Candidate: CVE-2016-9938
PublicDate: 2016-12-12 21:59:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9938
 http://downloads.asterisk.org/pub/security/AST-2016-009.html
 https://issues.asterisk.org/jira/browse/ASTERISK-26433
Description:
 An issue was discovered in Asterisk Open Source 11.x before 11.25.1, 13.x
 before 13.13.1, and 14.x before 14.2.1 and Certified Asterisk 11.x before
 11.6-cert16 and 13.x before 13.8-cert4. The chan_sip channel driver has a
 liberal definition for whitespace when attempting to strip the content
 between a SIP header name and a colon character. Rather than following RFC
 3261 and stripping only spaces and horizontal tabs, Asterisk treats any
 non-printable ASCII character as if it were whitespace. This means that
 headers such as Contact\x01: will be seen as a valid Contact header. This
 mostly does not pose a problem until Asterisk is placed in tandem with an
 authenticating SIP proxy. In such a case, a crafty combination of valid and
 invalid To headers can cause a proxy to allow an INVITE request into
 Asterisk without authentication since it believes the request is an
 in-dialog request. However, because of the bug described above, the request
 will look like an out-of-dialog request to Asterisk. Asterisk will then
 process the request as a new call. The result is that Asterisk can process
 calls from unvetted sources without any authentication. If you do not use a
 proxy for authentication, then this issue does not affect you. If your
 proxy is dialog-aware (meaning that the proxy keeps track of what dialogs
 are currently valid), then this issue does not affect you. If you use
 chan_pjsip instead of chan_sip, then this issue does not affect you.
Ubuntu-Description:
Notes:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=847668
Priority: low
Discovered-by: Walter Doekes
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N [5.3 MEDIUM]

Patches_asterisk:
upstream_asterisk: released (1:13.13.1~dfsg-1)
precise_asterisk: ignored (reached end-of-life)
precise/esm_asterisk: DNE (precise was needed)
trusty_asterisk: ignored (reached end-of-life)
trusty/esm_asterisk: DNE (trusty was needed)
vivid/stable-phone-overlay_asterisk: DNE
vivid/ubuntu-core_asterisk: DNE
xenial_asterisk: ignored (end of standard support, was needed)
yakkety_asterisk: ignored (reached end-of-life)
zesty_asterisk: ignored (reached end-of-life)
artful_asterisk: ignored (reached end-of-life)
bionic_asterisk: not-affected (1:13.13.1~dfsg-1)
cosmic_asterisk: not-affected (1:13.13.1~dfsg-1)
disco_asterisk: not-affected (1:13.13.1~dfsg-1)
eoan_asterisk: not-affected (1:13.13.1~dfsg-1)
focal_asterisk: not-affected (1:13.13.1~dfsg-1)
groovy_asterisk: not-affected (1:13.13.1~dfsg-1)
hirsute_asterisk: not-affected (1:13.13.1~dfsg-1)
impish_asterisk: not-affected (1:13.13.1~dfsg-1)
jammy_asterisk: not-affected (1:13.13.1~dfsg-1)
devel_asterisk: not-affected (1:13.13.1~dfsg-1)