PT-2019-5836 · Digium · Asterisk+1

Salah Ahmed · Published 2019-11-22 · Updated 2022-06-03 · CVE-2019-18976

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

Name of the Vulnerable Software and Affected Versions

Asterisk versions prior to 13.21-x
Certified Asterisk versions prior to 13.21-x

Description

The issue is a NULL pointer dereference in the res_pjsip_t38.c component of Asterisk and Certified Asterisk. A remote attacker can exploit it to cause a denial of service. The vulnerability is triggered when the system receives a re-invite for T.38 faxing with a port of 0 and no c line in the SDP.

Recommendations

For Asterisk and Certified Asterisk versions prior to 13.21-x, update to version 13.21-x or later to resolve the issue. As a temporary workaround, consider restricting access to the res_pjsip_t38.c component until a patch is available.
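
The condition named in the description can be checked on SDP bodies seen at a SIP proxy or recovered from a packet trace while unpatched systems remain in service. The following Python check is an added example, not code from Asterisk or from this advisory; the function names and the sample SDP bodies are constructed, and it assumes a T.38 stream appears as an SDP `m=image` section. It inspects the SDP body only and does not decide whether the enclosing message is a re-invite.

```python
# Added example: flag SDP bodies in which a T.38 stream has port 0 and no
# c= line applies to it. Names and samples are constructed for illustration.

def parse_sdp(sdp: str):
    """Split an SDP body into session-level lines and per-media sections."""
    session, media = [], []
    for raw in sdp.replace("\r\n", "\n").split("\n"):
        line = raw.strip()
        if len(line) < 2 or line[1] != "=":
            continue  # skip blank or malformed lines
        if line[0] == "m":
            media.append([line])      # a new media section starts here
        elif media:
            media[-1].append(line)    # belongs to the current media section
        else:
            session.append(line)      # before any m= line: session level
    return session, media


def t38_port0_without_c_line(sdp: str) -> bool:
    """True if an m=image stream has port 0 and neither a session-level
    nor a media-level c= line is present for it."""
    session, media = parse_sdp(sdp)
    session_has_c = any(l.startswith("c=") for l in session)
    for section in media:
        fields = section[0][2:].split()
        if len(fields) < 2 or fields[0].lower() != "image":
            continue                  # assumption: T.38 is carried as m=image
        port = fields[1].split("/")[0]  # "port/count" form is allowed
        media_has_c = any(l.startswith("c=") for l in section[1:])
        if port.isdigit() and int(port) == 0 and not (session_has_c or media_has_c):
            return True
    return False


# Constructed samples (addresses from the documentation range 192.0.2.0/24).
SUSPECT = "v=0\r\no=- 1 2 IN IP4 192.0.2.10\r\ns=-\r\nt=0 0\r\nm=image 0 udptl t38\r\n"
NORMAL = ("v=0\r\no=- 1 2 IN IP4 192.0.2.10\r\ns=-\r\nc=IN IP4 192.0.2.10\r\n"
          "t=0 0\r\nm=image 4000 udptl t38\r\na=T38FaxVersion:0\r\n")
DECLINED = ("v=0\r\no=- 1 2 IN IP4 192.0.2.10\r\ns=-\r\nc=IN IP4 192.0.2.10\r\n"
            "t=0 0\r\nm=image 0 udptl t38\r\n")

if __name__ == "__main__":
    for name, body in (("SUSPECT", SUSPECT), ("NORMAL", NORMAL), ("DECLINED", DECLINED)):
        print(name, t38_port0_without_c_line(body))
```

A port-0 stream with a c line present (the DECLINED sample) is not flagged, since the description names both conditions together.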

Fix

NULL Pointer Dereference

Weakness Enumeration

Related Identifiers

BDU:2021-03298
CVE-2019-18976
DLA-2969-1

Affected Products

Asterisk
Certified Asterisk