Published: 18/02/2021 Updated: 24/02/2021

CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10

CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9

VMScore: 445

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

An issue exists in Sangoma Asterisk 16.x prior to 16.16.1, 17.x prior to 17.9.2, and 18.x prior to 18.2.1 and Certified Asterisk prior to 16.8-cert6. When re-negotiating for T.38, if the initial remote response was delayed just enough, Asterisk would send both audio and T.38 in the SDP. If this happened, and the remote responded with a declined T.38 stream, then Asterisk would crash.

Vulnerable Product	Search on Vulmon	Subscribe to Product
digium asterisk
digium certified asterisk 16.8

Debian Bug report logs - #983157 asterisk: CVE-2021-26717 Package: src:asterisk; Maintainer for src:asterisk is Debian VoIP Team <pkg-voip-maintainers@listsaliothdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Sat, 20 Feb 2021 06:36:02 UTC Severity: important Tags: security, upstream Found ...

Full Disclosure mailing list archives   By Date By Thread </form>    AST-2021-002: Remote crash possible when negotiating T38   From: ...

NVD-CWE-noinfo http://packetstormsecurity.com/files/161471/Asterisk-Project-Security-Advisory-AST-2021-002.html http://seclists.org/fulldisclosure/2021/Feb/58 https://downloads.asterisk.org/pub/security/https://downloads.asterisk.org/pub/security/AST-2021-002.html https://issues.asterisk.org/jira/browse/ASTERISK-29203 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=983157 https://nvd.nist.gov

CVE-2021-26717

Vulnerability Summary

Vulnerability Trend

Vendor Advisories

Mailing Lists

References

Vulmon Search

About

Products

Connect