security advisorycriticaldebian Multiple security issues were discovered in asterisk, an Open Source Private Branch Exchange (PBX). CVE-2019-13161 . - ------------------------------------------------------------------------- Debian LTS Advisory DLA-2969-1 This email address is being protected from spambots. You need JavaScript enabled to view it. https://www.debian.org/lts/security/ Abhijith PA April 03, 2022 https://wiki.debian.org/LTS - ------------------------------------------------------------------------- Package : asterisk Version : 1:13.14.1~dfsg-2+deb9u6 CVE ID : CVE-2019-13161 CVE-2019-18610 CVE-2019-18790 CVE-2019-18976 CVE-2020-28242 Multiple security issues were discovered in asterisk, an Open Source Private Branch Exchange (PBX). CVE-2019-13161 A pointer dereference in chan_sip while handling SDP negotiation allows an attacker to crash Asterisk CVE-2019-18610 A remote authenticated Asterisk Manager Interface (AMI) user without system authorization could use a specially crafted Originate AMI request to execute arbitrary system commands CVE-2019-18790 A SIP request can be sent to Asterisk that can change a SIP peer's IP address. A REGISTER does not need to occur, and calls can be hijacked as a result. The only thing that needs to be known is the peer's name; authentication details such as passwords do not need to be known. This vulnerability is only exploitable when the nat option is set to the default, or auto_force_rport. CVE-2019-18976 A NULL pointer dereference and crash will occur when asterisk receives a re-invite initiating T.38 faxing and has a port of 0 and no c line in the SDP CVE-2020-28242 If Asterisk is challenged on an outbound INVITE and the nonce is changed in each response, Asterisk will continually send INVITEs in a loop. This causes Asterisk to consume more and more memory since the transaction will never terminate (even if the call is hung up), ultimatelyleading to a restart or shutdown of Asterisk For Debian 9 stretch, these problems have been fixed in version 1:13.14.1~dfsg-2+deb9u6. We recommend that you upgrade your asterisk packages. For the detailed security status of asterisk please refer to its security tracker page at: https://security-tracker.debian.org/tracker/source-package/asterisk Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS . The recent patch for Asterisk resolves various vulnerabilities within Debian LTS, improving both resilience and defense against potential threats.. Debian LTS Asterisk Update, System Command Exploits, Private Branch Exchange Security. . Severity: Critical. LinuxSecurity.com Team
Apr 03, 2022 •Critical Debian LTS 
Refine advisories
