ASA-2019-00421 – Asterisk: Remote crash vulnerability with MESSAGE messages


Allele Security Alert

ASA-2019-00421

Identifier(s)

ASA-2019-00421, CVE-2019-13161, AST-2019-002

Title

Remote crash vulnerability with MESSAGE messages

Vendor(s)

Digium, Inc.

Product(s)

Certified Asterisk
Asterisk Open Source

Affected version(s)

Certified Asterisk all releases from version 13.21-cert
Asterisk Open Source all releases from version 13.x
Asterisk Open Source all releases from version 15.x
Asterisk Open Source all releases from version 16.x

Fixed version(s)

Certified Asterisk version 13.21-cert4
Asterisk Open Source version 13.27.1
Asterisk Open Source version 15.7.3
Asterisk Open Source version 16.4.1

Proof of concept

Unknown

Description

A specially crafted SIP in-dialog MESSAGE message can cause Asterisk to crash.

Technical details

Unknown

Credits

Gil Richard

Reference(s)

AST-2019-002
https://downloads.asterisk.org/pub/security/AST-2019-002.html

res_pjsip_messaging: In-dialog MESSAGE with no body causes crash
https://issues.asterisk.org/jira/browse/ASTERISK-28447

11558: res_pjsip_messaging: Check for body in in-dialog message
https://gerrit.asterisk.org/c/asterisk/+/11558

CVE-2019-13161
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13161

CVE-2019-13161
https://nvd.nist.gov/vuln/detail/CVE-2019-13161

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: September 23, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.