CVE-2024-42491
Published 2024-09-05
Priority: P4 · medium · 5.7 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
EPSS: 0.55% (42.0th percentile)
Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.24.3, 20.9.3, and 21.4.3 of Asterisk and versions 18.9-cert12 and 20.7-cert2 of certified-asterisk, if Asterisk attempts to send a SIP request to a URI whose host portion starts with `.1` or `[.1]`, and res_resolver_unbound is loaded, Asterisk will crash with a SEGV. To receive a patch, users should upgrade to one of the following versions: 18.24.3, 20.9.3, 21.4.3, certified-18.9-cert12, certified-20.7-cert2. Two workarounds are available. Disable res_resolver_unbound by setting `noload = res_resolver_unbound.so` in modules.conf, or set `rewrite_contact = yes` on all PJSIP endpoints. NOTE: This may not be appropriate for all Asterisk configurations.
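The advisory's fixed-version list and its two workarounds translate directly into a pre-patch check for an existing deployment. The following is an added example, not Asterisk project code and not from the advisory: it classifies an `asterisk -V` string against the fixed versions named above and inspects modules.conf and pjsip.conf for the two workarounds. It assumes `asterisk -V` prints `Asterisk 18.24.2` or `Asterisk certified/18.9-cert11`, reports release lines the advisory does not list (such as 16, 19 or 22) as not covered rather than guessing, and uses a deliberately minimal config parser that ignores Asterisk features such as templates and `#include`. The sample configs are constructed.

```python
import re

# Fixed versions from the advisory, keyed by release line. Lines the advisory
# does not name (16, 19, 22, ...) are absent on purpose and come back "not-covered".
FIXED = {
    "18": (18, 24, 3),
    "20": (20, 9, 3),
    "21": (21, 4, 3),
    "certified/18.9": 12,  # 18.9-cert12
    "certified/20.7": 2,   # 20.7-cert2
}
MODULE = "res_resolver_unbound.so"

# Assumed `asterisk -V` shapes: "Asterisk 18.24.2" and "Asterisk certified/18.9-cert11".
_STD = re.compile(r"^(?:Asterisk\s+)?(\d+)\.(\d+)\.(\d+)")
_CERT = re.compile(r"^(?:Asterisk\s+)?certified/(\d+\.\d+)-cert(\d+)")

def version_status(version: str) -> str:
    """Return 'vulnerable', 'fixed' or 'not-covered' for an Asterisk version string."""
    m = _CERT.match(version)
    if m:
        fixed = FIXED.get("certified/" + m.group(1))
        if fixed is None:
            return "not-covered"
        return "fixed" if int(m.group(2)) >= fixed else "vulnerable"
    m = _STD.match(version)
    if m:
        major, minor, patch = (int(x) for x in m.groups())
        fixed = FIXED.get(str(major))
        if fixed is None:
            return "not-covered"
        return "fixed" if (major, minor, patch) >= fixed else "vulnerable"
    raise ValueError(f"unrecognised Asterisk version: {version!r}")

def parse_conf(text: str) -> dict:
    """Minimal Asterisk config parser: [section], 'key = value' or 'key => value',
    ';' comments, repeated keys kept in order. Templates and #include are ignored."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and "]" in line:
            current = line[1:line.index("]")]
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current].append((key.strip(), value.lstrip(">").strip()))
    return sections

def unbound_disabled(modules_conf: str) -> bool:
    """Workaround 1: the module must not load. With autoload=yes that needs a noload
    line; with autoload=no it is enough that no load line names it."""
    items = parse_conf(modules_conf).get("modules", [])
    noload = any(k == "noload" and v == MODULE for k, v in items)
    load = any(k == "load" and v == MODULE for k, v in items)
    autoload = dict(items).get("autoload", "yes").lower()
    return noload or (autoload == "no" and not load)

def endpoints_missing_rewrite_contact(pjsip_conf: str) -> list:
    """Workaround 2 needs rewrite_contact=yes on every endpoint; list those without it."""
    missing = []
    for name, items in parse_conf(pjsip_conf).items():
        kv = dict(items)
        if kv.get("type") == "endpoint" and kv.get("rewrite_contact", "").lower() != "yes":
            missing.append(name)
    return missing

def assess(version: str, modules_conf: str, pjsip_conf: str) -> dict:
    """Combine the version check with both workarounds into one verdict."""
    result = {"version": version, "status": version_status(version)}
    if result["status"] == "vulnerable":
        result["unbound_disabled"] = unbound_disabled(modules_conf)
        result["endpoints_missing_rewrite_contact"] = endpoints_missing_rewrite_contact(pjsip_conf)
        result["mitigated"] = result["unbound_disabled"] or not result["endpoints_missing_rewrite_contact"]
    return result

# Constructed sample configs, not taken from a real deployment.
MODULES_CONF_DEFAULT = "[modules]\nautoload = yes\nnoload => chan_sip.so\n"
MODULES_CONF_WORKAROUND = MODULES_CONF_DEFAULT + "noload = res_resolver_unbound.so ; CVE-2024-42491\n"
PJSIP_CONF = """[transport-udp]
type = transport
protocol = udp
bind = 0.0.0.0
[alice]
type = endpoint
rewrite_contact = yes
[bob]
type = endpoint
; rewrite_contact left at its default, so workaround 2 is incomplete
"""

if __name__ == "__main__":
    for mods in (MODULES_CONF_DEFAULT, MODULES_CONF_WORKAROUND):
        print(assess("Asterisk 20.9.2", mods, PJSIP_CONF))
```

Feed it the real `asterisk -V` output and the contents of the two files; a `vulnerable` verdict with `mitigated: False` means neither workaround is fully in place. Note that `rewrite_contact = yes` changes how Asterisk routes requests back to registered endpoints, which is the configuration caveat the advisory attaches to that workaround.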
Affected

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| asterisk | asterisk | < 18.24.3 | 18.24.3 |
| asterisk | asterisk | < 18.9-cert12 | 18.9-cert12 |
| asterisk | asterisk | < 1:16.28.0~dfsg-0+deb11u5 | 1:16.28.0~dfsg-0+deb11u5 |
| debian | asterisk | < 1:16.28.0~dfsg-0+deb11u5 (bullseye) | 1:16.28.0~dfsg-0+deb11u5 (bullseye) |
| sangoma | asterisk | < 18.24.3 | 18.24.3 |
| sangoma | asterisk | >= 20.0.0 < 20.9.3 | 20.9.3 |
| sangoma | asterisk | >= 21.0.0 < 21.4.3 | 21.4.3 |
| sangoma | certified_asterisk | < 18.9-cert12 | 18.9-cert12 |
| sangoma | certified_asterisk | < 20.7-cert2 | 20.7-cert2 |
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 5.7 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H |
| osv | 5.7 | MEDIUM | |
| vendor_debian | 5.7 | MEDIUM | |
OSV
osv · 2024-09-05 · CVSS 5.7 [MEDIUM]
CVE-2024-42491: Asterisk is an open-source private branch exchange (PBX)
Debian
vendor_debian · 2024 · CVSS 5.7 [MEDIUM]
CVE-2024-42491: asterisk - Asterisk is an open-source private branch exchange (PBX)
Scope: local
bullseye: resolved (fixed in 1:16.28.0~dfsg-0+deb1
No detection rules found.
No public exploits indexed.
Bugzilla
bugzilla · 2024-09-05 · CVSS 5.7 [MEDIUM]
CVE-2024-42491 asterisk: A malformed Contact or Record-Route URI in an incoming SIP request can cause crash [fedora-39]
More information about this security flaw is available in the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=2310279
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 39 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 39 on 2024-11-26.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains
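The Fedora tracker titles frame the trigger as a malformed Contact or Record-Route URI in an incoming SIP request: an attacker-supplied URI that Asterisk stores and later sends a request to, at which point res_resolver_unbound crashes on the `.1` or `[.1]` host. The scanner below is an added example, not code from the page, from Asterisk or from Red Hat. It unfolds SIP headers, pulls the host out of every URI in those two headers, and flags the host shapes the advisory names. The SIP messages are constructed samples, the header set and the `[.1]` test follow the advisory wording only, and the tool is meant for offline text such as a pcap export or proxy log, not as a substitute for upgrading.

```python
import re

# Headers the trackers name as carrying attacker-supplied URIs that Asterisk
# later sends requests to: Contact (compact form "m") and Record-Route.
WATCHED_HEADERS = ("contact", "m", "record-route")

# Captures the host portion of each sip:/sips: URI in a header value: either a
# bracketed literal ("[2001:db8::1]", or the malformed "[.1]") or a bare host.
_URI_HOST = re.compile(r"sips?:(?:[^@<>;,\s]*@)?(\[[^\]]*\]|[^\s;>,?:\]]+)", re.IGNORECASE)

def host_is_trigger(host: str) -> bool:
    """The host shapes the advisory says crash Asterisk with res_resolver_unbound loaded."""
    return host.startswith(".1") or host.startswith("[.1]")

def header_lines(message: str) -> list:
    """Header lines of a SIP message with RFC 3261 line folding undone
    (a continuation line starts with SP or HTAB); the start line is dropped."""
    head = message.split("\r\n\r\n", 1)[0]
    head = re.sub(r"\r\n[ \t]+", " ", head)
    return head.split("\r\n")[1:]

def find_trigger_hosts(message: str) -> list:
    """Return (header name, host) for each watched header whose URI host has the
    crash-triggering shape; an empty list means the message is clean."""
    hits = []
    for line in header_lines(message):
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() not in WATCHED_HEADERS:
            continue
        for host in _URI_HOST.findall(value):
            if host_is_trigger(host):
                hits.append((name.strip(), host))
    return hits

# Constructed sample messages, not captured traffic.
MALFORMED_REGISTER = (
    "REGISTER sip:pbx.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK776\r\n"
    "From: <sip:alice@pbx.example.net>;tag=1928\r\n"
    "To: <sip:alice@pbx.example.net>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:alice@.1>;expires=3600\r\n"
    "Content-Length: 0\r\n\r\n"
)
MALFORMED_INVITE = (
    "INVITE sip:bob@pbx.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK777\r\n"
    "Record-Route: <sip:proxy.example.net;lr>,\r\n"
    " <sip:[.1];lr>\r\n"
    "Contact: <sip:carol@198.51.100.7:5060>\r\n"
    "Content-Length: 0\r\n\r\n"
)
CLEAN_INVITE = (
    "INVITE sip:bob@pbx.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK778\r\n"
    "Contact: <sip:bob@[2001:db8::1]:5060>\r\n"
    "Record-Route: <sip:10.1.2.3;lr>\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for label, msg in (("register", MALFORMED_REGISTER), ("invite", MALFORMED_INVITE), ("clean", CLEAN_INVITE)):
        print(label, find_trigger_hosts(msg) or "clean")
```

The folded Record-Route in the second sample is the case a naive line-by-line grep misses: the offending URI sits on a continuation line, so the header must be unfolded before the host is extracted.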
Bugzilla
bugzilla · 2024-09-05 · CVSS 5.7 [MEDIUM]
CVE-2024-42491 asterisk: A malformed Contact or Record-Route URI in an incoming SIP request can cause crash [fedora-40]
More information about this security flaw is available in the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=2310279
Discussion:
This message is a reminder that Fedora Linux 40 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 40 on 2025-05-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains
Bugzilla
bugzilla · 2024-09-05 · CVSS 5.7 [MEDIUM]
CVE-2024-42491 asterisk: A malformed Contact or Record-Route URI in an incoming SIP request can cause crash [epel-8]
More information about this security flaw is available in the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=2310279
Discussion:
The issue (CVE-2024-42491) is addressed in Asterisk version 18.25.0. The fix is now available via the asterisk-18.26.4 update for EPEL 8 and EPEL 9.
---
FEDORA-EPEL-2026-f2281acb03 (asterisk-18.26.4-1.el8) has been submitted as an update to Fedora EPEL 8.
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-202
References
https://github.com/asterisk/asterisk/commit/42a2f4ccfa2c7062a15063e765916b3332e34cc4
https://github.com/asterisk/asterisk/commit/4f01669c7c41c9184f3cce9a3cf1b2ebf6201742
https://github.com/asterisk/asterisk/commit/50bf8d4d3064930d28ecf1ce3397b14574d514d2
https://github.com/asterisk/asterisk/commit/7a0090325bfa9d778a39ae5f7d0a98109e4651c8
https://github.com/asterisk/asterisk/commit/a15050650abf09c10a3c135fab148220cd41d3a0
https://github.com/asterisk/asterisk/security/advisories/GHSA-v428-g3cw-7hv9
https://lists.debian.org/debian-lts-announce/2024/10/msg00016.html