Debian 10225 Published by

An asterisk security update has been released for Debian GNU/Linux 9 LTS to address multiple security issues.



DLA 2969-1: asterisk security update



- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2969-1 debian-lts@lists.debian.org
  https://www.debian.org/lts/security/ Abhijith PA
April 03, 2022   https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : asterisk
Version : 1:13.14.1~dfsg-2+deb9u6
CVE ID : CVE-2019-13161 CVE-2019-18610 CVE-2019-18790 CVE-2019-18976
CVE-2020-28242

Multiple security issues were discovered in asterisk, an Open Source
Private Branch Exchange (PBX).

CVE-2019-13161

A pointer dereference in chan_sip while handling SDP negotiation
allows an attacker to crash Asterisk

CVE-2019-18610

A remote authenticated Asterisk Manager Interface (AMI) user
without system authorization could use a specially crafted
Originate AMI request to execute arbitrary system commands

CVE-2019-18790

A SIP request can be sent to Asterisk that can change a SIP peer's
IP address. A REGISTER does not need to occur, and calls can be
hijacked as a result. The only thing that needs to be known is the
peer's name; authentication details such as passwords do not need
to be known. This vulnerability is only exploitable when the nat
option is set to the default, or auto_force_rport.

CVE-2019-18976

A NULL pointer dereference and crash will occur when asterisk
receives a re-invite initiating T.38 faxing and has a port of 0
and no c line in the SDP

CVE-2020-28242

If Asterisk is challenged on an outbound INVITE and the nonce is
changed in each response, Asterisk will continually send INVITEs
in a loop. This causes Asterisk to consume more and more memory
since the transaction will never terminate (even if the call is
hung up), ultimately leading to a restart or shutdown of Asterisk

For Debian 9 stretch, these problems have been fixed in version
1:13.14.1~dfsg-2+deb9u6.

We recommend that you upgrade your asterisk packages.

For the detailed security status of asterisk please refer to
its security tracker page at:
  https://security-tracker.debian.org/tracker/asterisk

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at:   https://wiki.debian.org/LTS