CVE-2016-9938

Name of the Vulnerable Software and Affected Versions Asterisk Open Source versions 11.x through 11.25.1 Asterisk Open Source versions 13.x through 13.13.1 Asterisk Open Source versions 14.x through 14.2.1 Certified Asterisk versions 11.x through 11.6-cert16 Certified Asterisk versions 13.x through 13.8-cert4

Description The issue is related to the chan sip channel driver, which has a liberal definition for whitespace when stripping content between a SIP header name and a colon character. This can cause problems when Asterisk is used with an authenticating SIP proxy, allowing an INVITE request into Asterisk without authentication. The result is that Asterisk can process calls from unvetted sources without any authentication.

Recommendations For Asterisk Open Source versions 11.x through 11.25.1, update to version 11.25.1 or later. For Asterisk Open Source versions 13.x through 13.13.1, update to version 13.13.1 or later. For Asterisk Open Source versions 14.x through 14.2.1, update to version 14.2.1 or later. For Certified Asterisk versions 11.x through 11.6-cert16, update to version 11.6-cert16 or later. For Certified Asterisk versions 13.x through 13.8-cert4, update to version 13.8-cert4 or later. As a temporary workaround, consider using chan pjsip instead of chan sip, or ensure that your proxy is dialog-aware to minimize the risk of exploitation.