CVE-2021-46837
https://notcve.org/view.php?id=CVE-2021-46837
res_pjsip_t38 in Sangoma Asterisk 16.x before 16.16.2, 17.x before 17.9.3, and 18.x before 18.2.2, and Certified Asterisk before 16.8-cert7, allows an attacker to trigger a crash by sending an m=image line and zero port in a response to a T.38 re-invite initiated by Asterisk. This is a re-occurrence of the CVE-2019-15297 symptoms but not for exactly the same reason. The crash occurs because there is an append operation relative to the active topology, but this should instead be a replace operation. La función res_pjsip_t38 en Sangoma Asterisk versiones 16.x anteriores a 16.16.2, 17.x anteriores a 17.9.3, y 18.x anteriores a 18.2.2, y Certified Asterisk anteriores a 16.8-cert7, permite a un atacante desencadenar un fallo mediante el envío de una línea m=image y un puerto cero en una respuesta a una Re invitación T.38 iniciada por Asterisk. Se trata de una reaparición de los síntomas de la CVE-2019-15297 pero no exactamente por el mismo motivo. • https://downloads.asterisk.org/pub/security/AST-2021-006.html https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html https://www.debian.org/security/2022/dsa-5285 • CWE-476: NULL Pointer Dereference •
CVE-2022-23608 – Use after free in PJSIP
https://notcve.org/view.php?id=CVE-2022-23608
PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In versions up to and including 2.11.1 when in a dialog set (or forking) scenario, a hash key shared by multiple UAC dialogs can potentially be prematurely freed when one of the dialogs is destroyed . The issue may cause a dialog set to be registered in the hash table multiple times (with different hash keys) leading to undefined behavior such as dialog list collision which eventually leading to endless loop. A patch is available in commit db3235953baa56d2fb0e276ca510fefca751643f which will be included in the next release. There are no known workarounds for this issue. • http://packetstormsecurity.com/files/166226/Asterisk-Project-Security-Advisory-AST-2022-005.html http://seclists.org/fulldisclosure/2022/Mar/1 https://github.com/pjsip/pjproject/commit/db3235953baa56d2fb0e276ca510fefca751643f https://github.com/pjsip/pjproject/security/advisories/GHSA-ffff-m5fm-qm62 https://lists.debian.org/debian-lts-announce/2022/03/msg00035.html https://lists.debian.org/debian-lts-announce/2022/03/msg00040.html https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html https:/ • CWE-416: Use After Free •
CVE-2022-21723 – Out-of-bounds read in multipart parsing in PJSIP
https://notcve.org/view.php?id=CVE-2022-21723
PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In versions 2.11.1 and prior, parsing an incoming SIP message that contains a malformed multipart can potentially cause out-of-bound read access. This issue affects all PJSIP users that accept SIP multipart. The patch is available as commit in the `master` branch. There are no known workarounds. • http://packetstormsecurity.com/files/166227/Asterisk-Project-Security-Advisory-AST-2022-006.html http://seclists.org/fulldisclosure/2022/Mar/2 https://github.com/pjsip/pjproject/commit/077b465c33f0aec05a49cd2ca456f9a1b112e896 https://github.com/pjsip/pjproject/security/advisories/GHSA-7fw8-54cv-r7pm https://lists.debian.org/debian-lts-announce/2022/03/msg00035.html https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html https:/ • CWE-125: Out-of-bounds Read •
CVE-2021-37706 – Potential integer underflow upon receiving STUN message in PJSIP
https://notcve.org/view.php?id=CVE-2021-37706
PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In affected versions if the incoming STUN message contains an ERROR-CODE attribute, the header length is not checked before performing a subtraction operation, potentially resulting in an integer underflow scenario. This issue affects all users that use STUN. A malicious actor located within the victim’s network may forge and send a specially crafted UDP (STUN) message that could remotely execute arbitrary code on the victim’s machine. Users are advised to upgrade as soon as possible. • http://packetstormsecurity.com/files/166225/Asterisk-Project-Security-Advisory-AST-2022-004.html http://seclists.org/fulldisclosure/2022/Mar/0 https://github.com/pjsip/pjproject/commit/15663e3f37091069b8c98a7fce680dc04bc8e865 https://github.com/pjsip/pjproject/security/advisories/GHSA-2qpg-f6wf-w984 https://lists.debian.org/debian-lts-announce/2022/03/msg00035.html https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html https:/ • CWE-191: Integer Underflow (Wrap or Wraparound) •
CVE-2020-28327
https://notcve.org/view.php?id=CVE-2020-28327
A res_pjsip_session crash was discovered in Asterisk Open Source 13.x before 13.37.1, 16.x before 16.14.1, 17.x before 17.8.1, and 18.x before 18.0.1. and Certified Asterisk before 16.8-cert5. Upon receiving a new SIP Invite, Asterisk did not return the created dialog locked or referenced. This caused a gap between the creation of the dialog object, and its next use by the thread that created it. Depending on some off-nominal circumstances and timing, it was possible for another thread to free said dialog in this gap. Asterisk could then crash when the dialog object, or any of its dependent objects, were dereferenced or accessed next by the initial-creation thread. • http://downloads.asterisk.org/pub/security/AST-2020-001.html https://issues.asterisk.org/jira/browse/ASTERISK-29057 • CWE-404: Improper Resource Shutdown or Release •