An issue was discovered in Asterisk Open Source through 13.27.0, 14.x and 15.x through 15.7.2, and 16.x through 16.4.0, and Certified Asterisk through 13.21-cert3. A pointer dereference in chan_sip while handling SDP negotiation allows an attacker to crash Asterisk when handling an SDP answer to an outgoing T.38 re-invite. To exploit this vulnerability an attacker must cause the chan_sip module to send a T.38 re-invite request to them. Upon receipt, the attacker must send an SDP answer containing both a T.38 UDPTL stream and another media stream containing only a codec (which is not permitted according to the chan_sip configuration).

The remote Debian 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-2969 advisory.

  - An issue was discovered in Asterisk Open Source through 13.27.0, 14.x and 15.x through 15.7.2, and 16.x     through 16.4.0, and Certified Asterisk through 13.21-cert3. A pointer dereference in chan_sip while     handling SDP negotiation allows an attacker to crash Asterisk when handling an SDP answer to an outgoing     T.38 re-invite. To exploit this vulnerability an attacker must cause the chan_sip module to send a T.38     re-invite request to them. Upon receipt, the attacker must send an SDP answer containing both a T.38 UDPTL     stream and another media stream containing only a codec (which is not permitted according to the chan_sip     configuration). (CVE-2019-13161)

  - An issue was discovered in manager.c in Sangoma Asterisk through 13.x, 16.x, 17.x and Certified Asterisk     13.21 through 13.21-cert4. A remote authenticated Asterisk Manager Interface (AMI) user without system     authorization could use a specially crafted Originate AMI request to execute arbitrary system commands.
    (CVE-2019-18610)

  - An issue was discovered in channels/chan_sip.c in Sangoma Asterisk 13.x before 13.29.2, 16.x before     16.6.2, and 17.x before 17.0.1, and Certified Asterisk 13.21 before cert5. A SIP request can be sent to     Asterisk that can change a SIP peer's IP address. A REGISTER does not need to occur, and calls can be     hijacked as a result. The only thing that needs to be known is the peer's name; authentication details     such as passwords do not need to be known. This vulnerability is only exploitable when the nat option is     set to the default, or auto_force_rport. (CVE-2019-18790)

  - An issue was discovered in res_pjsip_t38.c in Sangoma Asterisk through 13.x and Certified Asterisk through     13.21-x. If it receives a re-invite initiating T.38 faxing and has a port of 0 and no c line in the SDP, a     NULL pointer dereference and crash will occur. This is different from CVE-2019-18940. (CVE-2019-18976)

  - An issue was discovered in Asterisk Open Source 13.x before 13.37.1, 16.x before 16.14.1, 17.x before     17.8.1, and 18.x before 18.0.1 and Certified Asterisk before 16.8-cert5. If Asterisk is challenged on an     outbound INVITE and the nonce is changed in each response, Asterisk will continually send INVITEs in a     loop. This causes Asterisk to consume more and more memory since the transaction will never terminate     (even if the call is hung up), ultimately leading to a restart or shutdown of Asterisk. Outbound     authentication must be configured on the endpoint for this to occur. (CVE-2020-28242)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Asterisk project reports :

When T.38 faxing is done in Asterisk a T.38 reinvite may be sent to an endpoint to switch it to T.38. If the endpoint responds with an improperly formatted SDP answer including both a T.38 UDPTL stream and an audio or video stream containing only codecs not allowed on the SIP peer or user a crash will occur. The code incorrectly assumes that there will be at least one common codec when T.38 is also in the SDP answer.

ID	Name	Product	Family	Severity
159473	Debian DLA-2969-1 : asterisk - LTS security update	Nessus	Debian Local Security Checks	high
126668	FreeBSD : asterisk -- Remote Crash Vulnerability in chan_sip channel driver (e9d2e981-a46d-11e9-bed9-001999f8d30b)	Nessus	FreeBSD Local Security Checks	medium

Detections

Analytics

CVE-2019-13161

medium

Tenable Plugins

high

medium