CVE-2016-9938
Published: 12 December 2016
An issue was discovered in Asterisk Open Source 11.x before 11.25.1, 13.x before 13.13.1, and 14.x before 14.2.1 and Certified Asterisk 11.x before 11.6-cert16 and 13.x before 13.8-cert4. The chan_sip channel driver has a liberal definition for whitespace when attempting to strip the content between a SIP header name and a colon character. Rather than following RFC 3261 and stripping only spaces and horizontal tabs, Asterisk treats any non-printable ASCII character as if it were whitespace. This means that headers such as Contact\x01: will be seen as a valid Contact header. This mostly does not pose a problem until Asterisk is placed in tandem with an authenticating SIP proxy. In such a case, a crafty combination of valid and invalid To headers can cause a proxy to allow an INVITE request into Asterisk without authentication since it believes the request is an in-dialog request. However, because of the bug described above, the request will look like an out-of-dialog request to Asterisk. Asterisk will then process the request as a new call. The result is that Asterisk can process calls from unvetted sources without any authentication. If you do not use a proxy for authentication, then this issue does not affect you. If your proxy is dialog-aware (meaning that the proxy keeps track of what dialogs are currently valid), then this issue does not affect you. If you use chan_pjsip instead of chan_sip, then this issue does not affect you.
Priority
Status
Package | Release | Status |
---|---|---|
asterisk Launchpad, Ubuntu, Debian |
jammy |
Not vulnerable
(1:13.13.1~dfsg-1)
|
hirsute |
Not vulnerable
(1:13.13.1~dfsg-1)
|
|
xenial |
Needed
|
|
precise |
Ignored
(end of life)
|
|
kinetic |
Not vulnerable
(1:13.13.1~dfsg-1)
|
|
lunar |
Not vulnerable
(1:13.13.1~dfsg-1)
|
|
artful |
Ignored
(end of life)
|
|
bionic |
Not vulnerable
(1:13.13.1~dfsg-1)
|
|
cosmic |
Not vulnerable
(1:13.13.1~dfsg-1)
|
|
disco |
Not vulnerable
(1:13.13.1~dfsg-1)
|
|
eoan |
Not vulnerable
(1:13.13.1~dfsg-1)
|
|
focal |
Not vulnerable
(1:13.13.1~dfsg-1)
|
|
groovy |
Not vulnerable
(1:13.13.1~dfsg-1)
|
|
impish |
Not vulnerable
(1:13.13.1~dfsg-1)
|
|
trusty |
Does not exist
(trusty was needed)
|
|
upstream |
Released
(1:13.13.1~dfsg-1)
|
|
yakkety |
Ignored
(end of life)
|
|
zesty |
Ignored
(end of life)
|
|
mantic |
Not vulnerable
(1:13.13.1~dfsg-1)
|
Severity score breakdown
Parameter | Value |
---|---|
Base score | 5.3 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | None |
Integrity impact | Low |
Availability impact | None |
Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |