Asterisk Project Security Advisory -

         Product        Asterisk                                              
         Summary        Re-invite with T.38 and malformed SDP causes crash.   
    Nature of Advisory  Remote Crash                                          
      Susceptibility    Remote Authenticated Sessions                         
         Severity       Minor                                                 
      Exploits Known    No                                                    
       Reported On      November 07, 2019                                     
       Reported By      Salah Ahmed                                           
        Posted On       November 21, 2019                                     
     Last Updated On    November 21, 2019                                     
     Advisory Contact   bford AT sangoma DOT com                              
         CVE Name       CVE-2019-18976                                        

      Description     If Asterisk receives a re-invite initiating T.38        
                      faxing and has a port of 0 and no c line in the SDP, a  
                      crash will occur.                                       
    Modules Affected  res_pjsip_t38.c                                         

    Resolution  If T.38 faxing is not needed, then the “t38_udptl”            
                configuration option in pjsip.conf can be set to “no” to      
                disable the functionality. This option automatically          
                defaults to “no” and would have to be manually turned on to   
                experience this crash.                                        
                                                                              
                If T.38 faxing is needed, then Asterisk should be upgraded    
                to a fixed version.                                           

                               Affected Versions       
                         Product                       Release  
                                                       Series   
                  Asterisk Open Source                  13.x    All versions  
                   Certified Asterisk                   13.21   All versions  

                                  Corrected In                   
                              Product                              Release    
                       Asterisk Open Source                        13.29.2    
                        Certified Asterisk                       13.21-cert5  

                                     Patches                         
                               SVN URL                                Revision   
  http://downloads.asterisk.org/pub/security/AST-2019-008-13.diff    Asterisk 13 
  http://downloads.asterisk.org/pub/security/AST-2019-008-13.21.diff Certified   
                                                                     Asterisk    
                                                                     13.21-cert5 

    Links  https://issues.asterisk.org/jira/browse/ASTERISK-28612             

    Asterisk Project Security Advisories are posted at                        
    http://www.asterisk.org/security                                          
                                                                              
    This document may be superseded by later versions; if so, the latest      
    version will be posted at http://downloads.digium.com/pub/security/.pdf   
    and http://downloads.digium.com/pub/security/.html                        

                                Revision History
          Date          Editor                 Revisions Made                 
    November 12, 2019  Ben Ford  Initial Revision                             
    November 21, 2019  Ben Ford  Added “Posted On” date                       

                      Asterisk Project Security Advisory -
               Copyright © 2019 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.