CVE-2019-18976

An issue was discovered in res_pjsip_t38.c in Sangoma Asterisk through 13.x and Certified Asterisk through 13.21-x. If it receives a re-invite initiating T.38 faxing and has a port of 0 and no c line in the SDP, a NULL pointer dereference and crash will occur. This is different from CVE-2019-18940.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 38%
VendorProductVersion
digiumasterisk
13.0.0 ≤
𝑥
≤ 13.29.1
digiumcertified_asterisk
13.21
digiumcertified_asterisk
13.21:cert1
digiumcertified_asterisk
13.21:cert2
digiumcertified_asterisk
13.21:cert3
digiumcertified_asterisk
13.21:cert4
debiandebian_linux
9.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
asterisk
bullseye
1:16.28.0~dfsg-0+deb11u4
fixed
jessie
not-affected
bullseye (security)
1:16.28.0~dfsg-0+deb11u5
fixed
sid
1:22.0.0~dfsg+~cs6.14.60671435-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
asterisk
noble
not-affected
mantic
not-affected
lunar
not-affected
kinetic
not-affected
jammy
not-affected
impish
not-affected
hirsute
not-affected
groovy
not-affected
focal
not-affected
eoan
not-affected
disco
not-affected
bionic
needs-triage
xenial
needs-triage
trusty
dne
Common Weakness Enumeration
References
http://downloads.asterisk.org/pub/security/AST-2019-008.html
https://lists.debian.org/debian-lts-announce/2022/04/msg00001.html
https://packetstormsecurity.com/files/155436/Asterisk-Project-Security-Advisory-AST-2019-008.html
https://seclists.org/fulldisclosure/2019/Nov/20
https://www.asterisk.org/downloads/security-advisories
https://www.cybersecurity-help.cz/vdb/SB2019112218?affChecked=1
http://downloads.asterisk.org/pub/security/AST-2019-008.html
https://lists.debian.org/debian-lts-announce/2022/04/msg00001.html
https://packetstormsecurity.com/files/155436/Asterisk-Project-Security-Advisory-AST-2019-008.html
https://seclists.org/fulldisclosure/2019/Nov/20
https://www.asterisk.org/downloads/security-advisories
https://www.cybersecurity-help.cz/vdb/SB2019112218?affChecked=1