CVE-2016-9938

NameCVE-2016-9938
DescriptionAn issue was discovered in Asterisk Open Source 11.x before 11.25.1, 13.x before 13.13.1, and 14.x before 14.2.1 and Certified Asterisk 11.x before 11.6-cert16 and 13.x before 13.8-cert4. The chan_sip channel driver has a liberal definition for whitespace when attempting to strip the content between a SIP header name and a colon character. Rather than following RFC 3261 and stripping only spaces and horizontal tabs, Asterisk treats any non-printable ASCII character as if it were whitespace. This means that headers such as Contact\x01: will be seen as a valid Contact header. This mostly does not pose a problem until Asterisk is placed in tandem with an authenticating SIP proxy. In such a case, a crafty combination of valid and invalid To headers can cause a proxy to allow an INVITE request into Asterisk without authentication since it believes the request is an in-dialog request. However, because of the bug described above, the request will look like an out-of-dialog request to Asterisk. Asterisk will then process the request as a new call. The result is that Asterisk can process calls from unvetted sources without any authentication. If you do not use a proxy for authentication, then this issue does not affect you. If your proxy is dialog-aware (meaning that the proxy keeps track of what dialogs are currently valid), then this issue does not affect you. If you use chan_pjsip instead of chan_sip, then this issue does not affect you.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium (attack range: remote)
Debian Bugs847668

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
asterisk (PTS)wheezy1:1.8.13.1~dfsg1-3+deb7u3vulnerable
wheezy (security)1:1.8.13.1~dfsg1-3+deb7u6vulnerable
jessie1:11.13.1~dfsg-2+deb8u2fixed
jessie (security)1:11.13.1~dfsg-2+deb8u1vulnerable
buster, sid, stretch1:13.14.1~dfsg-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
asterisksource(unstable)1:13.13.1~dfsg-1medium847668
asterisksourcejessie1:11.13.1~dfsg-2+deb8u2medium

Notes

[wheezy] - asterisk <no-dsa> (Minor issue)
http://downloads.asterisk.org/pub/security/AST-2016-009.html
Only applicable if a proxy is in use.

Search for package or bug name: Reporting problems