[asterisk-announce] AST-2021-009: pjproject/pjsip: crash when SSL socket destroyed during handshake

Asterisk Security Team security at asterisk.org
Thu Jul 22 17:53:26 CDT 2021

               Asterisk Project Security Advisory - AST-2021-009

         Product        Asterisk                                              
         Summary        pjproject/pjsip: crash when SSL socket destroyed      
                        during handshake                                      
    Nature of Advisory  Denial of service                                     
      Susceptibility    Remote unauthenticated sessions                       
         Severity       Major                                                 
      Exploits Known    Yes                                                   
       Reported On      May 5, 2021                                           
       Reported By      Andrew Yager                                          
        Posted On       
     Last Updated On    July 6, 2021                                          
     Advisory Contact   kharwell AT sangoma DOT com                           
         CVE Name       CVE-2021-32686                                        

      Description     Depending on the timing, it’s possible for Asterisk to  
                      crash when using a TLS connection if the underlying     
                      socket parent/listener gets destroyed during the        
    Modules Affected  bundled pjproject                                       

    Resolution  If you use “with-pjproject-bundled” then upgrade to, or       
                install one of, the versions of Asterisk listed below.        
                Otherwise install the appropriate version of pjproject that   
                contains the patch.                                           

                               Affected Versions
                Product              Release Series  
         Asterisk Open Source             13.x       All versions             
         Asterisk Open Source             16.x       All versions             
         Asterisk Open Source             17.x       All versions             
         Asterisk Open Source             18.x       All versions             
          Certified Asterisk              16.x       All versions             

                                  Corrected In
               Product                              Release                   
        Asterisk Open Source           13.38.3, 16.19.1, 17.9.4, 18.5.1       
         Certified Asterisk                       16.8-cert10                 

                              Patch URL                             Revision  
   https://downloads.digium.com/pub/security/AST-2021-009-13.diff   Asterisk  
   https://downloads.digium.com/pub/security/AST-2021-009-16.diff   Asterisk  
   https://downloads.digium.com/pub/security/AST-2021-009-17.diff   Asterisk  
   https://downloads.digium.com/pub/security/AST-2021-009-18.diff   Asterisk  
   https://downloads.digium.com/pub/security/AST-2021-009-16.8.diff Certified 

Links https://issues.asterisk.org/jira/browse/ASTERISK-29415                     

    Asterisk Project Security Advisories are posted at                        
    This document may be superseded by later versions; if so, the latest      
    version will be posted at                                                 
    https://downloads.digium.com/pub/security/AST-2021-009.pdf and            

                                Revision History
          Date                  Editor                 Revisions Made         
    June 14, 2021      Kevin Harwell             Initial revision             

               Asterisk Project Security Advisory - AST-2021-009
               Copyright © 2021 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

More information about the asterisk-announce mailing list