CVE-2016-9937 — Improper Restriction of Operations within the Bounds of a Memory Buffer in Asterisk

CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer4 documents4 sources

Severity

7.5HIGHNVD

EPSS

0.3%

top 43.04%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Digium Asterisk Debian Asterisk

Timeline

PublishedDec 12

Latest updateMay 17

Description

An issue was discovered in Asterisk Open Source 13.12.x and 13.13.x before 13.13.1 and 14.x before 14.2.1. If an SDP offer or answer is received with the Opus codec and with the format parameters separated using a space the code responsible for parsing will recursively call itself until it crashes. This occurs as the code does not properly handle spaces separating the parameters. This does NOT require the endpoint to have Opus configured in Asterisk. This also does not require the endpoint to be…

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDdigium/asterisk9 versions+8

▶debiandebian/asterisk

Patches

Patch: downloads.asterisk.org ↗Patch: downloads.asterisk.org ↗Patch: downloads.asterisk.org ↗

🔴Vulnerability Details

GHSA

GHSA-6qm8-8j44-j9h2: An issue was discovered in Asterisk Open Source 13↗2022-05-17

▶

📋Vendor Advisories

Debian

CVE-2016-9937: asterisk - An issue was discovered in Asterisk Open Source 13.12.x and 13.13.x before 13.13...↗2016

▶

💬Community

Bugzilla

CVE-2016-9937 asterisk: Crash on SDP offer or answer from endpoint using Opus↗2016-12-12

▶