===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0802
                  AST-2021-006 : Asterisk Security Update
                               5 March 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Asterisk
Publisher:         Asterisk
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Denial of Service -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-15297

Reference:         ESB-2019.3388

Original Bulletin: 
   http://downloads.asterisk.org/pub/security/AST-2021-006.html

--------------------------BEGIN INCLUDED TEXT--------------------

Asterisk Project Security Advisory - AST-2021-006

       Product         Asterisk
       Summary         Crash when negotiating T.38 with a zero port
 Nature of Advisory    Remote Crash
   Susceptibility      Remote Authenticated Sessions
      Severity         Minor
   Exploits Known      No
     Reported On       February 20, 2021
     Reported By       Gregory Massel
      Posted On        March 4, 2021
   Last Updated On     March 4, 2021
  Advisory Contact     bford AT sangoma DOT com
      CVE Name         CVE-2019-15297
     Description       When Asterisk sends a re-invite initiating T.38 faxing and the endpoint
                       responds with a m=image line and zero port, a crash will occur in Asterisk.
                       This is a reoccurrence of AST-2019-004.
  Modules Affected     res_pjsip_t38.c
     Resolution        If T.38 faxing is not required then setting t38_udptl on the endpoint to
                       no disables this functionality. This option is no by default.
                       If T.38 faxing is required, then Asterisk should be upgraded to a fixed
                       version.
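As an added example (not code from the advisory or the Asterisk project), the following Python flags the answer shape described above, an m=image line carrying port 0, in an SDP body, and lists the pjsip endpoints that are exposed because t38_udptl is set to yes. The SDP answer, the pjsip.conf fragment and the endpoint names are constructed for the example.

```python
"""Added example, not from the advisory or the Asterisk project: flag the
AST-2021-006 trigger shape in an SDP answer and audit which pjsip endpoints
are exposed because t38_udptl is enabled."""
import configparser
import io

# Constructed SDP answer: the far end declines T.38 by answering the m=image
# line with port 0 (RFC 3264 stream rejection), the shape the advisory names.
SAMPLE_SDP_ANSWER = """v=0
o=- 1 1 IN IP4 198.51.100.20
c=IN IP4 198.51.100.20
m=audio 0 RTP/AVP 0
m=image 0 udptl t38
"""

# Constructed pjsip.conf fragment; endpoint names are hypothetical.
SAMPLE_PJSIP_CONF = """[fax-gateway]
type=endpoint
t38_udptl=yes

[desk-phone-101]
type=endpoint

[trunk-aor]
type=aor
"""

def zero_port_image_lines(sdp: str) -> list:
    """Return every m=image line in an SDP body whose port is 0."""
    hits = []
    for raw in sdp.splitlines():
        line = raw.strip()
        if not line.startswith("m="):
            continue
        fields = line[2:].split()  # m=<media> <port>[/<count>] <proto> <fmt>...
        if len(fields) < 3 or fields[0] != "image":
            continue
        port = fields[1].split("/")[0]
        if port.isdigit() and int(port) == 0:
            hits.append(line)
    return hits

def t38_enabled_endpoints(conf_text: str) -> list:
    """Return names of type=endpoint sections that set t38_udptl=yes."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_file(io.StringIO(conf_text))
    return sorted(s for s in cp.sections()
                  if cp.get(s, "type", fallback="") == "endpoint"
                  and cp.get(s, "t38_udptl", fallback="no").lower() == "yes")
```

Run zero_port_image_lines over SDP bodies captured from SIP traces to see whether peers send this answer shape, and t38_enabled_endpoints over the live pjsip.conf to decide which endpoints need the upgrade rather than the t38_udptl=no workaround.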


                          Affected Versions
              Product                  Release Series     Version

       Asterisk Open Source             16.x               16.16.1
       Asterisk Open Source             17.x               17.9.2
       Asterisk Open Source             18.x               18.2.1
       Certified Asterisk               16.x               16.8-cert6


                           Corrected In
              Product                  Release

       Asterisk Open Source             16.16.2, 17.9.3, 18.2.2
       Certified Asterisk               16.8-cert7



                                Patches
                    Patch URL                                          Revision

       https://downloads.digium.com/pub/security/AST-2021-006-16.diff     Asterisk 16
       https://downloads.digium.com/pub/security/AST-2021-006-17.diff     Asterisk 17
       https://downloads.digium.com/pub/security/AST-2021-006-18.diff     Asterisk 18
       https://downloads.digium.com/pub/security/AST-2021-006-16.8.diff   Certified Asterisk 16.8



Links
https://issues.asterisk.org/jira/browse/ASTERISK-29203
https://downloads.asterisk.org/pub/security/AST-2021-006.html


Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version
will be posted at https://downloads.digium.com/pub/security/AST-2021-006.pdf
and https://downloads.digium.com/pub/security/AST-2021-006.html


                               Revision History
       Date                   Editor                  Revisions Made

February 25, 2021    Ben Ford                   Initial revision
March 4, 2021        Ben Ford                   Added posted on date


               Asterisk Project Security Advisory - AST-2021-006
           Copyright (C) 02/25/2021 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================