PT-2024-5928 · Sangoma +2 · Certified Asterisk +3

Mbradeen · Published 2024-09-05 · Updated 2025-08-26 · CVE-2024-42491

CVSS v2.0: 6.8 (Medium) · Vector: AV:N/AC:L/Au:S/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions
Asterisk versions prior to 18.24.3, 20.9.3, and 21.4.3; Certified Asterisk versions prior to 18.9-cert12 and 20.7-cert2.

Description
The issue lies in how Asterisk sends SIP requests to URIs. If Asterisk attempts to send a SIP request to a URI whose host portion starts with .1 or [.1], and the res_resolver_unbound module is loaded, Asterisk crashes with a SEGV, consistent with the weaknesses enumerated below (an unchecked return value leading to a NULL pointer dereference). A remote attacker can use this to cause a denial of service by terminating the service; the CVSS vector (Au:S) indicates that a single authenticated SIP peer is enough to reach the crash.

Recommendations
For Asterisk versions prior to 18.24.3, 20.9.3, and 21.4.3, upgrade to the fixed release of the corresponding branch: 18.24.3, 20.9.3, or 21.4.3. For Certified Asterisk versions prior to 18.9-cert12 and 20.7-cert2, upgrade to certified-18.9-cert12 or certified-20.7-cert2. As a temporary workaround, disable res_resolver_unbound by adding noload = res_resolver_unbound.so to the [modules] section of modules.conf and restarting Asterisk (then verify that name resolution for your trunks still behaves as expected without that resolver). Alternatively, set rewrite_contact = yes on all PJSIP endpoints, which makes Asterisk send requests to the address the endpoint's traffic actually arrived from rather than to the host named in its Contact header; note that this may not be appropriate for all Asterisk configurations.
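The following checker turns the recommendations above into something runnable on a host: it classifies an `asterisk -V` version string against the advisory's fixed releases (regular and Certified branches) and inspects the two configuration files named as workarounds. It is example code added for this page, not code from the advisory or from the Asterisk project. The function names, the sample modules.conf and pjsip.conf text (constructed inline), and the simplified pjsip.conf parsing (template inheritance is not followed) are this example's own assumptions.

```python
"""CVE-2024-42491 exposure check: version vs. the advisory's fixed releases, plus the two
workarounds (modules.conf noload, pjsip.conf rewrite_contact). Example code for this
page, not from the Asterisk project; function names and sample configs are assumptions."""
import re

# First fixed release per Asterisk branch, from the advisory: major -> (minor, patch).
FIXED = {18: (24, 3), 20: (9, 3), 21: (4, 3)}
# First fixed Certified Asterisk release per branch: "major.minor" -> cert number.
FIXED_CERTIFIED = {"18.9": 12, "20.7": 2}

# Matches "Asterisk 20.9.2" and "Asterisk certified/18.9-cert11" as printed by `asterisk -V`.
_VERSION_RE = re.compile(
    r"(?:Asterisk\s+)?(?:certified/)?(\d+)\.(\d+)(?:\.(\d+))?(?:-cert(\d+))?", re.IGNORECASE
)
# A live (uncommented) noload line for the unbound resolver; Asterisk accepts "=" and "=>".
_NOLOAD_RE = re.compile(r"^\s*noload\s*=>?\s*res_resolver_unbound\.so\s*(?:;.*)?$", re.MULTILINE)


def classify_version(version):
    """'fixed', 'vulnerable', or 'unknown' (branch not covered by the advisory)."""
    m = _VERSION_RE.search(version)
    if not m:
        return "unknown"
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3) or 0)
    cert = m.group(4)
    if cert is not None:
        fixed_cert = FIXED_CERTIFIED.get(f"{major}.{minor}")
        if fixed_cert is None:
            return "unknown"
        return "fixed" if int(cert) >= fixed_cert else "vulnerable"
    fixed = FIXED.get(major)
    if fixed is None:
        return "unknown"
    return "fixed" if (minor, patch) >= fixed else "vulnerable"


def resolver_unbound_disabled(modules_conf):
    """True if modules.conf carries the advisory's noload line for res_resolver_unbound."""
    return _NOLOAD_RE.search(modules_conf) is not None


def endpoints_without_rewrite_contact(pjsip_conf):
    """Names of type=endpoint sections that do not set rewrite_contact to yes.

    Sections are kept separate, not merged, because pjsip.conf commonly reuses one name for
    the endpoint, aor and auth objects. Assumed simplification: [name](template) inheritance
    is not followed, so an endpoint inheriting rewrite_contact from a template is reported.
    """
    sections = []
    current = None
    for raw in pjsip_conf.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and "]" in line:
            current = {}
            sections.append((line[1:line.index("]")], current))
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        current[key.strip().lower()] = value.lstrip(">").strip().lower()
    return sorted(
        name
        for name, opts in sections
        if opts.get("type") == "endpoint"
        and opts.get("rewrite_contact") not in ("yes", "true", "on", "1")
    )


def assess(version, modules_conf, pjsip_conf):
    """'fixed' / 'unknown' from the version, else 'mitigated' if a workaround is in place
    (resolver module unloaded, or every endpoint rewrites Contact), else 'exposed'."""
    state = classify_version(version)
    if state != "vulnerable":
        return state
    if resolver_unbound_disabled(modules_conf):
        return "mitigated"
    if not endpoints_without_rewrite_contact(pjsip_conf):
        return "mitigated"
    return "exposed"


# Constructed sample configuration for the demonstration below.
SAMPLE_MODULES_CONF = """\
[modules]
autoload = yes
; workaround from the advisory: keep the unbound resolver out of the process
noload = res_resolver_unbound.so
"""

SAMPLE_PJSIP_CONF = """\
[alice]
type = endpoint
context = internal
rewrite_contact = yes

[alice]
type = aor
max_contacts = 1

[bob]
type = endpoint
context = internal
rewrite_contact = no   ; requests still go to whatever host bob's Contact header names

[bob]
type = auth
auth_type = userpass
"""

if __name__ == "__main__":
    for v in ("Asterisk 20.9.2", "Asterisk 21.4.3", "Asterisk certified/18.9-cert11"):
        print(v, "->", classify_version(v), "/", assess(v, SAMPLE_MODULES_CONF, SAMPLE_PJSIP_CONF))
    print("endpoints without rewrite_contact:", endpoints_without_rewrite_contact(SAMPLE_PJSIP_CONF))
```

Run it with the real `asterisk -V` output and the contents of /etc/asterisk/modules.conf and pjsip.conf; a verdict of "unknown" means the branch is not listed in this advisory and should be checked against the vendor's own release notes rather than assumed safe.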

Weakness Enumeration

Unchecked Return Value
NULL Pointer Dereference

Related Identifiers

ALT-PU-2025-2429
ALT-PU-2025-2613
BDU:2024-06734
CVE-2024-42491
DLA-3925-1
GHSA-V428-G3CW-7HV9

Affected Products

Alt Linux
Asterisk
Certified Asterisk
Red Os