Sangoma · Asterisk · CVE-2017-17850
**Name of the Vulnerable Software and Affected Versions**
Asterisk versions 13.18.4 and older
Asterisk versions 14.7.4 and older
Asterisk versions 15.1.4 and older
Asterisk versions 13.18-cert1 and older
**Description**
An issue was discovered where certain SIP messages can cause Asterisk to crash if the Contact header is not present and the PJSIP channel driver is used. The severity of this issue is somewhat mitigated if authentication is enabled, because a user would have to be authorized before reaching the point where the crash occurs.
**Recommendations**
For Asterisk versions 13.18.4 and older, consider disabling the PJSIP channel driver until a patch is available.
For Asterisk versions 14.7.4 and older, consider disabling the PJSIP channel driver until a patch is available.
For Asterisk versions 15.1.4 and older, consider disabling the PJSIP channel driver until a patch is available.
For Asterisk versions 13.18-cert1 and older, consider disabling the PJSIP channel driver until a patch is available.
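To find which installations the recommendations above apply to, the following added example (not part of the advisory or of Asterisk) classifies version strings against the affected-versions list. Assumptions: the `Asterisk <version>` and `certified/<version>` input formats, "and older" read as older releases within the same major branch, and the host names and versions in the constructed inventory.

```python
import re

# Upper bounds copied from the advisory's affected-versions list.
# Assumption: "and older" means older releases of the same major branch.
STANDARD_BOUNDS = {13: (13, 18, 4), 14: (14, 7, 4), 15: (15, 1, 4)}
CERTIFIED_BOUNDS = {13: (13, 18, 1)}  # 13.18-cert1
_CERTIFIED = re.compile(r"^(\d+)\.(\d+)-cert(\d+)$")
_STANDARD = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")

def parse_version(text):
    """Return (bounds_table, version_tuple), or None if unrecognised."""
    # Assumed input: bare version, or prefixed "Asterisk " / "certified/".
    v = re.sub(r"^Asterisk\s+", "", text.strip())
    v = re.sub(r"^certified/", "", v)
    for pattern, bounds in ((_CERTIFIED, CERTIFIED_BOUNDS),
                            (_STANDARD, STANDARD_BOUNDS)):
        m = pattern.match(v)
        if m:
            return bounds, tuple(int(x or 0) for x in m.groups())
    return None  # e.g. release candidates or locally patched builds

def classify(text):
    """Map a version string to one of four triage labels."""
    parsed = parse_version(text)
    if parsed is None:
        return "unparsed"
    bounds, version = parsed
    bound = bounds.get(version[0])
    if bound is None:
        return "branch-not-listed"
    return "affected" if version <= bound else "newer-than-listed"

def affected_hosts(inventory):
    """Return sorted host names whose version falls in the advisory's list."""
    return sorted(h for h, v in inventory.items() if classify(v) == "affected")

# Constructed inventory: host names and versions are illustrative only.
INVENTORY = {
    "pbx-a": "Asterisk 13.18.4",
    "pbx-b": "Asterisk certified/13.13-cert9",
    "pbx-c": "Asterisk 15.2.0",
    "pbx-d": "Asterisk 11.25.3",
}

if __name__ == "__main__":
    for host in affected_hosts(INVENTORY):
        print(host, "-> consider disabling the PJSIP channel driver")
```

The `newer-than-listed` label only means the version is above the advisory's bound; the advisory itself does not name fixed releases.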