CVE-2021-32558
First published: Tue Jul 27 2021(Updated: )
An issue was discovered in Sangoma Asterisk 13.x before 13.38.3, 16.x before 16.19.1, 17.x before 17.9.4, and 18.x before 18.5.1, and Certified Asterisk before 16.8-cert10. If the IAX2 channel driver receives a packet that contains an unsupported media format, a crash can occur.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/asterisk | <=1:16.2.1~dfsg-1+deb10u2 | 1:16.28.0~dfsg-0+deb10u3 1:16.28.0~dfsg-0+deb11u3 1:20.4.0~dfsg+~cs6.13.40431414-2 |
| Asterisk | >=13.0.0<13.38.3 | |
| Asterisk | >=16.0.0<16.19.1 | |
| Asterisk | >=17.0.0<17.9.4 | |
| Asterisk | >=18.0.0<18.15.1 | |
| Digium Asterisk Appliance Developer Kit | =16.8 | |
| Digium Asterisk Appliance Developer Kit | =16.8-cert1-rc1 | |
| Digium Asterisk Appliance Developer Kit | =16.8-cert1-rc2 | |
| Digium Asterisk Appliance Developer Kit | =16.8-cert1-rc3 | |
| Digium Asterisk Appliance Developer Kit | =16.8-cert1-rc4 | |
| Digium Asterisk Appliance Developer Kit | =16.8-cert2 | |
| Digium Asterisk Appliance Developer Kit | =16.8-cert3 | |
| Digium Asterisk Appliance Developer Kit | =16.8-cert4 | |
| Digium Asterisk Appliance Developer Kit | =16.8-cert4-rc1 | |
| Digium Asterisk Appliance Developer Kit | =16.8-cert4-rc2 | |
| Digium Asterisk Appliance Developer Kit | =16.8-cert4-rc3 | |
| Digium Asterisk Appliance Developer Kit | =16.8-cert4-rc4 | |
| Digium Asterisk Appliance Developer Kit | =16.8-cert5 | |
| Digium Asterisk Appliance Developer Kit | =16.8-cert6 | |
| Digium Asterisk Appliance Developer Kit | =16.8-cert7 | |
| Digium Asterisk Appliance Developer Kit | =16.8-cert8 | |
| Digium Asterisk Appliance Developer Kit | =16.8-cert9 | |
| Debian | =9.0 | |
| Debian | =11.0 |
Remedy
http://packetstormsecurity.com/files/163639/Asterisk-Project-Security-Advisory-AST-2021-008.html
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://issues.asterisk.org/jira/browse/ASTERISK-29392
- https://security-tracker.debian.org/tracker/CVE-2021-32558
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32558
- https://downloads.asterisk.org/pub/security/AST-2021-008.html
- https://security-tracker.debian.org/tracker/CVE-2021-32686
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991710
- http://packetstormsecurity.com/files/163639/Asterisk-Project-Security-Advisory-AST-2021-008.html
- http://seclists.org/fulldisclosure/2021/Jul/49
- https://lists.debian.org/debian-lts-announce/2021/08/msg00005.html
- https://www.debian.org/security/2021/dsa-4999
Frequently Asked Questions
What is the severity of CVE-2021-32558?
The severity of CVE-2021-32558 is high with a severity value of 7.5.
What is the affected software for CVE-2021-32558?
The affected software for CVE-2021-32558 includes Sangoma Asterisk versions 13.x, 16.x, 17.x, and 18.x, as well as Certified Asterisk.
How can CVE-2021-32558 be exploited?
CVE-2021-32558 can be exploited if the IAX2 channel driver in Sangoma Asterisk receives a packet that contains an unsupported media format.
Is there a fix available for CVE-2021-32558?
Yes, the fix for CVE-2021-32558 is available in Sangoma Asterisk versions 13.38.3, 16.19.1, 17.9.4, 18.5.1, and Certified Asterisk version 16.8-cert10.
Where can I find more information about CVE-2021-32558?
You can find more information about CVE-2021-32558 at the following references: [1] https://issues.asterisk.org/jira/browse/ASTERISK-29392, [2] https://security-tracker.debian.org/tracker/CVE-2021-32558, [3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32558
- collector/debian-bugs
- alias/CVE-2021-32558
- collector/security-tracker-debian
- agent/references
- agent/type
- agent/remedy
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/weakness
- agent/author
- agent/last-modified-date
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/debian
- vendor/digium
- canonical/asterisk
- version/asterisk/13.0.0
- version/asterisk/16.0.0
- version/asterisk/17.0.0
- version/asterisk/18.0.0
- canonical/digium asterisk appliance developer kit
- version/digium asterisk appliance developer kit/16.8
- version/digium asterisk appliance developer kit/16.8-cert1-rc1
- version/digium asterisk appliance developer kit/16.8-cert1-rc2
- version/digium asterisk appliance developer kit/16.8-cert1-rc3
- version/digium asterisk appliance developer kit/16.8-cert1-rc4
- version/digium asterisk appliance developer kit/16.8-cert2
- version/digium asterisk appliance developer kit/16.8-cert3
- version/digium asterisk appliance developer kit/16.8-cert4
- version/digium asterisk appliance developer kit/16.8-cert4-rc1
- version/digium asterisk appliance developer kit/16.8-cert4-rc2
- version/digium asterisk appliance developer kit/16.8-cert4-rc3
- version/digium asterisk appliance developer kit/16.8-cert4-rc4
- version/digium asterisk appliance developer kit/16.8-cert5
- version/digium asterisk appliance developer kit/16.8-cert6
- version/digium asterisk appliance developer kit/16.8-cert7
- version/digium asterisk appliance developer kit/16.8-cert8
- version/digium asterisk appliance developer kit/16.8-cert9
- vendor/debian
- canonical/debian
- version/debian/9.0
- version/debian/11.0