
CVE-2019-13161

Published: 12/07/2019 Updated: 13/07/2019

Vulnerability Summary

An issue exists in Asterisk Open Source up to and including 13.27.0, 14.x and 15.x up to and including 15.7.2, and 16.x up to and including 16.4.0, and Certified Asterisk up to and including 13.21-cert3. A pointer dereference in chan_sip during SDP negotiation allows a malicious user to crash Asterisk when it handles an SDP answer to an outgoing T.38 re-invite. To exploit this vulnerability, an attacker must cause the chan_sip module to send a T.38 re-invite request to them. Upon receipt, the attacker must send an SDP answer containing both a T.38 UDPTL stream and another media stream containing only a codec (which is not permitted according to the chan_sip configuration).
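For detection on unpatched systems, the SDP shape described above can be checked in SIP message bodies pulled from logs or captures. The following is an added example, not code from the advisory or from Asterisk; the function names, the allowed payload-type set, the sample SDP bodies, and the treatment of port 0 as an inactive stream are assumptions.

```python
# Assumption: static RTP payload types the local chan_sip config permits
# (0 = PCMU, 8 = PCMA); mirror the real allow= list here.
ALLOWED_PAYLOAD_TYPES = {"0", "8"}

# Constructed sample SDP answers (documentation addresses, not captured traffic).
_HEAD = "v=0\r\no=- 1 1 IN IP4 192.0.2.10\r\ns=-\r\nc=IN IP4 192.0.2.10\r\nt=0 0\r\n"
T38_ONLY = _HEAD + "m=image 4000 udptl t38\r\na=T38FaxVersion:0\r\n"
T38_PLUS_DISALLOWED = T38_ONLY + "m=audio 4002 RTP/AVP 18\r\na=rtpmap:18 G729/8000\r\n"
T38_PLUS_ALLOWED = T38_ONLY + "m=audio 4002 RTP/AVP 0\r\n"


def parse_media_sections(sdp):
    """Return one dict per well-formed m= line: media, port, proto, formats."""
    sections = []
    for line in sdp.replace("\r\n", "\n").split("\n"):
        if not line.startswith("m="):
            continue
        parts = line[2:].split()
        if len(parts) < 4:
            continue  # malformed m= line: skip it rather than fail
        port = parts[1].split("/")[0]  # "4000/2" carries a port count
        sections.append({
            "media": parts[0].lower(),
            "port": int(port) if port.isdigit() else 0,
            "proto": parts[2].lower(),
            "formats": parts[3:],
        })
    return sections


def flag_t38_answer(sdp, allowed=ALLOWED_PAYLOAD_TYPES):
    """True when an SDP answer carries an active T.38 UDPTL stream together
    with another active stream offering no codec from the allowed set."""
    # Assumption: a stream with port 0 is rejected and treated as inactive.
    active = [s for s in parse_media_sections(sdp) if s["port"] != 0]
    has_t38 = any(
        s["media"] == "image" and s["proto"] == "udptl"
        and "t38" in (f.lower() for f in s["formats"])
        for s in active
    )
    others = [s for s in active if s["proto"] != "udptl"]
    disallowed_only = any(not set(s["formats"]) & set(allowed) for s in others)
    return has_t38 and disallowed_only


if __name__ == "__main__":
    for name in ("T38_ONLY", "T38_PLUS_DISALLOWED", "T38_PLUS_ALLOWED"):
        print(name, flag_t38_answer(globals()[name]))
```

Apply the check to answers received for T.38 re-invites that chan_sip sent; a match indicates the stream combination the summary describes, not a confirmed crash.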

Vendor Advisories

Debian Bug report logs - #931981 asterisk: CVE-2019-13161: AST-2019-003: Remote Crash Vulnerability in chan_sip channel driver Package: asterisk; Maintainer for asterisk is Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>; Source for asterisk is src:asterisk Reported by: Salvatore Bonacco ...
Debian Bug report logs - #931980 asterisk: CVE-2019-12827: AST-2019-002: Remote crash vulnerability with MESSAGE messages Package: asterisk; Maintainer for asterisk is Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>; Source for asterisk is src:asterisk Reported by: Salvatore Bonaccorso & ...

Mailing Lists

Asterisk Project Security Advisory - AST-2019-003 Product Asterisk Summary Remote Crash Vulnerability in chan_sip channel driver Nature of Advisory Denial of Service ...