Asterisk Project Security Advisory - AST-2020-003

Product

Asterisk

Summary

Remote crash in res_pjsip_diversion

Nature of Advisory

Denial of service

Susceptibility

Remote authenticated sessions

Severity

Moderate

Exploits Known

Yes

Reported On

December 22, 2020

Reported By

Torrey Searle

Posted On

December 22, 2020

Last Updated On

December 23, 2020

Advisory Contact

kharwell AT sangoma DOT com

CVE Name

CVE-2020-35652



Description

A crash can occur in Asterisk when it receives a SIP message with a History-Info header that contains a tel-uri.


Note that the remote client must be authenticated, or Asterisk must be configured for anonymous calling, for this problem to manifest.

Modules Affected

res_pjsip_diversion.c


Resolution

Asterisk now ensures that if it receives a SIP message with a History-Info header that contains a tel-uri, the redirecting cause is simply set to unknown.
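The behaviour the resolution describes, as an added illustration that is not Asterisk's own code: a History-Info value whose URI uses the tel: scheme yields an unknown redirecting cause, while a sip: or sips: URI has the cause read out of its percent-encoded Reason parameter. The function name, the REDIRECT_CAUSE_UNKNOWN constant and the sample header values are assumptions made for this example.

```c
#include <ctype.h>
#include <string.h>
#include <strings.h>
#define REDIRECT_CAUSE_UNKNOWN 0  /* assumed constant for this example, not Asterisk's */
/* Case-insensitive scheme test bounded by the URI length. */
static int has_scheme(const char *uri, size_t len, const char *scheme)
{
    size_t n = strlen(scheme);
    return len >= n && strncasecmp(uri, scheme, n) == 0;
}
/* Parse one History-Info value (RFC 4244 style) and return the SIP
 * response code carried in the URI's percent-encoded Reason parameter,
 * e.g. "?Reason=SIP%3Bcause%3D302". Returns REDIRECT_CAUSE_UNKNOWN for a
 * tel: URI, for any non-sip(s) scheme, and when no cause is present. */
int history_info_redirect_cause(const char *value)
{
    const char *open = strchr(value, '<');
    const char *close = open ? strchr(open, '>') : NULL;
    if (!open || !close)
        return REDIRECT_CAUSE_UNKNOWN;
    const char *uri = open + 1;
    size_t len = (size_t)(close - uri);
    /* A tel: URI has no SIP header part, so there is no cause to read:
     * report "unknown" rather than handling it as if it were a sip: URI. */
    if (has_scheme(uri, len, "tel:"))
        return REDIRECT_CAUSE_UNKNOWN;
    if (!has_scheme(uri, len, "sip:") && !has_scheme(uri, len, "sips:"))
        return REDIRECT_CAUSE_UNKNOWN;
    const char *q = memchr(uri, '?', len);
    if (!q)
        return REDIRECT_CAUSE_UNKNOWN;
    /* Accept "cause=" or its encoded form "cause%3D" inside the header part. */
    for (const char *p = q; p + 5 < close; p++) {
        const char *d = p + 5;
        if (strncasecmp(p, "cause", 5) != 0)
            continue;
        if (*d == '=')
            d++;
        else if (close - d >= 3 && strncasecmp(d, "%3D", 3) == 0)
            d += 3;
        else
            continue;
        int code = 0;
        while (d < close && isdigit((unsigned char)*d))
            code = code * 10 + (*d++ - '0');
        return code ? code : REDIRECT_CAUSE_UNKNOWN;
    }
    return REDIRECT_CAUSE_UNKNOWN;
}
```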


Affected Versions

Product               Release Series
Asterisk Open Source  13.X            13.38.0
Asterisk Open Source  16.X            16.15.0
Asterisk Open Source  17.X            17.9.0
Asterisk Open Source  18.X            18.1.0


Corrected In

Product               Release
Asterisk Open Source  13.38.1, 16.15.1, 17.9.1, 18.1.1




Patches

SVN URL                                                           Revision
https://downloads.asterisk.org/pub/security/AST-2020-003-13.diff  Asterisk 13
https://downloads.asterisk.org/pub/security/AST-2020-003-16.diff  Asterisk 16
https://downloads.asterisk.org/pub/security/AST-2020-003-17.diff  Asterisk 17
https://downloads.asterisk.org/pub/security/AST-2020-003-18.diff  Asterisk 18



Links

https://issues.asterisk.org/jira/browse/ASTERISK-29219


Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2020-003.pdf and http://downloads.digium.com/pub/security/AST-2020-003.html


Revision History

Date               Editor         Revisions Made
December 22, 2020  Kevin Harwell  Initial revision
December 23, 2020  Kevin Harwell  Added CVE


Copyright © 2020 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.