PT-2021-17165 · Asterisk+2
Diogo Hartmann · Published 2021-02-18 · Updated 2025-02-13
CVE-2021-26906
CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions:
Asterisk versions 13.38.1 and earlier, 14.x, 15.x, 16.x through 16.16.0, 17.x through 17.9.1, and 18.x through 18.2.0
Certified Asterisk versions 16.8-cert5 and earlier
Description:
An issue in res_pjsip_session.c allows a remote server to potentially crash Asterisk by sending specific SIP responses that cause an SDP negotiation failure in PJSIP.
Recommendations:
For Asterisk versions 13.38.1 and earlier, 14.x, 15.x, 16.x through 16.16.0, 17.x through 17.9.1, and 18.x through 18.2.0, update to a version that contains a fix for this issue.
For Certified Asterisk versions 16.8-cert5 and earlier, update to a version that contains a fix for this issue.
As a temporary workaround, consider restricting access to the PJSIP module to minimize the risk of exploitation.
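To triage an installed build against the affected ranges listed above, the following added example (not code from this advisory or from the Asterisk project) classifies a version string. The function name `is_affected` is hypothetical, and the accepted input formats, a bare version or a line such as `Asterisk 18.2.0` or `Asterisk certified/16.8-cert5`, are assumptions about how the version is reported.

```python
import re

# Affected ranges transcribed from this advisory: for each open-source
# branch, the highest affected release (None = every release of the branch).
AFFECTED_BRANCH_MAX = {
    14: None,
    15: None,
    16: (16, 16, 0),
    17: (17, 9, 1),
    18: (18, 2, 0),
}
LEGACY_MAX = (13, 38, 1)      # "13.38.1 and earlier"
CERTIFIED_MAX = (16, 8, 5)    # "16.8-cert5 and earlier"

_STANDARD = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")
_CERTIFIED = re.compile(r"(?:certified/)?(\d+)\.(\d+)-cert(\d+)", re.I)


def is_affected(version_string):
    """Return True/False per the advisory's ranges, None if unparseable.

    Pre-release or distro-suffixed strings (-rc1, ~dfsg) are not covered
    by the advisory's wording and are reported as None for manual review.
    """
    text = version_string.strip()
    if text.lower().startswith("asterisk"):
        text = text[len("asterisk"):].strip()

    # Certified releases are compared as (major, minor, cert number).
    m = _CERTIFIED.fullmatch(text)
    if m:
        return tuple(map(int, m.groups())) <= CERTIFIED_MAX

    m = _STANDARD.fullmatch(text)
    if not m:
        return None
    version = tuple(int(g) if g else 0 for g in m.groups())
    if version <= LEGACY_MAX:
        return True
    if version[0] not in AFFECTED_BRANCH_MAX:
        return False
    branch_max = AFFECTED_BRANCH_MAX[version[0]]
    return branch_max is None or version <= branch_max
```

A `None` result means the string needs manual comparison against the ranges above; it does not mean the build is unaffected.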
Fix
Improper Resource Release
Affected Products
Alt Linux
Asterisk
Pjsip