Vulnerability identifier: #VU50966

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-26717

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Asterisk Open Source
Server applications / Conferencing, Collaboration and VoIP solutions

Vendor: Digium (Linux Support Services)

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

An issue was discovered in Sangoma Asterisk 16.x before 16.16.1, 17.x before 17.9.2, and 18.x before 18.2.1 and Certified Asterisk before 16.8-cert6. When re-negotiating for T.38, if the initial remote response was delayed just enough, Asterisk would send both audio and T.38 in the SDP. If this happened, and the remote responded with a declined T.38 stream, then Asterisk would crash.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Asterisk Open Source: 1.4.16.1 - 1.4.16.2, 1.6.2.16.1 - 1.6.2.16.2, 1.8.16.0, 11.16.0, 13.16.0, 16.0.0 - 16.6.2

---

External links
http://packetstormsecurity.com/files/161471/Asterisk-Project-Security-Advisory-AST-2021-002.html
http://seclists.org/fulldisclosure/2021/Feb/58
http://downloads.asterisk.org/pub/security/
http://downloads.asterisk.org/pub/security/AST-2021-002.html
http://issues.asterisk.org/jira/browse/ASTERISK-29203

---

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.