[asterisk-dev] AST-2021-006: Crash when negotiating T.38 with a zero port

Asterisk Security Team security at asterisk.org
Thu Mar 4 12:19:58 CST 2021

               Asterisk Project Security Advisory - AST-2021-006

         Product        Asterisk                                              
         Summary        Crash when negotiating T.38 with a zero port          
    Nature of Advisory  Remote Crash                                          
      Susceptibility    Remote Authenticated Sessions                         
         Severity       Minor                                                 
      Exploits Known    No                                                    
       Reported On      February 20, 2021                                     
       Reported By      Gregory Massel                                        
        Posted On       
     Last Updated On    February 25, 2021                                     
     Advisory Contact   bford AT sangoma DOT com                              
         CVE Name       CVE-2019-15297                                        

      Description     When Asterisk sends a re-invite initiating T.38 faxing  
                      and the endpoint responds with a m=image line and zero  
                      port, a crash will occur in Asterisk. This is a         
                      reoccurrence of AST-2019-004.                           
    Modules Affected  res_pjsip_t38.c                                         

    Resolution  If T.38 faxing is not required then setting “t38_udptl” on    
                the endpoint to “no” disables this functionality. This        
                option is “no” by default.                                    
                If T.38 faxing is required, then Asterisk should be upgraded  
                to a fixed version.                                           

                               Affected Versions         
                          Product                        Release  
                   Asterisk Open Source                   16.x    16.16.1     
                   Asterisk Open Source                   17.x    17.9.2      
                   Asterisk Open Source                   18.x    18.2.1      
                    Certified Asterisk                    16.x    16.8-cert6  

                                  Corrected In
          Product                              Release                        
    Asterisk Open Source               16.16.2, 17.9.3, 18.2.2                
     Certified Asterisk                       16.8-cert7                      

                              Patch URL                             Revision  
   https://downloads.digium.com/pub/security/AST-2021-006-16.diff   Asterisk  
   https://downloads.digium.com/pub/security/AST-2021-006-17.diff   Asterisk  
   https://downloads.digium.com/pub/security/AST-2021-006-18.diff   Asterisk  
   https://downloads.digium.com/pub/security/AST-2021-006-16.8.diff Certified 

    Links  https://issues.asterisk.org/jira/browse/ASTERISK-29203             

    Asterisk Project Security Advisories are posted at                        
    This document may be superseded by later versions; if so, the latest      
    version will be posted at                                                 
    https://downloads.digium.com/pub/security/AST-2021-006.pdf and            

                                Revision History  
                        Date                       Editor    Revisions Made   
    February 25, 2021                             Ben Ford  Initial revision  

               Asterisk Project Security Advisory - AST-2021-006
            Copyright © 02/25/2021 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

More information about the asterisk-dev mailing list