[asterisk-announce] AST-2016-004: Long Contact URIs in REGISTER requests can crash Asterisk

Asterisk Security Team security at asterisk.org
Thu Apr 14 17:23:12 CDT 2016

               Asterisk Project Security Advisory - AST-2016-004

         Product        Asterisk                                              
         Summary        Long Contact URIs in REGISTER requests can crash      
    Nature of Advisory  Remote Crash                                          
      Susceptibility    Remote Authenticated Sessions                         
         Severity       Major                                                 
      Exploits Known    No                                                    
       Reported On      January 19, 2016                                      
       Reported By      George Joseph                                         
        Posted On       
     Last Updated On    February 10, 2016                                     
     Advisory Contact   Mark Michelson <mmichelson AT digium DOT com>         
         CVE Name       

    Description  Asterisk may crash when processing an incoming REGISTER      
                 request if that REGISTER contains a Contact header with a    
                 lengthy URI.                                                 
                 This crash will only happen for requests that pass           
                 authentication. Unauthenticated REGISTER requests will not   
                 result in a crash occurring.                                 
                 This vulnerability only affects Asterisk when using PJSIP    
                 as its SIP stack. The chan_sip module does not have this     

    Resolution  Measures have been put in place to ensure that REGISTER       
                requests with long Contact URIs are rejected instead of       
                causing a crash.                                              

                               Affected Versions       
                         Product                       Release  
                  Asterisk Open Source                  11.x    Unaffected    
                  Asterisk Open Source                  13.x    All versions  
                   Certified Asterisk                   11.6    Unaffected    
                   Certified Asterisk                   13.1    All versions  

                                  Corrected In                    
                              Product                              Release    
                        Asterisk Open Source                        13.8.1    
                         Certified Asterisk                       13.1-cert5  

                 SVN URL                              Revision                


    Asterisk Project Security Advisories are posted at                        
    This document may be superseded by later versions; if so, the latest      
    version will be posted at                                                 
    http://downloads.digium.com/pub/security/AST-2016-004.pdf and             

                                Revision History
                     Date                       Editor       Revisions Made   
    February 10, 2016                       Mark Michelson  Initial creation  

               Asterisk Project Security Advisory - AST-2016-004
              Copyright (c) 2016 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

More information about the asterisk-announce mailing list