Denial of Service Vulnerability in Sangoma Asterisk Software
CVE-2021-46837

6.5 MEDIUM

Key Information:

Vendor
Asterisk
CVE Published:
30 August 2022

Summary

Sangoma Asterisk versions prior to 16.16.2, 17.9.3, and 18.2.2 are susceptible to a denial of service vulnerability in the res_pjsip_t38 component. An attacker can crash Asterisk by answering a T.38 re-invite initiated by the Asterisk system with a specially crafted m=image line that carries a zero port. This vulnerability revisits the issues discovered in CVE-2019-15297 but is triggered under different conditions. The crash stems from improper handling of the active media topology: the m=image stream is appended to the topology where it should instead replace the existing entry, and that mishandling leads to the instability.

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
