Vulnerability Name:

CVE-2021-32558 (CCN-206252)

Assigned:2021-04-13
Published:2021-04-13
Updated:2021-11-28
Summary:An issue was discovered in Sangoma Asterisk 13.x before 13.38.3, 16.x before 16.19.1, 17.x before 17.9.4, and 18.x before 18.5.1, and Certified Asterisk before 16.8-cert10. If the IAX2 channel driver receives a packet that contains an unsupported media format, a crash can occur.
CVSS v3 Severity:7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): High
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): High
CVSS v2 Severity:5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): Complete
Vulnerability Type:CWE-74
Vulnerability Consequences:Denial of Service
References:Source: MITRE
Type: CNA
CVE-2021-32558

Source: MISC
Type: Patch, Third Party Advisory, VDB Entry
http://packetstormsecurity.com/files/163639/Asterisk-Project-Security-Advisory-AST-2021-008.html

Source: FULLDISC
Type: Mailing List, Patch, Third Party Advisory
20210722 AST-2021-008: Remote crash when using IAX2 channel driver

Source: MISC
Type: Patch, Vendor Advisory
https://downloads.asterisk.org/pub/security/AST-2021-008.html

Source: XF
Type: UNKNOWN
asterisk-iax2-cve202132558-dos(206252)

Source: CCN
Type: Asterisk Project Security Advisory - AST-2021-008
chan_iax2: Asterisk crashes when queueing video with format

Source: MISC
Type: Exploit, Issue Tracking, Patch, Vendor Advisory
https://issues.asterisk.org/jira/browse/ASTERISK-29392

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20210804 [SECURITY] [DLA 2729-1] asterisk security update

Source: DEBIAN
Type: Third Party Advisory
DSA-4999

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2021-32558

Vulnerable Configuration:Configuration 1:
  • cpe:/a:digium:asterisk:*:*:*:*:*:*:*:* (Version >= 13.0.0 and < 13.38.3)
  • OR cpe:/a:digium:asterisk:*:*:*:*:*:*:*:* (Version >= 16.0.0 and < 16.19.1)
  • OR cpe:/a:digium:asterisk:*:*:*:*:*:*:*:* (Version >= 17.0.0 and < 17.9.4)
  • OR cpe:/a:digium:asterisk:*:*:*:*:*:*:*:* (Version >= 18.0.0 and < 18.5.1)
  • OR cpe:/a:digium:certified_asterisk:16.8:-:*:*:*:*:*:*
  • OR cpe:/a:digium:certified_asterisk:16.8:cert1-rc1:*:*:*:*:*:*
  • OR cpe:/a:digium:certified_asterisk:16.8:cert1-rc2:*:*:*:*:*:*
  • OR cpe:/a:digium:certified_asterisk:16.8:cert1-rc3:*:*:*:*:*:*
  • OR cpe:/a:digium:certified_asterisk:16.8:cert1-rc4:*:*:*:*:*:*
  • OR cpe:/a:digium:certified_asterisk:16.8:cert2:*:*:*:*:*:*
  • OR cpe:/a:digium:certified_asterisk:16.8:cert3:*:*:*:*:*:*
  • OR cpe:/a:digium:certified_asterisk:16.8:cert4:*:*:*:*:*:*
  • OR cpe:/a:digium:certified_asterisk:16.8:cert4-rc1:*:*:*:*:*:*
  • OR cpe:/a:digium:certified_asterisk:16.8:cert4-rc2:*:*:*:*:*:*
  • OR cpe:/a:digium:certified_asterisk:16.8:cert4-rc3:*:*:*:*:*:*
  • OR cpe:/a:digium:certified_asterisk:16.8:cert4-rc4:*:*:*:*:*:*
  • OR cpe:/a:digium:certified_asterisk:16.8:cert5:*:*:*:*:*:*
  • OR cpe:/a:digium:certified_asterisk:16.8:cert6:*:*:*:*:*:*
  • OR cpe:/a:digium:certified_asterisk:16.8:cert7:*:*:*:*:*:*
  • OR cpe:/a:digium:certified_asterisk:16.8:cert8:*:*:*:*:*:*
  • OR cpe:/a:digium:certified_asterisk:16.8:cert9:*:*:*:*:*:*

Configuration 2:
  • cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:11.0:*:*:*:*:*:*:*
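The affected ranges above are the part of this record an operator actually has to act on, so here is a small version checker that encodes them. It is an added example, not Asterisk project code: the fixed versions (13.38.3, 16.19.1, 17.9.4, 18.5.1, Certified 16.8-cert10) are taken from the summary on this page, while the accepted input shape ("Asterisk 16.19.0", "Asterisk certified/16.8-cert9", as printed by `asterisk -V`) and the rule that an `-rcN` build sorts before its final release are assumptions. Branches the advisory does not list (e.g. 19.x) are reported as "not covered" rather than guessed at.

```python
"""Classify an Asterisk version against the CVE-2021-32558 (AST-2021-008) ranges.

Added example; not part of the Asterisk project.  Fixed versions come from
the advisory summary on this page.  Assumed: 'asterisk -V' output shapes and
that '-rcN' pre-releases sort before the corresponding final release.
"""
import re
import shutil
import subprocess
from typing import Optional, Tuple

# First non-vulnerable release per mainline branch (from the advisory summary).
FIXED_BY_BRANCH = {13: (13, 38, 3), 16: (16, 19, 1), 17: (17, 9, 4), 18: (18, 5, 1)}
# Certified Asterisk: only the 16.8 line is listed; fixed in 16.8-cert10.
CERTIFIED_BASE = (16, 8)
CERTIFIED_FIXED_CERT = 10
# Sentinel so that a final release sorts after any of its -rcN builds.
FINAL = 10 ** 9

_MAIN_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?$")
_CERT_RE = re.compile(r"^(?:certified/)?(\d+)\.(\d+)(?:-cert(\d+))?(?:-rc(\d+))?$")


def _rc_key(rc: Optional[str]) -> int:
    return int(rc) if rc else FINAL


def parse_asterisk_version(text: str) -> Tuple[str, Tuple[int, int, int, int]]:
    """Return ("main", (major, minor, patch, rc)) or ("certified", (major, minor, cert, rc)).

    Accepts the bare version or the 'Asterisk X' form that 'asterisk -V' prints
    (assumed format).  Raises ValueError on anything it cannot parse, e.g. a
    distro-patched string such as '16.19.0~dfsg-1'.
    """
    v = text.strip()
    if v.lower().startswith("asterisk"):
        v = v[len("asterisk"):].strip()
    if v.startswith("certified/") or "-cert" in v:
        m = _CERT_RE.match(v)
        if not m:
            raise ValueError(f"unrecognised Certified Asterisk version: {text!r}")
        major, minor, cert, rc = m.groups()
        return "certified", (int(major), int(minor), int(cert or 0), _rc_key(rc))
    m = _MAIN_RE.match(v)
    if not m:
        raise ValueError(f"unrecognised Asterisk version: {text!r}")
    major, minor, patch, rc = m.groups()
    return "main", (int(major), int(minor), int(patch or 0), _rc_key(rc))


def is_affected(text: str) -> Optional[bool]:
    """True if inside an affected range, False if at/after the fix,
    None if the advisory's ranges do not cover this branch at all."""
    kind, key = parse_asterisk_version(text)
    if kind == "certified":
        if key[:2] != CERTIFIED_BASE:
            return None
        return key < CERTIFIED_BASE + (CERTIFIED_FIXED_CERT, FINAL)
    fixed = FIXED_BY_BRANCH.get(key[0])
    if fixed is None:
        return None
    # An -rcN of the fixed version is treated conservatively as still affected.
    return key < fixed + (FINAL,)


def describe(text: str) -> str:
    state = is_affected(text)
    if state is None:
        return f"{text}: branch not covered by the AST-2021-008 ranges; check the advisory"
    return f"{text}: {'AFFECTED by CVE-2021-32558' if state else 'fixed (not in affected ranges)'}"


if __name__ == "__main__":
    if shutil.which("asterisk"):
        out = subprocess.run(["asterisk", "-V"], capture_output=True, text=True).stdout
        print(describe(out.strip()))
    else:
        # Constructed sample inputs, since no local Asterisk binary was found.
        for sample in ("Asterisk 18.5.0", "Asterisk 18.5.1", "Asterisk certified/16.8-cert9"):
            print(describe(sample))
```

Caveat for packaged builds: the Debian entries on this page (DLA 2729-1, DSA-4999) ship the fix as a backport without bumping the upstream version, so for a distro package the version string alone is not conclusive; consult the package changelog rather than this check. The parser deliberately refuses strings like `16.19.0~dfsg-1` instead of guessing.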
