Asterisk Project Security Advisory - AST-2016-004 Product Asterisk Summary Long Contact URIs in REGISTER requests can crash Asterisk Nature of Advisory Remote Crash Susceptibility Remote Authenticated Sessions Severity Major Exploits Known No Reported On January 19, 2016 Reported By George Joseph Posted On Last Updated On February 10, 2016 Advisory Contact Mark Michelson <mmichelson AT digium DOT com> CVE Name Description Asterisk may crash when processing an incoming REGISTER request if that REGISTER contains a Contact header with a lengthy URI. This crash will only happen for requests that pass authentication. Unauthenticated REGISTER requests will not result in a crash occurring. This vulnerability only affects Asterisk when using PJSIP as its SIP stack. The chan_sip module does not have this problem. Resolution Measures have been put in place to ensure that REGISTER requests with long Contact URIs are rejected instead of causing a crash. Affected Versions Product Release Series Asterisk Open Source 11.x Unaffected Asterisk Open Source 13.x All versions Certified Asterisk 11.6 Unaffected Certified Asterisk 13.1 All versions Corrected In Product Release Asterisk Open Source 13.8.1 Certified Asterisk 13.1-cert5 Patches SVN URL Revision Links Asterisk Project Security Advisories are posted at http://www.asterisk.org/security This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2016-004.pdf and http://downloads.digium.com/pub/security/AST-2016-004.html Revision History Date Editor Revisions Made February 10, 2016 Mark Michelson Initial creation Asterisk Project Security Advisory - AST-2016-004 Copyright (c) 2016 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.