ASA-2019-00115 – Asterisk: Remote crash vulnerability with SDP protocol violation


Allele Security Alert

ASA-2019-00115

Identifier(s)

ASA-2019-00115, CVE-2019-7251, AST-2019-001

Title

Remote crash vulnerability with SDP protocol violation

Vendor(s)

Digium, Inc.

Product(s)

Asterisk Open Source

Affected version(s)

Asterisk Open Source 15.x all releases
Asterisk Open Source 16.x all releases

Fixed version(s)

Asterisk Open Source 15.7.2
Asterisk Open Source 16.2.1

Proof of concept

Unknown

Description

When Asterisk makes an outgoing call, a very specific SDP protocol violation by the remote party can cause Asterisk to crash.

Technical details

Unknown

Credits

Sotiris Ganouris

Reference(s)

AST-2019-001: Remote crash vulnerability with SDP protocol violation
https://seclists.org/bugtraq/2019/Feb/50

Asterisk Project Security Advisory – AST-2019-001
https://downloads.asterisk.org/pub/security/AST-2019-001.pdf

Asterisk Project Security Advisory – AST-2019-001
https://downloads.asterisk.org/pub/security/AST-2019-001.html

AST-2019-001-15.diff
http://downloads.asterisk.org/pub/security/AST-2019-001-15.diff

AST-2019-001-16.diff
http://downloads.asterisk.org/pub/security/AST-2019-001-16.diff

Asterisk segfault when rtp negotiation is wrong or fails
https://issues.asterisk.org/jira/browse/ASTERISK-28260

CVE-2019-7251
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7251

CVE-2019-7251
https://nvd.nist.gov/vuln/detail/CVE-2019-7251

If there is any error in this alert, or if you would like a comprehensive analysis, let us know.

Last modified: March 1, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.