Mark Michelson

**Name of the Vulnerable Software and Affected Versions** Asterisk Open Source versions prior to 12.5.1 **Description** The issue allows remote authenticated users to cause a denial of service (crash) via crafted headers in a SIP SUBSCRIBE request for an event package. This is related to the res pjsip pubsub module. **Recommendations** For versions prior to 12.5.1, update to version 12.5.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the res pjsip pubsub module to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Asterisk Open Source versions prior to 12.3.1 **Description** The issue allows remote attackers to cause a denial of service (deadlock) by terminating a subscription request before it is complete, which triggers a SIP transaction timeout. **Recommendations** For versions prior to 12.3.1, update to version 12.3.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Asterisk Open Source versions prior to 12.1.0 **Description** The issue allows remote authenticated users to cause a denial of service (crash) via a SUBSCRIBE request without any Accept headers, which triggers an invalid pointer dereference in the PJSIP channel driver. **Recommendations** For versions prior to 12.1.0, update to version 12.1.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Asterisk Open Source versions 1.6.0.0 through 1.6.0.24 Asterisk Open Source versions 1.6.1.0 through 1.6.1.16 Asterisk Open Source versions 1.6.2.0 through 1.6.2.4 **Description** The issue is related to the improper enforcement of remote host access controls in the Asterisk Open Source software. Specifically, when CIDR notation "/0" is used in permit= and deny= configuration rules, it causes an improper arithmetic shift. This might allow remote attackers to bypass ACL rules and access services from unauthorized hosts. **Recommendations** For Asterisk Open Source versions 1.6.0.0 through 1.6.0.24, update to version 1.6.0.25 or later. For Asterisk Open Source versions 1.6.1.0 through 1.6.1.16, update to version 1.6.1.17 or later. For Asterisk Open Source versions 1.6.2.0 through 1.6.2.4, update to version 1.6.2.5 or later.

**Name of the Vulnerable Software and Affected Versions** Asterisk Open Source versions 1.4.5 through 1.4.11 **Description** The issue allows remote attackers to cause a denial of service via an e-mail with an invalid/corrupted MIME body, which triggers a crash when the recipient listens to voicemail. This occurs when Asterisk Open Source is configured to use an IMAP voicemail storage backend. **Recommendations** For versions 1.4.5 through 1.4.11, consider disabling the IMAP voicemail storage backend as a temporary workaround until a patch is available. Restrict access to voicemail to minimize the risk of exploitation.