CVE-2019-18976
📋 TL;DR
A NULL pointer dereference in Asterisk's PJSIP T.38 fax handling (the res_pjsip_t38 module) crashes Asterisk when it receives a SIP re-INVITE whose SDP offers a T.38 stream with port 0 ('m=image 0 udptl t38') but carries no 'c=' (connection) line. The vendor tracks it as AST-2019-008. It affects Asterisk 13.x, 16.x and 17.x and Certified Asterisk 13.21-x prior to the fixed releases listed below. Deployments using the PJSIP channel driver with T.38 enabled on an endpoint (the pjsip.conf 't38_udptl' option) are exposed to a remote denial of service.
💻 Affected Systems
- Sangoma Asterisk
- Certified Asterisk
📦 What is this software?
Asterisk is an open-source PBX and telephony engine originally developed by Digium and now maintained by Sangoma (which acquired Digium in 2018). Its current SIP stack is the PJSIP channel driver (chan_pjsip); the affected code is the res_pjsip_t38 module, which negotiates T.38 fax-over-IP (UDPTL) streams in SDP offers and answers.
⚠️ Risk & Real-World Impact
Worst Case
A party to a call can crash the PBX at will with a single re-INVITE and repeat it after every restart. Every in-progress call is dropped on each crash, and without an automatic restart mechanism (safe_asterisk or a systemd Restart= policy) the outage persists until an operator intervenes.
Likely Case
Intermittent denial of service: dropped calls and a short outage each time a crafted re-INVITE arrives. Because a re-INVITE is only processed inside an established dialog, the sender must first be a party to a call with the PBX (a registered extension, a trunk peer, or an anonymous inbound caller where those are accepted), which narrows the attacker population compared with a pre-authentication bug.
If Mitigated
Negligible: with T.38 disabled on endpoints that do not need it, and SIP exposure limited to trusted peers, the crash condition cannot be reached.
🎯 Exploit Status
The trigger is a single crafted SIP re-INVITE inside an established call whose SDP contains a T.38 media line with port 0 ('m=image 0 udptl t38') and no 'c=' connection line. The bug is a NULL pointer dereference, so the practical outcome is a crash (denial of service) rather than code execution. The references below are the vendor advisory and redistributions of it; they do not include a public exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: per AST-2019-008, Asterisk 13.29.2, 16.6.2, 17.0.1 or later; Certified Asterisk 13.21-cert5 or later. (Later branches such as 18.x were cut after the fix and already contain it.)
Vendor Advisory: http://downloads.asterisk.org/pub/security/AST-2019-008.html
Restart Required: Yes (the fix is in a loaded module, so a running instance keeps the old code until restarted)
Instructions:
1. Download the fixed release from the Asterisk downloads site, or the patched package from your distribution (Debian shipped a backport; see the LTS announcement in the references).
2. Drain traffic if possible: 'asterisk -rx "core restart gracefully"' waits for calls to end, whereas 'core restart now' drops active calls.
3. Stop the Asterisk service.
4. Install the update.
5. Start the Asterisk service.
6. Verify the version with 'asterisk -V'. Note that distribution backports keep the upstream version string, so on a packaged install compare the package version against the distribution's advisory rather than against the upstream release numbers.
🔧 Temporary Workarounds
Disable T.38 fax support
Disable T.38 in the PJSIP configuration on every endpoint that does not need it: set 't38_udptl=no' (the default) in each [endpoint] section of pjsip.conf, or remove the option. If no endpoint needs T.38 at all, prevent the vulnerable module from loading with 'noload => res_pjsip_t38.so' in modules.conf.
Apply the change with 'asterisk -rx "pjsip reload"' for endpoint options, or restart Asterisk ('asterisk -rx "core restart now"'), which is also required for the modules.conf change.
Network filtering
Drop SIP re-INVITEs that carry the crash condition (a 'm=image 0' line with no 'c=' line anywhere in the SDP) at the perimeter or on a SIP-aware IPS.
Caveats: a T.38 line with port 0 is also the legitimate way to reject or tear down a fax stream (RFC 3264), so matching on 'm=image 0' alone will break normal fax fallback; match the missing 'c=' line as well. Inspection only works for cleartext SIP; SIP over TLS cannot be filtered this way, and it does not protect against a trusted trunk peer.
🧯 If You Can't Patch
- Restrict SIP reachability: only registered endpoints and known trunk peers should be able to establish calls with the PBX, since a re-INVITE can only be sent inside an established dialog. Disable anonymous inbound calls where they are not needed.
- Deploy a SIP-aware IPS rule for re-INVITEs containing 'm=image 0' with no 'c=' line, and put an automatic restart in place (safe_asterisk or a systemd Restart= policy) to shorten the outage if a crash does occur.
🔍 How to Verify
Check if Vulnerable:
Run 'asterisk -V' and compare with the fixed releases (13.29.2, 16.6.2, 17.0.1, Certified 13.21-cert5). Then confirm whether the vulnerable code path is reachable: 'asterisk -rx "module show like t38"' shows whether res_pjsip_t38 is loaded, and 'asterisk -rx "pjsip show endpoint <name>"' shows the 't38_udptl' setting for a given endpoint. An instance that is not running res_pjsip_t38, or has 't38_udptl=no' on every endpoint, is not exposed even if the version is old.
Check Version:
asterisk -V
Verify Fix Applied:
'asterisk -V' should report 13.29.2, 16.6.2, 17.0.1 or later, or Certified Asterisk 13.21-cert5 or later. For a distribution package, check that the installed package version is at or above the one named in the distribution's security advisory, since backports do not bump the upstream version string.
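The branch-aware comparison described above, as an added example that is not part of the advisory or of the Asterisk project. It parses the two output shapes 'asterisk -V' produces (an assumption of this example: 'Asterisk 16.6.1' for regular releases and 'Asterisk certified/13.21-cert3' for Certified Asterisk) and compares them against the fixed releases named in AST-2019-008, per branch, because a 13.x release number cannot be compared numerically against a 16.x one.

```python
"""Decide whether an 'asterisk -V' string is at or past the AST-2019-008 fix.

Added example, not code from the Asterisk project. Fixed releases per the
advisory: 13.29.2, 16.6.2, 17.0.1 and Certified Asterisk 13.21-cert5.
The output formats handled ('Asterisk 16.6.1', 'Asterisk certified/13.21-cert3')
are what this example assumes 'asterisk -V' prints.
"""
import re
import subprocess

# Fixed release per upstream branch, keyed by major version.
FIXED = {13: (13, 29, 2), 16: (16, 6, 2), 17: (17, 0, 1)}
# Fixed "-certN" number per Certified Asterisk base version.
FIXED_CERT = {"13.21": 5}


def parse_version(output: str):
    """Return ('cert', base, n) for Certified builds, ('std', (major, minor, patch))
    for regular releases, or None for anything else (e.g. a git build string)."""
    s = output.strip()
    m = re.match(r"Asterisk certified/(\d+\.\d+)-cert(\d+)", s)
    if m:
        return ("cert", m.group(1), int(m.group(2)))
    m = re.match(r"Asterisk (\d+)\.(\d+)(?:\.(\d+))?", s)
    if m:
        return ("std", (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)))
    return None


def is_fixed(output: str):
    """True if the release contains the AST-2019-008 fix, False if it predates it,
    None if the string is not a release the advisory covers (unparseable, a
    pre-13 or unknown certified branch)."""
    v = parse_version(output)
    if v is None:
        return None
    if v[0] == "cert":
        _, base, n = v
        if base not in FIXED_CERT:
            return None
        return n >= FIXED_CERT[base]
    _, triple = v
    major = triple[0]
    if major in FIXED:
        return triple >= FIXED[major]
    if major > 17:
        # Branches cut after November 2019 (18.x and later) already carry the fix.
        return True
    return None  # 12.x and earlier are not in the advisory's scope


if __name__ == "__main__":
    # Stand-alone use on a host: run the real command and report.
    try:
        out = subprocess.run(["asterisk", "-V"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError) as exc:
        raise SystemExit(f"could not run 'asterisk -V': {exc}")
    verdict = {True: "fixed", False: "VULNERABLE", None: "not covered by AST-2019-008"}
    print(out.strip(), "->", verdict[is_fixed(out)])
```

Run it on the PBX itself; a 'fixed' verdict still only covers the upstream version string, so on a distribution package treat 'VULNERABLE' as "check the distribution advisory" rather than as a final answer.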
📡 Detection & Monitoring
Log Indicators:
- A crash does not show up in Asterisk's own log. Look in the system log or journal for the process dying on SIGSEGV (with systemd, a line of the form 'asterisk.service: Main process exited, code=killed, status=11/SEGV') and for the subsequent restart by safe_asterisk or systemd.
- SIP messages only appear in the Asterisk log when the PJSIP logger is enabled ('asterisk -rx "pjsip set logger on"'); with it on, the trigger appears as an INVITE with a To tag (a re-INVITE) whose SDP contains 'm=image 0' and no 'c=' line.
- Repeated crashes shortly after a re-INVITE from the same source or Call-ID.
Network Indicators:
- SIP INVITE packets within an established dialog (To header carrying a tag) whose SDP contains 'm=image 0' and no 'c=' line. 'm=image 0' on its own is also normal fax-rejection traffic, so use the missing 'c=' line to reduce false positives.
- Bursts of re-INVITEs to T.38-enabled endpoints from a single source, or immediately preceding each crash.
SIEM Query:
(source="asterisk.log" AND "m=image 0") OR (source="syslog" AND "asterisk" AND ("segmentation fault" OR "SEGV"))
The first clause only matches when the PJSIP logger is on; the second relies on the operating system log, since Asterisk cannot write its own crash record. Adjust source names to your collector.
🔗 References
- http://downloads.asterisk.org/pub/security/AST-2019-008.html
- https://lists.debian.org/debian-lts-announce/2022/04/msg00001.html
- https://packetstormsecurity.com/files/155436/Asterisk-Project-Security-Advisory-AST-2019-008.html
- https://seclists.org/fulldisclosure/2019/Nov/20
- https://www.asterisk.org/downloads/security-advisories
- https://www.cybersecurity-help.cz/vdb/SB2019112218?affChecked=1