Asterisk Project Security Advisory - AST-2021-009 Product Asterisk Summary pjproject/pjsip: crash when SSL socket destroyed during handshake Nature of Advisory Denial of service Susceptibility Remote unauthenticated sessions Severity Major Exploits Known Yes Reported On May 5, 2021 Reported By Andrew Yager Posted On Last Updated On July 6, 2021 Advisory Contact kharwell AT sangoma DOT com CVE Name CVE-2021-32686 Description Depending on the timing, it’s possible for Asterisk to crash when using a TLS connection if the underlying socket parent/listener gets destroyed during the handshake. Modules Affected bundled pjproject Resolution If you use “with-pjproject-bundled” then upgrade to, or install one of, the versions of Asterisk listed below. Otherwise install the appropriate version of pjproject that contains the patch. Affected Versions Product Release Series Asterisk Open Source 13.x All versions Asterisk Open Source 16.x All versions Asterisk Open Source 17.x All versions Asterisk Open Source 18.x All versions Certified Asterisk 16.x All versions Corrected In Product Release Asterisk Open Source 13.38.3, 16.19.1, 17.9.4, 18.5.1 Certified Asterisk 16.8-cert10 Patches Patch URL Revision https://downloads.digium.com/pub/security/AST-2021-009-13.diff Asterisk 13 https://downloads.digium.com/pub/security/AST-2021-009-16.diff Asterisk 16 https://downloads.digium.com/pub/security/AST-2021-009-17.diff Asterisk 17 https://downloads.digium.com/pub/security/AST-2021-009-18.diff Asterisk 18 https://downloads.digium.com/pub/security/AST-2021-009-16.8.diff Certified Asterisk 16.8 Links https://issues.asterisk.org/jira/browse/ASTERISK-29415 https://downloads.asterisk.org/pub/security/AST-2021-009.html https://github.com/pjsip/pjproject/security/advisories/GHSA-cv8x-p47p-99wr Asterisk Project Security Advisories are posted at http://www.asterisk.org/security This document may be superseded by later versions; if so, the latest version will be posted at https://downloads.digium.com/pub/security/AST-2021-009.pdf and https://downloads.digium.com/pub/security/AST-2021-009.html Revision History Date Editor Revisions Made June 14, 2021 Kevin Harwell Initial revision Asterisk Project Security Advisory - AST-2021-009 Copyright © 2021 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.