Certified Asterisk

Do you want an email whenever new security vulnerabilities are reported in Certified Asterisk?

By the Year

In 2024 there have been 0 vulnerabilities in Certified Asterisk . Certified Asterisk did not have any published security vulnerabilities last year.

Year	Vulnerabilities	Average Score
2024	0	0.00
2023	0	0.00
2022	3	8.47
2021	1	9.80
2020	1	6.50
2019	0	0.00
2018	0	0.00

It may take a day or so for new Certified Asterisk vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Certified Asterisk Security Vulnerabilities

res_pjsip_t38 in Sangoma Asterisk 16.x before 16.16.2, 17.x before 17.9.3, and 18.x before 18.2.2, and Certified Asterisk before 16.8-cert7

CVE-2021-46837 6.5 - Medium - August 30, 2022

res_pjsip_t38 in Sangoma Asterisk 16.x before 16.16.2, 17.x before 17.9.3, and 18.x before 18.2.2, and Certified Asterisk before 16.8-cert7, allows an attacker to trigger a crash by sending an m=image line and zero port in a response to a T.38 re-invite initiated by Asterisk. This is a re-occurrence of the CVE-2019-15297 symptoms but not for exactly the same reason. The crash occurs because there is an append operation relative to the active topology, but this should instead be a replace operation.

NULL Pointer Dereference

PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP

CVE-2022-23608 9.8 - Critical - February 22, 2022

PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In versions up to and including 2.11.1 when in a dialog set (or forking) scenario, a hash key shared by multiple UAC dialogs can potentially be prematurely freed when one of the dialogs is destroyed . The issue may cause a dialog set to be registered in the hash table multiple times (with different hash keys) leading to undefined behavior such as dialog list collision which eventually leading to endless loop. A patch is available in commit db3235953baa56d2fb0e276ca510fefca751643f which will be included in the next release. There are no known workarounds for this issue.

Dangling pointer

PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP

CVE-2022-21723 9.1 - Critical - January 27, 2022

PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In versions 2.11.1 and prior, parsing an incoming SIP message that contains a malformed multipart can potentially cause out-of-bound read access. This issue affects all PJSIP users that accept SIP multipart. The patch is available as commit in the `master` branch. There are no known workarounds.

Out-of-bounds Read

PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP

CVE-2021-37706 9.8 - Critical - December 22, 2021

PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In affected versions if the incoming STUN message contains an ERROR-CODE attribute, the header length is not checked before performing a subtraction operation, potentially resulting in an integer underflow scenario. This issue affects all users that use STUN. A malicious actor located within the victims network may forge and send a specially crafted UDP (STUN) message that could remotely execute arbitrary code on the victims machine. Users are advised to upgrade as soon as possible. There are no known workarounds.

Integer underflow

An issue was discovered in Asterisk Open Source 13.x before 13.37.1

CVE-2020-28242 6.5 - Medium - November 06, 2020

An issue was discovered in Asterisk Open Source 13.x before 13.37.1, 16.x before 16.14.1, 17.x before 17.8.1, and 18.x before 18.0.1 and Certified Asterisk before 16.8-cert5. If Asterisk is challenged on an outbound INVITE and the nonce is changed in each response, Asterisk will continually send INVITEs in a loop. This causes Asterisk to consume more and more memory since the transaction will never terminate (even if the call is hung up), ultimately leading to a restart or shutdown of Asterisk. Outbound authentication must be configured on the endpoint for this to occur.

Stack Exhaustion

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Debian Linux or by Asterisk? Click the Watch button to subscribe.

Asterisk
Vendor

Certified Asterisk
Product

Certified Asterisk

By the Year

Recent Certified Asterisk Security Vulnerabilities

res_pjsip_t38 in Sangoma Asterisk 16.x before 16.16.2, 17.x before 17.9.3, and 18.x before 18.2.2, and Certified Asterisk before 16.8-cert7 CVE-2021-46837 6.5 - Medium - August 30, 2022

PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP CVE-2022-23608 9.8 - Critical - February 22, 2022

PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP CVE-2022-21723 9.1 - Critical - January 27, 2022

PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP CVE-2021-37706 9.8 - Critical - December 22, 2021

An issue was discovered in Asterisk Open Source 13.x before 13.37.1 CVE-2020-28242 6.5 - Medium - November 06, 2020