CVE-2016-2316

Name of the Vulnerable Software and Affected Versions Asterisk Open Source versions 1.8.x through 11.21.1, 12.x, and 13.x through 13.7.1 Certified Asterisk versions 1.8.28, 11.6 through 11.6-cert12, and 13.1 through 13.1-cert3

Description The issue is related to the chan sip function in Asterisk Open Source and Certified Asterisk systems, where setting the timert1 value in sip.conf to a value greater than 1245 allows remote attackers to cause a denial of service (file descriptor consumption) via vectors related to large retransmit timeout values.

Recommendations For Asterisk Open Source versions 1.8.x through 11.21.1, update to version 11.21.1 or later. For Asterisk Open Source versions 12.x, update to version 13.7.1 or later. For Asterisk Open Source versions 13.x through 13.7.1, update to version 13.7.1 or later. For Certified Asterisk versions 1.8.28, update to version 11.6-cert12 or later. For Certified Asterisk versions 11.6 through 11.6-cert12, update to version 11.6-cert12 or later. For Certified Asterisk versions 13.1 through 13.1-cert3, update to version 13.1-cert3 or later. As a temporary workaround, consider setting the timert1 value in sip.conf to a value less than or equal to 1245 to prevent exploitation.