CVE-2021-26717 — Asterisk vulnerability

4 documents4 sources

Severity

7.5HIGHNVD

EPSS

0.4%

top 37.94%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Digium Asterisk Debian Asterisk Digium Certified Asterisk

Timeline

PublishedFeb 18

Latest updateMay 24

Description

An issue was discovered in Sangoma Asterisk 16.x before 16.16.1, 17.x before 17.9.2, and 18.x before 18.2.1 and Certified Asterisk before 16.8-cert6. When re-negotiating for T.38, if the initial remote response was delayed just enough, Asterisk would send both audio and T.38 in the SDP. If this happened, and the remote responded with a declined T.38 stream, then Asterisk would crash.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶NVDdigium/certified_asterisk16.8

▶NVDdigium/asterisk16.0.0 — 16.16.1+2

▶debiandebian/asterisk< asterisk 1:16.16.1~dfsg-1 (bullseye)

▶Debiandigium/asterisk< 1:16.16.1~dfsg-1

Patches

Patch: seclists.org ↗Patch: issues.asterisk.org ↗Patch: seclists.org ↗

🔴Vulnerability Details

GHSA

GHSA-9mrj-wq9r-h4vw: An issue was discovered in Sangoma Asterisk 16↗2022-05-24

▶

OSV

CVE-2021-26717: An issue was discovered in Sangoma Asterisk 16↗2021-02-18

▶

📋Vendor Advisories

Debian

CVE-2021-26717: asterisk - An issue was discovered in Sangoma Asterisk 16.x before 16.16.1, 17.x before 17....↗2021

▶