Attacker Value

Unknown

(0 users assessed)

Exploitability

Unknown

(0 users assessed)

User Interaction

CVE-2019-13161

Disclosure Date: July 12, 2019 •

CVE-2019-13161 CVSS v3 Base Score: 5.3

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

An issue was discovered in Asterisk Open Source through 13.27.0, 14.x and 15.x through 15.7.2, and 16.x through 16.4.0, and Certified Asterisk through 13.21-cert3. A pointer dereference in chan_sip while handling SDP negotiation allows an attacker to crash Asterisk when handling an SDP answer to an outgoing T.38 re-invite. To exploit this vulnerability an attacker must cause the chan_sip module to send a T.38 re-invite request to them. Upon receipt, the attacker must send an SDP answer containing both a T.38 UDPTL stream and another media stream containing only a codec (which is not permitted according to the chan_sip configuration).

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

5.3 Medium

Impact Score:

3.6

Exploitability Score:

1.6

Vector:

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector (AV):

Network

Attack Complexity (AC):

High

Privileges Required (PR):

Low

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

None

Integrity (I):

None

Availability (A):

High

Vendors

debian,
digium

Products

asterisk,
certified asterisk 1.8.0.0,
certified asterisk 1.8.1.0,
certified asterisk 1.8.10.0,
certified asterisk 1.8.11,
certified asterisk 1.8.11.0,
certified asterisk 1.8.12.0,
certified asterisk 1.8.13.0,
certified asterisk 1.8.14.0,
certified asterisk 1.8.15,
certified asterisk 1.8.2.0,
certified asterisk 1.8.28,
certified asterisk 1.8.28.0,
certified asterisk 1.8.3.0,
certified asterisk 1.8.4.0,
certified asterisk 1.8.5.0,
certified asterisk 1.8.6.0,
certified asterisk 1.8.7.0,
certified asterisk 1.8.8.0,
certified asterisk 1.8.9.0,
certified asterisk 11.0.0,
certified asterisk 11.1.0,
certified asterisk 11.2,
certified asterisk 11.3.0,
certified asterisk 11.4.0,
certified asterisk 11.5.0,
certified asterisk 11.6,
certified asterisk 11.6.0,
certified asterisk 13.1,
certified asterisk 13.1.0,
certified asterisk 13.13,
certified asterisk 13.13-cert2,
certified asterisk 13.18,
certified asterisk 13.21,
certified asterisk 13.8,
certified asterisk 13.8.0,
debian linux 8.0,
debian linux 9.0

References

Canonical

CVE-2019-13161 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13161)

Advisory

http://downloads.digium.com/pub/security/AST-2019-003.html

https://issues.asterisk.org/jira/browse/ASTERISK-28465

[debian-lts-announce] 20191130 [SECURITY] [DLA 2017-1] asterisk security update (https://lists.debian.org/debian-lts-announce/2019/11/msg00038.html)

[debian-lts-announce] 20220403 [SECURITY] [DLA 2969-1] asterisk security update (https://lists.debian.org/debian-lts-announce/2022/04/msg00001.html)

Rapid7

Unknown

CVE-2019-13161

Unknown

Unknown

None

Low

Network

CVE-2019-13161

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

References

Canonical

Advisory

Additional Info

Technical Analysis

Unknown

CVE-2019-13161

Unknown

Unknown

None

Low

Network

CVE-2019-13161

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

References

Canonical

Advisory

Additional Info

Technical Analysis

Quick Cookie Notification