
Debian 9: DLA-2969-1 Critical: Asterisk Command Execution Exploit

Debian LTS
April 3, 2022
This Debian LTS update for the asterisk package in Debian 9 fixes several vulnerabilities, ranging from remotely triggered crashes to command execution through the Asterisk Manager Interface.
Multiple security issues were discovered in asterisk, an Open Source Private Branch Exchange (PBX).

Summary

CVE-2019-13161

A pointer dereference in chan_sip while handling SDP negotiation
allows an attacker to crash Asterisk.

CVE-2019-18610

A remote authenticated Asterisk Manager Interface (AMI) user
without system authorization could use a specially crafted
Originate AMI request to execute arbitrary system commands.

CVE-2019-18790

A SIP request can be sent to Asterisk that can change a SIP peer's
IP address. A REGISTER does not need to occur, and calls can be
hijacked as a result. The only thing that needs to be known is the
peer's name; authentication details such as passwords do not need
to be known. This vulnerability is only exploitable when the nat
option is set to the default, or auto_force_rport.

CVE-2019-18976

A NULL pointer dereference and crash will occur when asterisk
receives a re-invite initiating T.38 faxing and has a port of 0
and no c line in the SDP.

CVE-2020-28242



Severity: critical

Package: asterisk
Version: 1:13.14.1~dfsg-2+deb9u6
CVE ID: CVE-2019-13161 CVE-2019-18610 CVE-2019-18790 CVE-2019-18976
