Vulnerability CVE-2016-9938


Published: 2016-12-12

Description:
An issue was discovered in Asterisk Open Source 11.x before 11.25.1, 13.x before 13.13.1, and 14.x before 14.2.1 and Certified Asterisk 11.x before 11.6-cert16 and 13.x before 13.8-cert4. The chan_sip channel driver has a liberal definition for whitespace when attempting to strip the content between a SIP header name and a colon character. Rather than following RFC 3261 and stripping only spaces and horizontal tabs, Asterisk treats any non-printable ASCII character as if it were whitespace. This means that headers such as Contact\x01: will be seen as a valid Contact header. This mostly does not pose a problem until Asterisk is placed in tandem with an authenticating SIP proxy. In such a case, a crafty combination of valid and invalid To headers can cause a proxy to allow an INVITE request into Asterisk without authentication since it believes the request is an in-dialog request. However, because of the bug described above, the request will look like an out-of-dialog request to Asterisk. Asterisk will then process the request as a new call. The result is that Asterisk can process calls from unvetted sources without any authentication. If you do not use a proxy for authentication, then this issue does not affect you. If your proxy is dialog-aware (meaning that the proxy keeps track of what dialogs are currently valid), then this issue does not affect you. If you use chan_pjsip instead of chan_sip, then this issue does not affect you.
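The two whitespace rules described above can be compared directly. The following is an added example, not code from the advisory or from Asterisk; the function names, the `< 33` cut-off used to model "non-printable ASCII", and the sample header lines are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* RFC 3261 allows only SP and HTAB between a header name and the colon. */
static int is_lws_strict(unsigned char c) { return c == ' ' || c == '\t'; }

/* Liberal rule described in the advisory, modelled here (assumption) as:
 * any byte below 0x21 is treated like whitespace. */
static int is_lws_liberal(unsigned char c) { return c < 33; }

/* Return 1 if `line` is header `name`: the name (case-insensitive),
 * optional "whitespace" as defined by `is_ws`, then ':'. */
static int header_is(const char *line, const char *name,
                     int (*is_ws)(unsigned char))
{
    size_t n = strlen(name);
    if (strncasecmp(line, name, n) != 0)
        return 0;
    const unsigned char *p = (const unsigned char *)line + n;
    while (*p && is_ws(*p))
        p++;
    return *p == ':';
}

/* Defensive check: 1 if the two rules disagree, i.e. a strict RFC 3261
 * parser and a liberal one would see different headers in this line. */
static int header_is_ambiguous(const char *line, const char *name)
{
    return header_is(line, name, is_lws_liberal) &&
           !header_is(line, name, is_lws_strict);
}

int main(void)
{
    /* Constructed sample header lines, not captured traffic. */
    const char *samples[] = {
        "Contact: <sip:alice@example.com>",
        "Contact \t: <sip:alice@example.com>",
        "Contact\x01: <sip:alice@example.com>",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %zu: strict=%d liberal=%d ambiguous=%d\n", i,
               header_is(samples[i], "Contact", is_lws_strict),
               header_is(samples[i], "Contact", is_lws_liberal),
               header_is_ambiguous(samples[i], "Contact"));
    return 0;
}
```

A line for which `header_is_ambiguous` returns 1 is one that a strict front-end proxy and a liberal back end would interpret differently, which makes it a useful condition to reject or alert on at the proxy.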

Vendor: Asterisk
Product: Open source 
Version:
14.2.0
14.1.2
14.1.1
14.1.0
14.0.2
14.0.1
14.0.0
13.9.1
13.9.0
13.8.2
13.8.1
13.8.0
13.7.2
13.7.1
13.7.0
13.6.0
13.5.0
13.4.0
13.3.2
13.3.1
13.3.0
13.2.1
13.2.0
13.13.0
13.12.2
13.12.1
13.12.0
13.11.2
13.11.1
13.11.0
13.10.0
13.1.1
13.1.0
13.0.2
13.0.1
13.0.0
11.9.0
11.8.1
11.8.0
11.7.0
11.6.1
11.6.0
11.5.1
11.5.0
11.4.0
11.3.0
11.25.0
11.24.1
See more versions on NVD
Vendor: Digium
Product: Asterisk 
Version:
14.2.0
14.1.2
14.1.1
14.1.0
14.0.2
14.0.1
14.0.0
13.9.1
13.9.0
13.8.2
13.8.1
13.8.0
13.7.2
13.7.1
13.7.0
13.6.0
13.5.0
13.4.0
13.3.2
13.3.1
13.3.0
13.2.1
13.2.0
13.13.0
13.12.2
13.12.1
13.12.0
13.11.2
13.11.1
13.11.0
13.10.0
13.1.1
13.1.0
13.0.2
13.0.1
13.0.0
11.9.0
11.8.1
11.8.0
11.7.0
11.6.1
11.6.0
11.5.1
11.5.0
11.4.0
11.3.0
11.25.0
See more versions on NVD
Product: Certified asterisk 
Version:
11.6.0
11.6
11.5.0
11.4.0
11.3.0
See more versions on NVD

CVSS2 => (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

References:
http://downloads.asterisk.org/pub/security/AST-2016-009.html
http://www.securityfocus.com/bid/94789
http://www.securitytracker.com/id/1037408

Related CVE
CVE-2019-12827
Buffer overflow in res_pjsip_messaging in Digium Asterisk versions 13.21-cert3, 13.27.0, 15.7.2, 16.4.0 and earlier allows remote authenticated users to crash Asterisk by sending a specially crafted SIP MESSAGE message.
CVE-2016-7550
asterisk 13.10.0 is affected by: denial of service issues in asterisk. The impact is: cause a denial of service (remote).
CVE-2019-7251
An Integer Signedness issue (for a return code) in the res_pjsip_sdp_rtp module in Digium Asterisk versions 15.7.1 and earlier and 16.1.1 and earlier allows remote authenticated users to crash Asterisk via a specially crafted SDP protocol violation.
CVE-2018-19278
Buffer overflow in DNS SRV and NAPTR lookups in Digium Asterisk 15.x before 15.6.2 and 16.x before 16.0.1 allows remote attackers to crash Asterisk via a specially crafted DNS SRV or NAPTR response, because a buffer size is supposed to match an expan...
CVE-2018-17281
There is a stack consumption vulnerability in the res_http_websocket.so module of Asterisk through 13.23.0, 14.7.x through 14.7.7, and 15.x through 15.6.0 and Certified Asterisk through 13.21-cert2. It allows an attacker to crash Asterisk via a speci...
CVE-2018-12227
An issue was discovered in Asterisk Open Source 13.x before 13.21.1, 14.x before 14.7.7, and 15.x before 15.4.1 and Certified Asterisk 13.18-cert before 13.18-cert4 and 13.21-cert before 13.21-cert2. When endpoint specific ACL rules block a SIP reque...
CVE-2018-7287
An issue was discovered in res_http_websocket.c in Asterisk 15.x through 15.2.1. If the HTTP server is enabled (default is disabled), WebSocket payloads of size 0 are mishandled (with a busy loop).
CVE-2018-7286
An issue was discovered in Asterisk through 13.19.1, 14.x through 14.7.5, and 15.x through 15.2.1, and Certified Asterisk through 13.18-cert2. res_pjsip allows remote authenticated users to crash Asterisk (segmentation fault) by sending a number of S...

Copyright 2019, cxsecurity.com

 
