What is the severity of CVE-2019-18790?

The severity of CVE-2019-18790 is medium (6.5).

Which software versions are affected by CVE-2019-18790?

The affected software versions are Digium Asterisk 13.x (before 13.29.2), 16.x (before 16.6.2), 17.x (before 17.0.1), and Digium Certified Asterisk 13.21 (before cert5).

What is the vulnerability description of CVE-2019-18790?

CVE-2019-18790 is a vulnerability in Sangoma Asterisk that allows an attacker to change a SIP peer's IP address via a SIP request without the need for a REGISTER.

Are there any references available for CVE-2019-18790?

Yes, you can find the references for CVE-2019-18790 at the following links: [link1], [link2], [link3].

How can I fix CVE-2019-18790?

To fix CVE-2019-18790, update to Sangoma Asterisk version 13.29.2, 16.6.2, 17.0.1, or Certified Asterisk 13.21 cert5.

Vulnerability/
CVE-2019-18790

medium

6.5

CWE

862

22/11/2019

5/8/2024

CVE-2019-18790

First published: Fri Nov 22 2019(Updated: )

An issue was discovered in channels/chan_sip.c in Sangoma Asterisk 13.x before 13.29.2, 16.x before 16.6.2, and 17.x before 17.0.1, and Certified Asterisk 13.21 before cert5. A SIP request can be sent to Asterisk that can change a SIP peer's IP address. A REGISTER does not need to occur, and calls can be hijacked as a result. The only thing that needs to be known is the peer's name; authentication details such as passwords do not need to be known. This vulnerability is only exploitable when the nat option is set to the default, or auto_force_rport.

Credit: cve@mitre.org

Affected Software	Affected Version	How to fix
Digium Asterisk	>=13.0.0<13.29.2
Digium Asterisk	>=16.0.0<16.6.2
Digium Asterisk	>=17.0.0<17.0.1
Digium Certified Asterisk	=13.21.0
Digium Certified Asterisk	=13.21.0-cert1
Digium Certified Asterisk	=13.21.0-cert2
Digium Certified Asterisk	=13.21.0-cert3
Digium Certified Asterisk	=13.21.0-cert4
Digium Certified Asterisk	=13.21.0-rc1
Debian Debian Linux	=8.0
Debian Debian Linux	=9.0

Remedy

http://downloads.asterisk.org/pub/security/AST-2019-006.html

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2019-18790?
The severity of CVE-2019-18790 is medium (6.5).
Which software versions are affected by CVE-2019-18790?
The affected software versions are Digium Asterisk 13.x (before 13.29.2), 16.x (before 16.6.2), 17.x (before 17.0.1), and Digium Certified Asterisk 13.21 (before cert5).
What is the vulnerability description of CVE-2019-18790?
CVE-2019-18790 is a vulnerability in Sangoma Asterisk that allows an attacker to change a SIP peer's IP address via a SIP request without the need for a REGISTER.
Are there any references available for CVE-2019-18790?
Yes, you can find the references for CVE-2019-18790 at the following links: [link1], [link2], [link3].
How can I fix CVE-2019-18790?
To fix CVE-2019-18790, update to Sangoma Asterisk version 13.29.2, 16.6.2, 17.0.1, or Certified Asterisk 13.21 cert5.

collector/nvd-index
agent/severity
agent/references
agent/weakness
agent/author
agent/type
agent/event
agent/description
agent/remedy
agent/last-modified-date
agent/softwarecombine
agent/first-publish-date
agent/tags
collector/mitre-cve
source/MITRE
vendor/digium
canonical/digium asterisk
version/digium asterisk/13.0.0
version/digium asterisk/16.0.0
version/digium asterisk/17.0.0
canonical/digium certified asterisk
version/digium certified asterisk/13.21.0
version/digium certified asterisk/13.21.0-cert1
version/digium certified asterisk/13.21.0-cert2
version/digium certified asterisk/13.21.0-cert3
version/digium certified asterisk/13.21.0-cert4
version/digium certified asterisk/13.21.0-rc1
vendor/debian
canonical/debian debian linux
version/debian debian linux/8.0
version/debian debian linux/9.0