fixed:

https://downloads.asterisk.org/pub/security/AST-2021-006.html

Please also push 16.16.2 to the debian security updates.

-Benoit-

-- System Information:
Debian Release: 11.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-14-amd64 (SMP w/4 CPU threads)
Locale: LANG=de_CH.UTF-8, LC_CTYPE=de_CH.UTF-8 (charmap=UTF-8), LANGUAGE=de_CH:de
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages asterisk depends on:
ii  adduser                  3.118
ii  asterisk-config          1:16.16.1~dfsg-1+deb11u1
ii  asterisk-core-sounds-en  1.6.1-1
ii  asterisk-modules         1:16.16.1~dfsg-1+deb11u1
ii  libc6                    2.31-13+deb11u3
ii  libcap2                  1:2.44-1
ii  libcrypt1                1:4.4.18-4
ii  libedit2                 3.1-20191231-2+b1
ii  libjansson4              2.13.1-1.1
ii  libpopt0                 1.18-2
ii  libsqlite3-0             3.34.1-3
ii  libssl1.1                1.1.1n-0+deb11u3
ii  libsystemd0              247.3-7
ii  liburiparser1            0.9.4+dfsg-1+deb11u1
ii  libuuid1                 2.36.1-8+deb11u1
ii  libxml2                  2.9.10+dfsg-6.7+deb11u2
ii  libxslt1.1               1.1.34-4+deb11u1
ii  lsb-base                 11.1.0

Versions of packages asterisk recommends:
ii  asterisk-moh-opsound-gsm                         2.03-1.1
ii  asterisk-voicemail [asterisk-voicemail-storage]  1:16.16.1~dfsg-1+deb11u1
ii  sox                                              14.4.2+git20190427-2

Versions of packages asterisk suggests:
pn  asterisk-dahdi   <none>
pn  asterisk-dev     <none>
pn  asterisk-doc     <none>
pn  asterisk-ooh423  <none>
ii  asterisk-opus    13.7+20171009-2
pn  asterisk-vpb     <none>

-- no debconf information
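As an added illustration (not part of the bug report or of Asterisk's own code), a small Python SDP check a defender could run over logged SIP message bodies to flag re-INVITEs of the shape described above, i.e. a T.38 image stream declared with port 0. Both SDP bodies below are constructed samples, not captures from the reporter's system.

```python
import re
from typing import List

# Constructed sample: an SDP body of the kind the report describes, with the
# audio stream kept and the T.38 image stream offered with port 0 (rejected).
REJECTED_T38_REINVITE = """v=0
o=- 1 2 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 5004 RTP/AVP 8
a=rtpmap:8 PCMA/8000
m=image 0 udptl t38
"""

# Constructed sample: a normal T.38 offer with a real port, for comparison.
NORMAL_T38_OFFER = """v=0
o=- 1 2 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=image 4000 udptl t38
a=T38FaxVersion:0
"""

# m=<media> <port>[/<count>] <proto> <fmt ...>  (RFC 4566 media description)
_MEDIA_LINE = re.compile(
    r"^m=(?P<media>\S+)\s+(?P<port>\d+)(?:/\d+)?\s+(?P<proto>\S+)\s*(?P<fmt>.*)$"
)


def parse_media_lines(sdp: str) -> List[dict]:
    """Return one dict per m= line: media type, integer port, transport, formats."""
    out = []
    for line in sdp.splitlines():
        m = _MEDIA_LINE.match(line.strip())
        if m:
            d = m.groupdict()
            d["port"] = int(d["port"])
            d["fmt"] = d["fmt"].split()
            out.append(d)
    return out


def has_rejected_t38_stream(sdp: str) -> bool:
    """True if the SDP carries an image/udptl (T.38) stream with port 0.

    Port 0 means the offerer rejects or disables that stream (RFC 3264); this is
    the re-INVITE shape that crashed unpatched Asterisk (AST-2021-006).
    """
    return any(
        m["media"].lower() == "image" and m["proto"].lower() == "udptl" and m["port"] == 0
        for m in parse_media_lines(sdp)
    )
```

A match is only a trigger signature for the known crash, not proof of malicious intent; the report itself notes ordinary non-T.38-aware phones send this.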



Added tag(s) upstream and fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 25 Aug 2022 19:03:01 GMT)


Marked as fixed in versions asterisk/1:18.9.0~dfsg+~cs6.10.40431411-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 25 Aug 2022 19:03:06 GMT)


Marked Bug as done. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 25 Aug 2022 19:03:07 GMT)


Notification sent to Benoit Panizzon <panizzon@woody.ch>:
Bug acknowledged by developer. (Thu, 25 Aug 2022 19:03:08 GMT)


Message sent on to Benoit Panizzon <panizzon@woody.ch>:
Bug#1018073. (Thu, 25 Aug 2022 19:03:16 GMT)


Message #16 received at 1018073-submitter@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: control@bugs.debian.org
Cc: 1018073-submitter@bugs.debian.org
Subject: closing 1018073
Date: Thu, 25 Aug 2022 21:02:11 +0200
close 1018073 1:18.9.0~dfsg+~cs6.10.40431411-1
thanks




Marked as found in versions asterisk/1:16.16.1~dfsg-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 25 Aug 2022 19:09:07 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#1018073; Package asterisk. (Thu, 25 Aug 2022 19:15:11 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Thu, 25 Aug 2022 19:15:11 GMT)


Message #23 received at 1018073@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Benoit Panizzon <panizzon@woody.ch>, 1018073@bugs.debian.org
Subject: Re: Bug#1018073: asterisk: CVE-2019-15297 AST-2021-006 crash when receiving m=image 0 udptl t38 re-invite fixed in 16.16.2
Date: Thu, 25 Aug 2022 21:12:01 +0200
Hi

I'm not sure it makes sense that CVE-2019-15297 was used both for
AST-2019-004 and AST-2021-006. I asked the MITRE CNA to see if there is a
reason not to assign a new CVE for AST-2021-006.

I suspect many have otherwise missed the update through AST-2021-006
because they had already tracked CVE-2019-15297 / AST-2019-004 and
updated packages accordingly (which happened in Debian with the
1:16.10.0~dfsg-1 and 1:16.2.1~dfsg-1+deb10u2 updates).

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#1018073; Package asterisk. (Fri, 26 Aug 2022 07:39:02 GMT)


Acknowledgement sent to Benoît Panizzon <panizzon@woody.ch>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Fri, 26 Aug 2022 07:39:02 GMT)


Message #28 received at 1018073@bugs.debian.org:

From: Benoît Panizzon <panizzon@woody.ch>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 1018073@bugs.debian.org
Subject: Re: Bug#1018073: asterisk: CVE-2019-15297 AST-2021-006 crash when receiving m=image 0 udptl t38 re-invite fixed in 16.16.2
Date: Fri, 26 Aug 2022 09:28:01 +0200
Hi Salvatore

> I'm not sure it makes sense that CVE-2019-15297 was used both for
> AST-2019-004 and AST-2021-006. I asked the MITRE CNA to see if there is a
> reason not to assign a new CVE for AST-2021-006.
> 
> I suspect many have otherwise missed the update through AST-2021-006
> because they had already tracked CVE-2019-15297 / AST-2019-004 and
> updated packages accordingly (which happened in Debian with the
> 1:16.10.0~dfsg-1 and 1:16.2.1~dfsg-1+deb10u2 updates).

Thank you for looking into the issue. You closed the bug. I'm not sure
what this now means, as the issue is present in the actual Debian
'stable' version of Asterisk and can be exploited by a caller.

So is there going to be a security update for that issue?

-Benoît-



Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#1018073; Package asterisk. (Fri, 26 Aug 2022 07:54:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Fri, 26 Aug 2022 07:54:04 GMT)


Message #33 received at 1018073@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Benoît Panizzon <panizzon@woody.ch>
Cc: 1018073@bugs.debian.org
Subject: Re: Bug#1018073: asterisk: CVE-2019-15297 AST-2021-006 crash when receiving m=image 0 udptl t38 re-invite fixed in 16.16.2
Date: Fri, 26 Aug 2022 09:51:33 +0200
Hi Benoit,

On Fri, Aug 26, 2022 at 09:28:01AM +0200, Benoît Panizzon wrote:
> Hi Salvatore
> 
> > I'm not sure it makes sense that CVE-2019-15297 was used both for
> > AST-2019-004 and AST-2021-006. I asked the MITRE CNA to see if there is a
> > reason not to assign a new CVE for AST-2021-006.
> > 
> > I suspect many have otherwise missed the update through AST-2021-006
> > because they had already tracked CVE-2019-15297 / AST-2019-004 and
> > updated packages accordingly (which happened in Debian with the
> > 1:16.10.0~dfsg-1 and 1:16.2.1~dfsg-1+deb10u2 updates).
> 
> Thank you for looking into the issue. You closed the bug. I'm not sure
> what this now means, as the issue is present in the actual Debian
> 'stable' version of Asterisk and can be exploited by a caller.

This is not a problem: the BTS has version tracking, and the bug is closed
in a specific upper version containing the fix. The Debian BTS can then
close a bug in multiple versions, e.g. when it gets fixed as well in
stable.

https://bugs.debian.org/cgi-bin/version.cgi?collapse=1;absolute=0;fixed=asterisk%2F1%3A18.9.0~dfsg%2B~cs6.10.40431411-1;info=1;package=asterisk;found=asterisk%2F1%3A16.16.1~dfsg-1%2Bdeb11u1;found=asterisk%2F1%3A16.16.1~dfsg-1

> So is there going to be a security update for that issue?

We have asterisk on the so-called dsa-needed list, meaning the aim is
to have a security update for asterisk for bullseye:

https://salsa.debian.org/security-tracker-team/security-tracker/-/blob/master/data/dsa-needed.txt

Regards,
Salvatore



Changed Bug title to 'asterisk: CVE-2021-46837 AST-2021-006 crash when receiving m=image 0 udptl t38 re-invite fixed in 16.16.2' from 'asterisk: CVE-2019-15297 AST-2021-006 crash when receiving m=image 0 udptl t38 re-invite fixed in 16.16.2'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 30 Aug 2022 07:30:02 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Aug 30 13:19:09 2022; Machine Name: buxtehude
