Andreas Steinmetz

**Name of the Vulnerable Software and Affected Versions** Asterisk Open Source versions 1.8.x through 1.8.31, 11.x through 11.13, 12.x through 12.6, and 13.x through 13.0.0 Asterisk Open Source version 1.8.28-cert2 and earlier Asterisk Open Source version 11.6-cert7 and earlier Certified Asterisk versions 1.8.28 through 1.8.28-cert2 and 11.6 through 11.6-cert7 **Description** The issue allows remote attackers to bypass ACL restrictions via a packet with a source IP that does not share the address family as the first ACL entry, affecting the VoIP channel drivers, DUNDi, and Asterisk Manager Interface (AMI). **Recommendations** For Asterisk Open Source versions 1.8.x through 1.8.31, update to version 1.8.32.1 or later. For Asterisk Open Source versions 11.x through 11.13, update to version 11.14.1 or later. For Asterisk Open Source versions 12.x through 12.6, update to version 12.7.1 or later. For Asterisk Open Source versions 13.x through 13.0.0, update to version 13.0.1 or later. For Certified Asterisk versions 1.8.28 through 1.8.28-cert2, update to version 1.8.28-cert3 or later. For Certified Asterisk versions 11.6 through 11.6-cert7, update to version 11.6-cert8 or later.