Asterisk PJSIP Remote DoS Vulnerability (AST-2021-005)

Vulnerability Summary Product: Asterisk Vulnerability Type: Remote Crash Vulnerability (PJSIP Channel Driver) Impact: Denial of Service Vulnerability Type: Remote Unauthenticated Session Severity: Medium Known Exploits: None Report Date: December 4, 2020 Reporter: Mauri de Souza Meneguzzo (3CPlus) Release Date: February 8, 2021 Last Updated: February 8, 2021 Description When Asterisk initiates an outbound call to a remote SIP server, a crash may occur. The SDP negotiation code incorrectly assumes that SDP negotiation always succeeds in SIP responses, which can lead to a crash. Affected Modules res_pjsip_session.c PJSIP Solution This issue has been fixed in PJSIP by modifying the behavior of the function. The vulnerability can only be resolved by upgrading to a fixed version or applying the provided patches. Affected Versions Asterisk Open Source: All versions of 13.x, 16.x, 17.x, 18.x Certified Asterisk: All versions of 16.x Fixed Versions Asterisk Open Source: 13.38.2, 16.16.1, 17.9.2, 18.2.1 Certified Asterisk: 16.8-cert6 Patch Links https://downloads.asterisk.org/pub/security/AST-2021-005-13.diff https://downloads.asterisk.org/pub/security/AST-2021-005-16.diff https://downloads.asterisk.org/pub/security/AST-2021-005-17.diff https://downloads.asterisk.org/pub/security/AST-2021-005-18.diff https://downloads.asterisk.org/pub/security/AST-2021-005-16.8.diff

Goal Reached Thanks to every supporter — we hit 100%!

Asterisk PJSIP Remote DoS Vulnerability (AST-2021-005)