Asterisk Project Security Advisory - AST-2016-006 Product Asterisk Summary Crash on ACK from unknown endpoint Nature of Advisory Remote Crash Susceptibility Remote unauthenticated sessions Severity Critical Exploits Known No Reported On August 3, 2016 Reported By Nappsoft Posted On Last Updated On August 31, 2016 Advisory Contact mark DOT michelson AT digium DOT com CVE Name Description Asterisk can be crashed remotely by sending an ACK to it from an endpoint username that Asterisk does not recognize. Most SIP request types result in an "artificial" endpoint being looked up, but ACKs bypass this lookup. The resulting NULL pointer results in a crash when attempting to determine if ACLs should be applied. This issue was introduced in the Asterisk 13.10 release and only affects that release. This issue only affects users using the PJSIP stack with Asterisk. Those users that use chan_sip are unaffected. Resolution ACKs now result in an artificial endpoint being looked up just like other SIP request types. Affected Versions Product Release Series Asterisk Open Source 11.x Unaffected Asterisk Open Source 13.x 13.10.0 Certified Asterisk 11.6 Unaffected Certified Asterisk 13.8 Unaffected Corrected In Product Release Asterisk Open Source 13.11.1 Patches SVN URL Revision Links Asterisk Project Security Advisories are posted at http://www.asterisk.org/security This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2016-006.pdf and http://downloads.digium.com/pub/security/AST-2016-006.html Revision History Date Editor Revisions Made August 16, 2016 Mark Michelson Initial draft of Advisory Asterisk Project Security Advisory - AST-2016-006 Copyright (c) 2016 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.