CVE-2019-18351

Name of the Vulnerable Software and Affected Versions Sangoma Asterisk versions 13.29.1 and earlier, 16.6.1 and earlier, 17.0.0 and earlier Certified Asterisk versions 13.21-cert4 and earlier

Description An issue was discovered in channels/chan sip.c that allows a SIP request to change a SIP peer's IP address without requiring a REGISTER or authentication details such as passwords. The only required information is the peer's name, and calls can be hijacked as a result. This issue is only exploitable when the nat option is set to the default or auto force rport.

Recommendations For Sangoma Asterisk versions 13.29.1 and earlier, 16.6.1 and earlier, 17.0.0 and earlier, consider updating to a version where this issue is fixed. For Certified Asterisk versions 13.21-cert4 and earlier, consider updating to a version where this issue is fixed. As a temporary workaround, consider changing the nat option from the default or auto force rport to a different setting to minimize the risk of exploitation.