               Asterisk Project Security Advisory - AST-2021-001

         Product        Asterisk
         Summary        Remote crash in res_pjsip_diversion
    Nature of Advisory  Denial of service
      Susceptibility    Remote authenticated sessions
         Severity       Moderate
      Exploits Known    No
       Reported On      December 28, 2020
       Reported By      Ivan Poddubny
        Posted On       January 04, 2021
     Last Updated On    January 04, 2021
     Advisory Contact   gjoseph AT sangoma DOT com
         CVE Name       CVE-2020-35776

    Description  If a registered user is tricked into dialing a malicious
                 number that sends lots of 181 (Call Is Being Forwarded)
                 responses to Asterisk, each one causes a 181 to be sent
                 back to the original caller with an increasing number of
                 entries in the "Supported" header. Eventually the number
                 of entries in the header exceeds the size of the entry
                 array and Asterisk crashes.

    Modules Affected  res_pjsip_diversion.c

    Resolution  Before updating the "Supported" header with a new entry,
                Asterisk now checks that the entry does not already exist
                and that adding it will not exceed the size of the entry
                array.

                               Affected Versions
                  Product              Release Series
           Asterisk Open Source             13.X            13.38.1
           Asterisk Open Source             16.X            16.15.1
           Asterisk Open Source             17.X            17.9.1
           Asterisk Open Source             18.X            18.1.1

                                  Corrected In
                      Product                          Release
               Asterisk Open Source       13.38.2, 16.16.1, 17.9.2, 18.2.1

                                     Patches
                              Patch URL                              Revision
    https://downloads.digium.com/pub/security/AST-2021-001-13.diff    13.38.2
    https://downloads.digium.com/pub/security/AST-2021-001-16.diff    16.16.1
    https://downloads.digium.com/pub/security/AST-2021-001-17.diff    17.9.2
    https://downloads.digium.com/pub/security/AST-2021-001-18.diff    18.2.1

    Links  https://issues.asterisk.org/jira/browse/ASTERISK-29227
           https://downloads.asterisk.org/pub/security/AST-2021-001.html

    Asterisk Project Security Advisories are posted at
    http://www.asterisk.org/security

    This document may be superseded by later versions; if so, the latest
    version will be posted at
    https://downloads.digium.com/pub/security/AST-2021-001.pdf and
    https://downloads.digium.com/pub/security/AST-2021-001.html

                                Revision History
    Date                 Editor           Revisions Made
    December 29, 2020    George Joseph    Initial revision

               Copyright © 2020 Digium, Inc. All Rights Reserved.
    Permission is hereby granted to distribute and publish this advisory in
    its original, unaltered form.
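The failure the Description section describes (an unbounded append into a fixed-size header entry array, driven by one 181 per forwarded-call response) and the shape of the check the Resolution section describes are shown below as an added C example. This is not Asterisk's or PJSIP's code: struct supported_hdr, MAX_ENTRIES, TAG_LEN, the function names and the constructed "tagN" option-tag stream are all assumptions made for the demonstration. The vulnerable path refuses the write instead of performing it only so the program stays memory-safe; in real code that branch is the out-of-bounds write.

```c
#include <stdio.h>
#include <string.h>

/* Model of a bounded "Supported" header: a fixed array of option tags and
 * a count. MAX_ENTRIES, TAG_LEN and struct supported_hdr are assumptions
 * for this example, not PJSIP's or Asterisk's own definitions. */
#define MAX_ENTRIES 8
#define TAG_LEN 32

struct supported_hdr {
    unsigned count;
    char values[MAX_ENTRIES][TAG_LEN];
};

/* Vulnerable pattern: append with no duplicate or bounds check.
 * Returns 1 if the write stayed in bounds, 0 if it would have run past
 * values[] (nothing is written in that case, so the demo stays safe;
 * real code would corrupt memory here). */
int add_supported_unchecked(struct supported_hdr *hdr, const char *tag)
{
    if (hdr->count >= MAX_ENTRIES)
        return 0;
    strncpy(hdr->values[hdr->count], tag, TAG_LEN - 1);
    hdr->values[hdr->count][TAG_LEN - 1] = '\0';
    hdr->count++;
    return 1;
}

/* Hardened pattern matching the advisory's resolution: skip a tag that is
 * already present and refuse to grow past the array.
 * Returns 1 if added, 0 if already present, -1 if the header is full. */
int add_supported_checked(struct supported_hdr *hdr, const char *tag)
{
    unsigned i;
    for (i = 0; i < hdr->count; i++) {
        if (strcmp(hdr->values[i], tag) == 0)
            return 0;
    }
    if (hdr->count >= MAX_ENTRIES)
        return -1;
    strncpy(hdr->values[hdr->count], tag, TAG_LEN - 1);
    hdr->values[hdr->count][TAG_LEN - 1] = '\0';
    hdr->count++;
    return 1;
}

/* Simulate a callee sending `responses` 181s; each one makes the relay add
 * one tag to the outgoing 181's Supported header. The tag stream is
 * constructed: "tag0", "tag1", ... cycling through `distinct` (>= 1) values
 * so the duplicate check is exercised as well as the bounds check.
 * Returns the final entry count; *overflows counts the writes the
 * unchecked path would have made past the end of values[]. */
unsigned relay_181_storm(struct supported_hdr *hdr, unsigned responses,
                         unsigned distinct, int checked, unsigned *overflows)
{
    unsigned n;
    char tag[TAG_LEN];

    memset(hdr, 0, sizeof(*hdr));
    *overflows = 0;
    for (n = 0; n < responses; n++) {
        snprintf(tag, sizeof(tag), "tag%u", n % distinct);
        if (checked) {
            (void)add_supported_checked(hdr, tag);
        } else if (!add_supported_unchecked(hdr, tag)) {
            (*overflows)++;
        }
    }
    return hdr->count;
}

int main(void)
{
    struct supported_hdr hdr;
    unsigned ovf;

    /* Unchecked relay, one tag repeated 20 times: 8 fit, 12 would overflow. */
    unsigned c1 = relay_181_storm(&hdr, 20, 1, 0, &ovf);
    printf("unchecked: count=%u, out-of-bounds writes avoided=%u\n", c1, ovf);

    /* Checked relay, same storm: the duplicate check holds count at 1. */
    unsigned c2 = relay_181_storm(&hdr, 20, 1, 1, &ovf);
    printf("checked, one tag repeated: count=%u\n", c2);

    /* Checked relay, 50 distinct tags: the bounds check caps at MAX_ENTRIES. */
    unsigned c3 = relay_181_storm(&hdr, 50, 50, 1, &ovf);
    printf("checked, 50 distinct tags: count=%u\n", c3);
    return 0;
}
```

The two checks cover different cases: re-adding the same tag on every response is stopped by the duplicate check alone, while a stream of distinct tags is what the capacity check exists for. Both are needed for the header to stay inside its array regardless of what the remote side sends.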