CVE-2021-26717
Published 2021-02-18
Priority P3 · 40 · high · 7.5 CVSS 3.1 · AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS 2.18% · 80.1st percentile
An issue was discovered in Sangoma Asterisk 16.x before 16.16.1, 17.x before 17.9.2, and 18.x before 18.2.1 and Certified Asterisk before 16.8-cert6. When re-negotiating for T.38, if the initial remote response was delayed just enough, Asterisk would send both audio and T.38 in the SDP. If this happened, and the remote responded with a declined T.38 stream, then Asterisk would crash.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | asterisk | < asterisk 1:16.16.1~dfsg-1 (bullseye) | asterisk 1:16.16.1~dfsg-1 (bullseye) |
| digium | asterisk | >= 0 < 1:16.16.1~dfsg-1 | 1:16.16.1~dfsg-1 |
| digium | asterisk | >= 16.0.0 < 16.16.1 | 16.16.1 |
| digium | asterisk | >= 17.0.0 < 17.9.2 | 17.9.2 |
| digium | asterisk | >= 18.0 < 18.2.1 | 18.2.1 |
| digium | certified_asterisk | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
GHSA
GHSA-9mrj-wq9r-h4vw · ghsa_unreviewed · 2022-05-24 · HIGH
OSV
CVE-2021-26717 · osv · 2021-02-18 · CVSS 7.5 · HIGH
Debian
CVE-2021-26717 (asterisk) · vendor_debian · 2021 · CVSS 7.5 · HIGH
Scope: local
bullseye: resolved (fixed in 1:16.16.1~dfsg-1)
sid: resolved (fixed in 1:16.16.1~dfsg-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
http://packetstormsecurity.com/files/161471/Asterisk-Project-Security-Advisory-AST-2021-002.html
http://seclists.org/fulldisclosure/2021/Feb/58
https://downloads.asterisk.org/pub/security/
https://downloads.asterisk.org/pub/security/AST-2021-002.html
https://issues.asterisk.org/jira/browse/ASTERISK-29203