Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   


Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker

Category:   Application (VoIP)  >   Asterisk Vendors:   Digium (Linux Support Services)
Asterisk SIP Request Processing Flaw With Invalid SDP Lets Remote Users Deny Service
SecurityTracker Alert ID:  1028957
SecurityTracker URL:
CVE Reference:   CVE-2013-5642   (Links to External Site)
Updated:  Sep 13 2013
Original Entry Date:  Aug 28 2013
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 1.8.x, 10.x, 11.x
Description:   A vulnerability was reported in Asterisk. A remote user can cause denial of service conditions.

A remote user can send a specially crafted SIP request with an invalid SDP to cause the target service to crash.

The vendor was notified on July 03, 2013.

Walter Doekes, OSSO B.V., reported this vulnerability.

Impact:   A remote user can cause the target service to crash.
Solution:   The vendor has issued a fix (, 10.12.3, 11.5.1; 1.8.15-cert3, 11.2-cert2).

The vendor's advisory is available at:

Vendor URL: (Links to External Site)
Cause:   State error
Underlying OS:   Linux (Any), UNIX (Any)

Message History:   None.

 Source Message Contents

Date:  Tue, 27 Aug 2013 19:26:17 -0500
Subject:  [Full-disclosure] AST-2013-005: Remote Crash when Invalid SDP is sent in SIP Request

               Asterisk Project Security Advisory - AST-2013-005

         Product        Asterisk                                              
         Summary        Remote Crash when Invalid SDP is sent in SIP Request  
    Nature of Advisory  Remote Crash                                          
      Susceptibility    Remote Unauthenticated Sessions                       
         Severity       Major                                                 
      Exploits Known    None                                                  
       Reported On      July 03, 2013                                         
       Reported By      Walter Doekes, OSSO B.V.                              
        Posted On       August 27, 2013                                       
     Last Updated On    August 27, 2013                                       
     Advisory Contact   Matthew Jordan <mjordan AT digium DOT com>            
         CVE Name       Pending                                               

    Description  A remotely exploitable crash vulnerability exists in the     
                 SIP channel driver if an invalid SDP is sent in a SIP        
                 request that defines media descriptions before connection    
                 information. The handling code incorrectly attempts to       
                 reference the socket address information even though that    
                 information has not yet been set.                            

    Resolution  This patch adds checks when handling the various media        
                descriptions that ensures the media descriptions are handled  
                only if we have connection information suitable for that      
                Thanks to Walter Doekes of OSSO B.V. for finding, reporting,  
                testing, and providing the fix for this problem.              

                               Affected Versions
                 Product                Release Series    
          Asterisk Open Source               1.8.x        All Versions        
          Asterisk Open Source               10.x         All Versions        
          Asterisk Open Source               11.x         All Versions        
           Certified Asterisk               1.8.15        All Versions        
           Certified Asterisk                11.2         All Versions        
       Asterisk with Digiumphones      10.x-digiumphones  All Versions        

                                  Corrected In
                  Product                              Release                
            Asterisk Open Source    , 10.12.3, 11.5.1       
             Certified Asterisk                1.8.15-cert3, 11.2-cert2       
         Asterisk with Digiumphones              10.12.3-digiumphones         

                                  SVN URL                                       Revision             Asterisk 1.8              Asterisk 10 Asterisk        
                                                                             10-digiumphones              Asterisk 11          Certified       
                                                                             Asterisk 1.8.15            Certified       
                                                                             Asterisk 11.2   


    Asterisk Project Security Advisories are posted at                                                             
    This document may be superseded by later versions; if so, the latest      
    version will be posted at                                             and                        

                                Revision History
          Date                 Editor                  Revisions Made         
    2013-08-27         Matt Jordan              Initial Revision              

               Asterisk Project Security Advisory - AST-2013-005
              Copyright (c) 2013 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -

Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

Copyright 2015, LLC