Asterisk Project Security Advisory - AST-2021-009

Product

Asterisk

Summary

pjproject/pjsip: crash when SSL socket destroyed during handshake

Nature of Advisory

Denial of service

Susceptibility

Remote unauthenticated sessions

Severity

Major

Exploits Known

Yes

Reported On

May 5, 2021

Reported By

Andrew Yager

Posted On


Last Updated On

July 6, 2021

Advisory Contact

kharwell AT sangoma DOT com

CVE Name

CVE-2021-32686



Description

Depending on timing, Asterisk can crash when using a TLS connection if the underlying socket's parent/listener is destroyed while the TLS handshake is still in progress. Because the handshake completes before any SIP-level authentication, a remote unauthenticated peer can trigger the crash, resulting in a denial of service.

Modules Affected

bundled pjproject


Resolution

If Asterisk was built with the bundled pjproject (configured with --with-pjproject-bundled), upgrade to, or install one of, the versions of Asterisk listed below. Otherwise, install a version of pjproject that contains the patch (see the pjproject advisory under Links).


Affected Versions

Product                 Release Series   Versions
Asterisk Open Source    13.x             All versions
Asterisk Open Source    16.x             All versions
Asterisk Open Source    17.x             All versions
Asterisk Open Source    18.x             All versions
Certified Asterisk      16.x             All versions


Corrected In

Product                 Release
Asterisk Open Source    13.38.3, 16.19.1, 17.9.4, 18.5.1
Certified Asterisk      16.8-cert10

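The following is an added example, not part of the advisory or of the Asterisk project's own tooling. It takes the version banner printed by `asterisk -V` (or `asterisk -rx "core show version"`) and decides, from the Corrected In table above, whether the running build predates the AST-2021-009 fix. The banner formats it parses ("Asterisk 16.19.0 ..." and "Asterisk certified/16.8-cert9 ...") are assumed from how these releases are normally labelled; the sample banners in the block are constructed.

```python
"""Added example (not Asterisk project code): check an Asterisk version
banner against the AST-2021-009 'Corrected In' releases."""
import re

# Minimum fixed release per open-source series, from the advisory.
FIXED_OPEN_SOURCE = {
    13: (13, 38, 3),
    16: (16, 19, 1),
    17: (17, 9, 4),
    18: (18, 5, 1),
}
# Minimum fixed Certified Asterisk release: 16.8-cert10.
FIXED_CERTIFIED = {(16, 8): 10}

# Assumed banner shapes; anything else is reported as unrecognised.
_OSS_RE = re.compile(r"Asterisk\s+(\d+)\.(\d+)\.(\d+)")
_CERT_RE = re.compile(r"Asterisk\s+certified/(\d+)\.(\d+)-cert(\d+)")


def parse_version(banner):
    """Return ('oss', (major, minor, patch)), ('cert', (major, minor, cert))
    or None when the banner does not match either assumed shape."""
    m = _CERT_RE.search(banner)
    if m:
        return "cert", tuple(int(x) for x in m.groups())
    m = _OSS_RE.search(banner)
    if m:
        return "oss", tuple(int(x) for x in m.groups())
    return None


def is_vulnerable(banner):
    """True if the build predates the AST-2021-009 fix, False if it
    includes it. Raises ValueError for banners it cannot parse (e.g. GIT
    snapshot builds) or release series the advisory does not list, so an
    unknown build is never silently reported as fixed."""
    parsed = parse_version(banner)
    if parsed is None:
        raise ValueError("unrecognised version banner: %r" % banner)
    kind, ver = parsed
    if kind == "cert":
        major, minor, cert = ver
        fixed_cert = FIXED_CERTIFIED.get((major, minor))
        if fixed_cert is None:
            raise ValueError("certified series %d.%d not listed in AST-2021-009"
                             % (major, minor))
        return cert < fixed_cert
    fixed = FIXED_OPEN_SOURCE.get(ver[0])
    if fixed is None:
        raise ValueError("series %d.x not listed in AST-2021-009" % ver[0])
    # Tuple comparison gives the usual major.minor.patch ordering.
    return ver < fixed


if __name__ == "__main__":
    # Constructed sample banners, not output captured from real systems.
    samples = [
        "Asterisk 16.19.0 built by user @ host on a x86_64",
        "Asterisk 16.19.1",
        "Asterisk 13.38.2",
        "Asterisk certified/16.8-cert9",
        "Asterisk certified/16.8-cert10",
        "Asterisk GIT-master-abcdef0",
    ]
    for s in samples:
        try:
            state = "VULNERABLE" if is_vulnerable(s) else "fixed"
        except ValueError as e:
            state = "unknown (%s)" % e
        print("%-50s %s" % (s, state))
```

The check only applies to builds using the bundled pjproject. If Asterisk was linked against a system-installed pjproject, the Asterisk version says nothing about the fix; check the installed pjproject package against the pjproject advisory linked below instead.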
Patches

Patch URL                                                          Revision
https://downloads.digium.com/pub/security/AST-2021-009-13.diff     Asterisk 13
https://downloads.digium.com/pub/security/AST-2021-009-16.diff     Asterisk 16
https://downloads.digium.com/pub/security/AST-2021-009-17.diff     Asterisk 17
https://downloads.digium.com/pub/security/AST-2021-009-18.diff     Asterisk 18
https://downloads.digium.com/pub/security/AST-2021-009-16.8.diff   Certified Asterisk 16.8

Links

https://issues.asterisk.org/jira/browse/ASTERISK-29415

https://downloads.asterisk.org/pub/security/AST-2021-009.html

https://github.com/pjsip/pjproject/security/advisories/GHSA-cv8x-p47p-99wr


Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version will be posted at https://downloads.digium.com/pub/security/AST-2021-009.pdf and https://downloads.digium.com/pub/security/AST-2021-009.html


Revision History

Date             Editor           Revisions Made
June 14, 2021    Kevin Harwell    Initial revision


Copyright © 2021 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.