CVE-2016-9937

Name of the Vulnerable Software and Affected Versions Asterisk Open Source versions 13.12.x through 13.13.0 Asterisk Open Source versions 14.x through 14.2.0

Description An issue was discovered where the code responsible for parsing SDP offers or answers with the Opus codec and format parameters separated by spaces will recursively call itself until it crashes. This occurs because the code does not properly handle spaces separating the parameters. The crash can happen without the endpoint having Opus configured in Asterisk and without the endpoint being authenticated. If guest is enabled for chan sip or anonymous in chan pjsip, an SDP offer or answer is still processed, leading to the crash.

Recommendations For Asterisk Open Source versions 13.12.x through 13.13.0, update to version 13.13.1 or later. For Asterisk Open Source versions 14.x through 14.2.0, update to version 14.2.1 or later.