CVE-2016-9938

CVSS V2 Medium 5 CVSS V3 Medium 5.3
Description
An issue was discovered in Asterisk Open Source 11.x before 11.25.1, 13.x before 13.13.1, and 14.x before 14.2.1 and Certified Asterisk 11.x before 11.6-cert16 and 13.x before 13.8-cert4. The chan_sip channel driver has a liberal definition for whitespace when attempting to strip the content between a SIP header name and a colon character. Rather than following RFC 3261 and stripping only spaces and horizontal tabs, Asterisk treats any non-printable ASCII character as if it were whitespace. This means that headers such as Contact\x01: will be seen as a valid Contact header. This mostly does not pose a problem until Asterisk is placed in tandem with an authenticating SIP proxy. In such a case, a crafty combination of valid and invalid To headers can cause a proxy to allow an INVITE request into Asterisk without authentication since it believes the request is an in-dialog request. However, because of the bug described above, the request will look like an out-of-dialog request to Asterisk. Asterisk will then process the request as a new call. The result is that Asterisk can process calls from unvetted sources without any authentication. If you do not use a proxy for authentication, then this issue does not affect you. If your proxy is dialog-aware (meaning that the proxy keeps track of what dialogs are currently valid), then this issue does not affect you. If you use chan_pjsip instead of chan_sip, then this issue does not affect you.
Overview
  • CVE ID
  • CVE-2016-9938
  • Assigner
  • cve@mitre.org
  • Vulnerability Status
  • Modified
  • Published Version
  • 2016-12-12T21:59:01
  • Last Modified Date
  • 2017-07-27T01:29:07
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
cpe:2.3:a:digium:asterisk:11.0.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:11.0.0:beta1:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:11.0.0:beta2:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:11.0.0:rc1:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:11.0.0:rc2:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:11.0.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:11.0.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:11.1.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:11.1.0:rc1:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:11.1.0:rc3:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:11.1.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:11.1.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:11.2.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:11.2.0:rc1:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:11.2.0:rc2:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:11.2.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:11.2.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:11.3.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:11.4.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:11.5.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:11.5.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:11.6.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:11.6.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:11.7.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:11.8.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:11.8.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:11.9.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:11.10.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:11.10.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:11.10.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:11.11.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:11.12.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:11.12.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:11.13.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:11.13.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:11.14.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:11.14.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:11.14.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:11.15.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:11.15.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:11.16.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:11.17.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:11.17.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:11.18.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:11.19.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:11.20.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:11.21.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:11.21.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:11.21.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:11.22.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:11.22.0:rc1:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:11.23.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:11.23.0:rc1:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:11.23.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:11.24.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:11.24.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:11.25.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:13.0.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:13.0.0:beta1:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:13.0.0:beta2:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:13.0.0:beta3:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:13.0.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:13.0.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:13.1.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:13.1.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:13.2.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:13.2.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:13.3.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:13.3.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:13.3.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:13.4.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:13.5.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:13.6.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:13.7.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:13.7.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:13.7.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:13.8.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:13.8.0:rc1:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:13.8.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:13.8.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:13.9.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:13.9.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:13.10.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:13.10.0:rc1:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:13.11.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:13.11.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:13.11.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:13.12.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:13.12.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:13.12.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:13.13.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:14.0.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:14.0.0:beta1:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:14.0.0:beta2:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:14.0.0:rc1:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:14.0.0:rc2:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:14.0.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:14.0.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:14.1.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:14.1.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:14.1.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:asterisk:14.2.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:certified_asterisk:11.0.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:certified_asterisk:11.0.0:rc1:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:certified_asterisk:11.0.0:rc2:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:certified_asterisk:11.1.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:certified_asterisk:11.1.0:rc1:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:certified_asterisk:11.1.0:rc2:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:certified_asterisk:11.1.0:rc3:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:certified_asterisk:11.2.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:certified_asterisk:11.2.0:rc1:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:certified_asterisk:11.2.0:rc2:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:certified_asterisk:11.3.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:certified_asterisk:11.3.0:rc1:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:certified_asterisk:11.3.0:rc2:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:certified_asterisk:11.4.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:certified_asterisk:11.4.0:rc1:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:certified_asterisk:11.4.0:rc2:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:certified_asterisk:11.4.0:rc3:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:certified_asterisk:11.5.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:certified_asterisk:11.5.0:rc1:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:certified_asterisk:11.5.0:rc2:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:certified_asterisk:11.6:cert1:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:certified_asterisk:11.6:cert1:*:*:lts:*:*:* 1 OR
cpe:2.3:a:digium:certified_asterisk:11.6:cert1_rc1:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:certified_asterisk:11.6:cert1_rc2:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:certified_asterisk:11.6:cert10:*:*:lts:*:*:* 1 OR
cpe:2.3:a:digium:certified_asterisk:11.6:cert11:*:*:lts:*:*:* 1 OR
cpe:2.3:a:digium:certified_asterisk:11.6:cert12:*:*:lts:*:*:* 1 OR
cpe:2.3:a:digium:certified_asterisk:11.6:cert13:*:*:lts:*:*:* 1 OR
cpe:2.3:a:digium:certified_asterisk:11.6:cert14:*:*:lts:*:*:* 1 OR
cpe:2.3:a:digium:certified_asterisk:11.6:cert15:*:*:lts:*:*:* 1 OR
cpe:2.3:a:digium:certified_asterisk:11.6:cert2:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:certified_asterisk:11.6:cert2:*:*:lts:*:*:* 1 OR
cpe:2.3:a:digium:certified_asterisk:11.6:cert3:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:certified_asterisk:11.6:cert3:*:*:lts:*:*:* 1 OR
cpe:2.3:a:digium:certified_asterisk:11.6:cert4:*:*:lts:*:*:* 1 OR
cpe:2.3:a:digium:certified_asterisk:11.6:cert5:*:*:lts:*:*:* 1 OR
cpe:2.3:a:digium:certified_asterisk:11.6:cert6:*:*:lts:*:*:* 1 OR
cpe:2.3:a:digium:certified_asterisk:11.6:cert7:*:*:lts:*:*:* 1 OR
cpe:2.3:a:digium:certified_asterisk:11.6:cert8:*:*:lts:*:*:* 1 OR
cpe:2.3:a:digium:certified_asterisk:11.6:cert9:*:*:lts:*:*:* 1 OR
cpe:2.3:a:digium:certified_asterisk:11.6.0:*:*:*:lts:*:*:* 1 OR
cpe:2.3:a:digium:certified_asterisk:11.6.0:-:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:certified_asterisk:11.6.0:rc1:*:*:*:*:*:* 1 OR
cpe:2.3:a:digium:certified_asterisk:11.6.0:rc2:*:*:*:*:*:* 1 OR
CVSS Version 2
  • Version
  • 2.0
  • Vector String
  • AV:N/AC:L/Au:N/C:N/I:P/A:N
  • Access Vector
  • NETWORK
  • Access Compatibility
  • LOW
  • Authentication
  • NONE
  • Confidentiality Impact
  • NONE
  • Integrity Impact
  • PARTIAL
  • Availability Impact
  • NONE
  • Base Score
  • 5
  • Severity
  • MEDIUM
  • Exploitability Score
  • 10
  • Impact Score
  • 2.9
CVSS Version 3
  • Version
  • 3.0
  • Vector String
  • CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  • Attack Vector
  • NETWORK
  • Attack Compatibility
  • LOW
  • Privileges Required
  • NONE
  • User Interaction
  • NONE
  • Scope
  • UNCHANGED
  • Confidentiality Impact
  • NONE
  • Availability Impact
  • NONE
  • Base Score
  • 5.3
  • Base Severity
  • MEDIUM
  • Exploitability Score
  • 3.9
  • Impact Score
  • 1.4
References
History
Created Old Value New Value Data Type Notes
2022-05-10 09:17:49 Added to TrackCVE
2022-12-02 12:22:51 2016-12-12T21:59Z 2016-12-12T21:59:01 CVE Published Date updated
2022-12-02 12:22:51 2017-07-27T01:29:07 CVE Modified Date updated
2022-12-02 12:22:51 Modified Vulnerability Status updated