Asterisk Security Team
2021-Mar-04 18:19 UTC
[asterisk-users] AST-2021-006: Crash when negotiating T.38 with a zero port
Asterisk Project Security Advisory - AST-2021-006 Product Asterisk Summary Crash when negotiating T.38 with a zero port Nature of Advisory Remote Crash Susceptibility Remote Authenticated Sessions Severity Minor Exploits Known No Reported On February 20, 2021 Reported By Gregory Massel Posted On Last Updated On February 25, 2021 Advisory Contact bford AT sangoma DOT com CVE Name CVE-2019-15297 Description When Asterisk sends a re-invite initiating T.38 faxing and the endpoint responds with a m=image line and zero port, a crash will occur in Asterisk. This is a reoccurrence of AST-2019-004. Modules Affected res_pjsip_t38.c Resolution If T.38 faxing is not required then setting “t38_udptl” on the endpoint to “no” disables this functionality. This option is “no” by default. If T.38 faxing is required, then Asterisk should be upgraded to a fixed version. Affected Versions Product Release Series Asterisk Open Source 16.x 16.16.1 Asterisk Open Source 17.x 17.9.2 Asterisk Open Source 18.x 18.2.1 Certified Asterisk 16.x 16.8-cert6 Corrected In Product Release Asterisk Open Source 16.16.2, 17.9.3, 18.2.2 Certified Asterisk 16.8-cert7 Patches Patch URL Revision https://downloads.digium.com/pub/security/AST-2021-006-16.diff Asterisk 16 https://downloads.digium.com/pub/security/AST-2021-006-17.diff Asterisk 17 https://downloads.digium.com/pub/security/AST-2021-006-18.diff Asterisk 18 https://downloads.digium.com/pub/security/AST-2021-006-16.8.diff Certified Asterisk 16.8 Links https://issues.asterisk.org/jira/browse/ASTERISK-29203 https://downloads.asterisk.org/pub/security/AST-2021-006.html Asterisk Project Security Advisories are posted at http://www.asterisk.org/security This document may be superseded by later versions; if so, the latest version will be posted at https://downloads.digium.com/pub/security/AST-2021-006.pdf and https://downloads.digium.com/pub/security/AST-2021-006.html Revision History Date Editor Revisions Made February 25, 2021 Ben Ford Initial revision Asterisk Project Security Advisory - AST-2021-006 Copyright © 02/25/2021 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.