Asterisk Project Security Advisory - AST-2021-002

Product:            Asterisk
Summary:            Remote crash possible when negotiating T.38
Nature of Advisory: Denial of service
Susceptibility:     Remote authenticated sessions
Severity:           Minor
Exploits Known:     No
Reported On:        December 8, 2020
Reported By:        Gregory Massel
Posted On:
Last Updated On:    February 5, 2021
Advisory Contact:   kharwell AT sangoma DOT com
CVE Name:           CVE-2021-26717

Description:
When re-negotiating for T.38, if the initial remote response was delayed just enough, Asterisk would send both audio and T.38 in the SDP. If this happened, and the remote responded with a declined T.38 stream, then Asterisk would crash.

Modules Affected:
res_pjsip_session.c, res_pjsip_t38.c

Resolution:
When re-negotiating for T.38 and a delay occurs, Asterisk now sends SDP only for the expected T.38 stream. A check was also put in place to ensure a T.38 media stream is active within Asterisk when attempting to change state for fax.

Affected Versions:
Product                 Release Series   Introduced
Asterisk Open Source    16.x             16.15.0
Asterisk Open Source    17.x             17.9.0
Asterisk Open Source    18.x             18.1.0
Certified Asterisk      16.8             16.8-cert4

Corrected In:
Product                 Release
Asterisk Open Source    16.16.1, 17.9.2, 18.2.1
Certified Asterisk      16.8-cert6

Patches:
Patch URL                                                              Revision
https://downloads.asterisk.org/pub/security/AST-2021-002-16.diff       Asterisk 16
https://downloads.asterisk.org/pub/security/AST-2021-002-17.diff       Asterisk 17
https://downloads.asterisk.org/pub/security/AST-2021-002-18.diff       Asterisk 18
https://downloads.asterisk.org/pub/security/AST-2021-002-16.8.diff     Certified Asterisk 16.8-cert6

Links:
https://issues.asterisk.org/jira/browse/ASTERISK-29203
https://downloads.asterisk.org/pub/security/AST-2021-002.html

Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2021-002.pdf and http://downloads.digium.com/pub/security/AST-2021-002.html

Revision History:
Date               Editor          Revisions Made
February 1, 2021   Kevin Harwell   Initial revision

Copyright © 2021 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.
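
The Affected Versions and Corrected In tables above can be turned into a triage check for an installed release. This is an added example, not code from the advisory or the Asterisk project; the function name `ast_2021_002_status` is hypothetical, and the input is assumed to be a version string of the form printed by `asterisk -V` (for example "Asterisk 18.2.0" or "Asterisk certified/16.8-cert5").

```python
import re

# Ranges copied from the advisory tables: (introduced, first corrected release).
OPEN_SOURCE = {
    16: ((16, 15, 0), (16, 16, 1)),
    17: ((17, 9, 0), (17, 9, 2)),
    18: ((18, 1, 0), (18, 2, 1)),
}
CERTIFIED = {"16.8": (4, 6)}  # 16.8-cert4 introduced, 16.8-cert6 corrected

CERT_RE = re.compile(r"(\d+\.\d+)-cert(\d+)")
OSS_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(-rc\d+)?")


def ast_2021_002_status(version_text):
    """Classify a version string as 'affected', 'not affected' or 'unknown'."""
    cert = CERT_RE.search(version_text)
    if cert:
        branch, cert_no = cert.group(1), int(cert.group(2))
        if branch not in CERTIFIED:
            return "unknown"  # certified branch not listed in the advisory
        introduced, fixed = CERTIFIED[branch]
        return "affected" if introduced <= cert_no < fixed else "not affected"
    oss = OSS_RE.search(version_text)
    if not oss or oss.group(4):
        return "unknown"  # unparseable, or a pre-release the advisory does not list
    version = tuple(int(part) for part in oss.group(1, 2, 3))
    if version[0] not in OPEN_SOURCE:
        return "unknown"  # release series not listed in the advisory
    introduced, fixed = OPEN_SOURCE[version[0]]
    return "affected" if introduced <= version < fixed else "not affected"


if __name__ == "__main__":
    # Constructed sample inputs, not output captured from real hosts.
    samples = [
        "Asterisk 16.14.1",               # older than the release that introduced it
        "Asterisk 16.16.0",               # inside the affected range
        "Asterisk 18.2.1",                # corrected release
        "Asterisk certified/16.8-cert5",  # between cert4 and cert6
        "Asterisk 13.38.1",               # series the advisory does not list
    ]
    for sample in samples:
        print(f"{sample:32} {ast_2021_002_status(sample)}")
```

A result of "unknown" means the advisory's tables do not cover that release, not that the release has been cleared.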