Jan Juergens

**Name of the Vulnerable Software and Affected Versions** Asterisk Open Source versions 1.8.x through 1.8.23 Asterisk Open Source versions 10.x through 10.12.3 Asterisk Open Source versions 11.x through 11.6.0 Asterisk with Digiumphones versions 10.x-digiumphones through 10.12.3-digiumphones Certified Asterisk versions 1.8.x through 1.8.15-cert3 Certified Asterisk versions 11.x through 11.2-cert2 **Description** The issue is caused by a buffer overflow in the unpacksms16 function in apps/app sms.c, which allows remote attackers to cause a denial of service (daemon crash) via a 16-bit SMS message with an odd number of bytes, triggering an infinite loop. **Recommendations** For Asterisk Open Source versions 1.8.x through 1.8.23, update to version 1.8.24.1 or later. For Asterisk Open Source versions 10.x through 10.12.3, update to version 10.12.4 or later. For Asterisk Open Source versions 11.x through 11.6.0, update to version 11.6.1 or later. For Asterisk with Digiumphones versions 10.x-digiumphones through 10.12.3-digiumphones, update to version 10.12.4-digiumphones or later. For Certified Asterisk versions 1.8.x through 1.8.15-cert3, update to version 1.8.15-cert4 or later. For Certified Asterisk versions 11.x through 11.2-cert2, update to version 11.2-cert3 or later.