{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2016-12-12T00:00:00", "descriptions": [{"lang": "en", "value": "An issue was discovered in Asterisk Open Source 11.x before 11.25.1, 13.x before 13.13.1, and 14.x before 14.2.1 and Certified Asterisk 11.x before 11.6-cert16 and 13.x before 13.8-cert4. The chan_sip channel driver has a liberal definition for whitespace when attempting to strip the content between a SIP header name and a colon character. Rather than following RFC 3261 and stripping only spaces and horizontal tabs, Asterisk treats any non-printable ASCII character as if it were whitespace. This means that headers such as Contact\\x01: will be seen as a valid Contact header. This mostly does not pose a problem until Asterisk is placed in tandem with an authenticating SIP proxy. In such a case, a crafty combination of valid and invalid To headers can cause a proxy to allow an INVITE request into Asterisk without authentication since it believes the request is an in-dialog request. However, because of the bug described above, the request will look like an out-of-dialog request to Asterisk. Asterisk will then process the request as a new call. The result is that Asterisk can process calls from unvetted sources without any authentication. If you do not use a proxy for authentication, then this issue does not affect you. If your proxy is dialog-aware (meaning that the proxy keeps track of what dialogs are currently valid), then this issue does not affect you. If you use chan_pjsip instead of chan_sip, then this issue does not affect you."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-07-26T09:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "http://downloads.asterisk.org/pub/security/AST-2016-009.html"}, {"name": "94789", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/94789"}, {"name": "1037408", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1037408"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2016-9938", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in Asterisk Open Source 11.x before 11.25.1, 13.x before 13.13.1, and 14.x before 14.2.1 and Certified Asterisk 11.x before 11.6-cert16 and 13.x before 13.8-cert4. The chan_sip channel driver has a liberal definition for whitespace when attempting to strip the content between a SIP header name and a colon character. Rather than following RFC 3261 and stripping only spaces and horizontal tabs, Asterisk treats any non-printable ASCII character as if it were whitespace. This means that headers such as Contact\\x01: will be seen as a valid Contact header. This mostly does not pose a problem until Asterisk is placed in tandem with an authenticating SIP proxy. In such a case, a crafty combination of valid and invalid To headers can cause a proxy to allow an INVITE request into Asterisk without authentication since it believes the request is an in-dialog request. However, because of the bug described above, the request will look like an out-of-dialog request to Asterisk. Asterisk will then process the request as a new call. The result is that Asterisk can process calls from unvetted sources without any authentication. If you do not use a proxy for authentication, then this issue does not affect you. If your proxy is dialog-aware (meaning that the proxy keeps track of what dialogs are currently valid), then this issue does not affect you. If you use chan_pjsip instead of chan_sip, then this issue does not affect you."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://downloads.asterisk.org/pub/security/AST-2016-009.html", "refsource": "CONFIRM", "url": "http://downloads.asterisk.org/pub/security/AST-2016-009.html"}, {"name": "94789", "refsource": "BID", "url": "http://www.securityfocus.com/bid/94789"}, {"name": "1037408", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1037408"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T03:07:31.471Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://downloads.asterisk.org/pub/security/AST-2016-009.html"}, {"name": "94789", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/94789"}, {"name": "1037408", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1037408"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2016-9938", "datePublished": "2016-12-12T21:00:00", "dateReserved": "2016-12-12T00:00:00", "dateUpdated": "2024-08-06T03:07:31.471Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:digium:asterisk:11.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "F53B8453-F35A-49BE-8129-774BADF71BA7", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:11.0.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "CCB0C07E-DA2F-4169-848D-C3315CDC1CB3", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:11.0.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "410C43E6-5912-4C22-A592-7CF94402EEB7", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:11.0.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "D50A355E-1B55-4DD2-8100-EB81AA6FC40E", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:11.0.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "9ADF4230-EFEB-45EC-9C96-0262B4A3E459", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:11.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "5234531C-F69A-4B94-A480-147734206C5A", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:11.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "321C1066-6800-4488-A7C4-BE91FF738453", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:11.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "A9B51588-50A2-40B2-A007-06F57D38C7AA", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:11.1.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "CDE2B00C-6AC0-4166-8A25-EFC42CE7F737", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:11.1.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "617FC4AF-D152-4EE1-828D-C2A6AD0DFD3B", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:11.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "3A3FE6DC-17FD-4CEE-BDFB-9D4685640381", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:11.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "8CEEB6C2-0A6D-4434-8446-CB8605CD3B14", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:11.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "F31715AF-5A35-4D0B-8E01-BB6E4CB7E02F", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:11.2.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "1548C574-CD51-49F6-91B1-B06C504000E4", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:11.2.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "D56C2C11-4B42-43AB-9DAE-61C15D107160", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:11.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "7BE4127D-8123-4408-86D3-08168A4501B9", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:11.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "8836F348-66DF-43BC-9962-946018D13127", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:11.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "12745DB9-F19D-4507-A9FE-218B7BB29DB3", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:11.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "C689A32B-E87D-492F-B3F6-7B80DFA049C8", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:11.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "229B7982-9775-42AA-B8F5-FE920CCAA497", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:11.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "8788AF7B-CBB6-4D9D-A748-486787935A96", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:11.6.0:*:*:*:*:*:*:*", "matchCriteriaId": "868865A1-E074-4DB0-A119-D24C5C53FEF9", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:11.6.1:*:*:*:*:*:*:*", "matchCriteriaId": "7B3D89C7-909F-419A-9EE8-A1F0D02934EF", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:11.7.0:*:*:*:*:*:*:*", "matchCriteriaId": "50EC8D9D-3483-4080-8000-496343BC8BFD", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:11.8.0:*:*:*:*:*:*:*", "matchCriteriaId": "24F62C78-2913-463F-B689-353AB2371E3F", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:11.8.1:*:*:*:*:*:*:*", "matchCriteriaId": "A70420A8-8571-4528-98E1-72BE00270C6E", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:11.9.0:*:*:*:*:*:*:*", "matchCriteriaId": "A276363F-F897-4E6D-9D55-5F5AA73DEE26", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:11.10.0:*:*:*:*:*:*:*", "matchCriteriaId": "DB16D9D6-A2F6-4C4B-B364-1B63B1FFB5F0", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:11.10.1:*:*:*:*:*:*:*", "matchCriteriaId": "A0F79D5F-EB28-417A-86DF-053D6EDBA161", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:11.10.2:*:*:*:*:*:*:*", "matchCriteriaId": "C92ECBCD-1EE3-498A-B3A4-22BF8EFD2EE7", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:11.11.0:*:*:*:*:*:*:*", "matchCriteriaId": "C4EABFC3-24FA-4441-9F2B-650D90AE5CC6", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:11.12.0:*:*:*:*:*:*:*", "matchCriteriaId": "2026FD07-103C-4691-AFA4-88C490382F28", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:11.12.1:*:*:*:*:*:*:*", "matchCriteriaId": "65607103-4284-430A-8212-AC1DCFFFA778", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:11.13.0:*:*:*:*:*:*:*", "matchCriteriaId": "4061B4C7-8315-450C-866A-C4F3A6BCB1A1", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:11.13.1:*:*:*:*:*:*:*", "matchCriteriaId": "00099DC9-D437-429B-9D08-F0DFA4942A6C", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:11.14.0:*:*:*:*:*:*:*", "matchCriteriaId": "EC6047FB-D1BD-4E21-B6BC-E51374C4B0E3", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:11.14.1:*:*:*:*:*:*:*", "matchCriteriaId": "89504BDC-82F7-4813-9C1E-456C9ACC6FB3", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:11.14.2:*:*:*:*:*:*:*", "matchCriteriaId": "118C550E-79A8-431E-BADB-710EEEEDC6C7", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:11.15.0:*:*:*:*:*:*:*", "matchCriteriaId": "4A62DFFE-637B-4911-B3B4-6DA4053CBDBE", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:11.15.1:*:*:*:*:*:*:*", "matchCriteriaId": "5DF6BC60-23F5-46A1-83F8-F4BCDEF196EF", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:11.16.0:*:*:*:*:*:*:*", "matchCriteriaId": "9F7C5D35-A6AE-4A2E-98C5-CB58FF22AF08", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:11.17.0:*:*:*:*:*:*:*", "matchCriteriaId": "D23CE302-AC62-468C-96B3-1EF430825170", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:11.17.1:*:*:*:*:*:*:*", "matchCriteriaId": "9DCAA174-3CA3-49DB-BA19-D2BCF4F8953F", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:11.18.0:*:*:*:*:*:*:*", "matchCriteriaId": "FD4D1A5A-99A3-4D23-B40C-BBE11EA5B325", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:11.19.0:*:*:*:*:*:*:*", "matchCriteriaId": "5EFFAE3F-3B78-49DE-8F01-2E439D9A6F7C", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:11.20.0:*:*:*:*:*:*:*", "matchCriteriaId": "0501E88B-986A-44C6-A6B5-F2CB9087A8B5", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:11.21.0:*:*:*:*:*:*:*", "matchCriteriaId": "1D3AF185-7AC6-491E-9BE0-8ECD163A3E77", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:11.21.1:*:*:*:*:*:*:*", "matchCriteriaId": "400EA2E1-B178-467F-BBC2-1B2ECEDE662A", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:11.21.2:*:*:*:*:*:*:*", "matchCriteriaId": "6E00A6C7-D3CF-40B5-A586-06E09C5AA1A3", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:11.22.0:*:*:*:*:*:*:*", "matchCriteriaId": "9E25D043-EE0D-49A5-A468-03EDD9CFE0EC", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:11.22.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "CA17630B-444D-4AE4-B582-F8106C4EEFDB", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:11.23.0:*:*:*:*:*:*:*", "matchCriteriaId": "62A20D6B-62FE-440D-BC58-F764AAA5562B", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:11.23.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F2AE880B-2FA2-42BB-BEBF-771E18FDA141", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:11.23.1:*:*:*:*:*:*:*", "matchCriteriaId": "AC982D1B-B018-474E-94BE-2157C21276C7", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:11.24.0:*:*:*:*:*:*:*", "matchCriteriaId": "F26815C8-8E43-4C26-947B-986EFFF0ACE1", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:11.24.1:*:*:*:*:*:*:*", "matchCriteriaId": "03E8213E-650F-4C95-B9E5-753E7784EF5B", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:11.25.0:*:*:*:*:*:*:*", "matchCriteriaId": "00B8F794-A7F2-4B8F-B36C-55E61DC6939A", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:13.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "7B635C21-C193-43AF-A139-98604F324ABF", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:13.0.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "E93A7967-9A04-424A-BDDB-A2B8289B9AC4", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:13.0.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "8F75C9FF-6F95-4F6A-B683-FE2BEDE3AD10", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:13.0.0:beta3:*:*:*:*:*:*", "matchCriteriaId": "68226156-42ED-4F0E-93E1-02DD57E582B6", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:13.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "FB2C4E1E-6B90-4DCC-BC09-7D19FBA65C3F", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:13.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "A4EB385E-28B5-4259-9431-99E1F32D61B7", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:13.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "58C0FF1B-6188-4181-A139-1806328762BD", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:13.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "121EACD3-D5E3-4691-8024-95996865BB65", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:13.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "136D6508-660E-410D-829A-7DD452BF8819", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:13.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "74B23D17-7356-4D37-8C73-E87896D1335B", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:13.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "D5BA542E-4667-4D9E-BDAE-FED6CA63F99D", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:13.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "83C8E7EC-0D4C-40E2-9EE1-4AB5F03464D4", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:13.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "81A8A6CB-D236-4AB3-8476-C2D34DB7EF31", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:13.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "599833A2-CBE9-479B-8A6E-AF79C5EED1DB", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:13.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "B870B3B7-E8DC-45A2-8FA4-657D005D00E3", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:13.6.0:*:*:*:*:*:*:*", "matchCriteriaId": "707296C4-153C-4ACF-B91A-AB5FA42260CC", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:13.7.0:*:*:*:*:*:*:*", "matchCriteriaId": "905722CB-4B6C-4849-88CD-22E972432E36", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:13.7.1:*:*:*:*:*:*:*", "matchCriteriaId": "5C1C39FA-EF1A-4F2B-87A0-A00BAE73C6A7", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:13.7.2:*:*:*:*:*:*:*", "matchCriteriaId": "677D1211-0B07-47B9-AB7A-E820E2B29561", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:13.8.0:*:*:*:*:*:*:*", "matchCriteriaId": "84202BAF-29E1-472B-B11F-B73F6A8891CF", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:13.8.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "FFC7120D-E6A0-4801-A1CC-3E143896EE72", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:13.8.1:*:*:*:*:*:*:*", "matchCriteriaId": "BAF2A83D-D9AE-441D-8D4E-335BF9D28A63", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:13.8.2:*:*:*:*:*:*:*", "matchCriteriaId": "7F5C1479-A540-4B7D-B00C-BD35EEC83BB4", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:13.9.0:*:*:*:*:*:*:*", "matchCriteriaId": "AC12556C-5E82-47D7-87E5-FBDC01A920DD", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:13.9.1:*:*:*:*:*:*:*", "matchCriteriaId": "461C1D2D-C4C1-4FF8-8231-38A2505F3523", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:13.10.0:*:*:*:*:*:*:*", "matchCriteriaId": "66595711-8573-4A9B-A8FE-4943E3097AA8", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:13.10.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "5D1FE3D4-A0B9-475A-9B89-B0222283A6A9", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:13.11.0:*:*:*:*:*:*:*", "matchCriteriaId": "9670B5AC-CBD1-484C-90F8-69B1A60B6054", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:13.11.1:*:*:*:*:*:*:*", "matchCriteriaId": "EE5794B6-246C-415E-8E20-56447F152488", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:13.11.2:*:*:*:*:*:*:*", "matchCriteriaId": "E726CA39-A763-4422-B59E-E9E12518EA4D", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:13.12.0:*:*:*:*:*:*:*", "matchCriteriaId": "206F1DC9-9E8F-4497-A354-4A14711993DC", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:13.12.1:*:*:*:*:*:*:*", "matchCriteriaId": "8D428364-E2AD-4BC6-9329-71793BC0EB61", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:13.12.2:*:*:*:*:*:*:*", "matchCriteriaId": "08963910-E0BD-4487-B669-60E0BFA79863", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:13.13.0:*:*:*:*:*:*:*", "matchCriteriaId": "F3BD16A9-24BC-4FC1-81BA-A6D1FEF38D35", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:14.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "5D413741-BDB7-496D-A01B-75E2A98FDB5B", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:14.0.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "29130F7F-DE00-43E1-A4A6-8F1F95D5CB19", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:14.0.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "25E94EC0-F577-4B2B-8B11-DC76278CDD42", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:14.0.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "101AD474-9B89-483D-84E8-08012677C55C", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:14.0.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "D57E41F6-C2CF-4183-A78A-9531A88FB65D", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:14.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "FB1F9BB8-F951-427E-B770-69C2ACEBDB28", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:14.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "7C4CE405-E923-4C9C-849A-D1031C4DB493", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:14.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "04ECDFF1-9718-4FAE-B45B-4F8CCA82829E", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:14.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "D2C4DA60-5701-4BD0-B2F9-D93B9E64111F", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:14.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "0B12834D-2AF1-4AD1-AB23-859CAA5D3210", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:14.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "E39BAA74-50A8-4087-8FF8-7C5922121319", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:digium:certified_asterisk:11.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "4F596E34-529A-41AD-AD51-C1D7EEE0FFF0", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:certified_asterisk:11.0.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "EC1BE0BB-A469-4DB6-88CF-80A065329C65", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:certified_asterisk:11.0.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4EA68726-87EF-490F-BBB8-A321E6C7A16D", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:certified_asterisk:11.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "1C8B3572-D6F6-45BD-9BE4-D532F9BF134E", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:certified_asterisk:11.1.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "7738E036-DACC-42EE-B417-CB083319B0A0", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:certified_asterisk:11.1.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "A6847720-D556-49D7-BD7F-E0559C6F5780", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:certified_asterisk:11.1.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "BA81D724-584B-4863-B270-869C415DB5BE", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:certified_asterisk:11.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "C0344FE7-952A-4BC5-A31F-F2C5EABDB5FC", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:certified_asterisk:11.2.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "00F26342-110F-4163-AD11-98AA3B71D299", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:certified_asterisk:11.2.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "8652FA73-2F02-401C-890F-0544276294D3", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:certified_asterisk:11.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "CF76131B-DF2C-4C6A-8E6B-1319D231402D", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:certified_asterisk:11.3.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "9AB8C209-694F-41BF-9CF2-D68D4E58A43C", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:certified_asterisk:11.3.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "6438A881-C806-4CC1-9828-C34BBB0FF332", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:certified_asterisk:11.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "2704EED6-C72D-427D-AD37-EBC4042CDD76", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:certified_asterisk:11.4.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "AF835684-26C6-4734-B586-D5DB4DF33072", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:certified_asterisk:11.4.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4EB76BC0-2B72-495E-80FC-C6B194648A91", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:certified_asterisk:11.4.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "9F1BC546-92E0-4285-8C18-37705F44B94E", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:certified_asterisk:11.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "9D50F0DF-54D3-4883-ADA2-DDB79F786182", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:certified_asterisk:11.5.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "0838BEC6-680A-4695-BD1B-309290F16A3B", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:certified_asterisk:11.5.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "82F78D49-ED8C-43FF-AE6D-713E90F1A1BE", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:certified_asterisk:11.6:cert1:*:*:*:*:*:*", "matchCriteriaId": "322694EF-B086-4BE7-A9F0-41D3A9C245FF", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:certified_asterisk:11.6:cert1:*:*:lts:*:*:*", "matchCriteriaId": "6AD7C9B3-D029-4E05-8E80-3ADA904FAC1C", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:certified_asterisk:11.6:cert1_rc1:*:*:*:*:*:*", "matchCriteriaId": "781AC882-80DD-4176-8E4F-220343B15F68", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:certified_asterisk:11.6:cert1_rc2:*:*:*:*:*:*", "matchCriteriaId": "770CCEEA-B121-454B-BD36-3FC1B262998A", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:certified_asterisk:11.6:cert10:*:*:lts:*:*:*", "matchCriteriaId": "BB47EA31-CF9D-4752-804B-7804151EC87C", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:certified_asterisk:11.6:cert11:*:*:lts:*:*:*", "matchCriteriaId": "A1C9B744-1745-4E9D-A2DE-4659295508D2", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:certified_asterisk:11.6:cert12:*:*:lts:*:*:*", "matchCriteriaId": "BFFD88AD-C82E-4C5C-9C4F-8A49176E3E52", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:certified_asterisk:11.6:cert13:*:*:lts:*:*:*", "matchCriteriaId": "6797C78B-BB9A-46B4-8F0B-492FB1988BB2", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:certified_asterisk:11.6:cert14:*:*:lts:*:*:*", "matchCriteriaId": "10A38D53-6C8E-493E-8207-F4CF7D754A5D", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:certified_asterisk:11.6:cert15:*:*:lts:*:*:*", "matchCriteriaId": "4CC0C753-9179-4C71-AFD8-C4601D8C865A", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:certified_asterisk:11.6:cert2:*:*:*:*:*:*", "matchCriteriaId": "013B1940-C45D-4FE2-8B49-D92B8F1A9048", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:certified_asterisk:11.6:cert2:*:*:lts:*:*:*", "matchCriteriaId": "CE71221B-4D55-4643-B6D1-307B2CF41F98", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:certified_asterisk:11.6:cert3:*:*:*:*:*:*", "matchCriteriaId": "A98B11B5-B8E2-4903-B4F7-3AC23751AE8F", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:certified_asterisk:11.6:cert3:*:*:lts:*:*:*", "matchCriteriaId": "88124275-9BEB-4D53-9E4D-1AC8C52F2D0F", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:certified_asterisk:11.6:cert4:*:*:lts:*:*:*", "matchCriteriaId": "4F3CEFEF-72B6-4B58-81FE-01BCEEFB3013", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:certified_asterisk:11.6:cert5:*:*:lts:*:*:*", "matchCriteriaId": "AA637187-0EAE-4756-AD72-A0B2FABCA070", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:certified_asterisk:11.6:cert6:*:*:lts:*:*:*", "matchCriteriaId": "6DAF6784-0B31-4104-9D85-473D5AFAB785", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:certified_asterisk:11.6:cert7:*:*:lts:*:*:*", "matchCriteriaId": "77B06B83-D62C-4A0E-BE94-83C9A02CE55A", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:certified_asterisk:11.6:cert8:*:*:lts:*:*:*", "matchCriteriaId": "CAD17809-CBB1-4E41-99C9-20FE56853563", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:certified_asterisk:11.6:cert9:*:*:lts:*:*:*", "matchCriteriaId": "066453F2-A77F-4E82-8C91-AC17FAA21A89", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:certified_asterisk:11.6.0:*:*:*:lts:*:*:*", "matchCriteriaId": "D6EE9895-FB94-451D-8701-8C0DD8F5BED0", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:certified_asterisk:11.6.0:-:*:*:*:*:*:*", "matchCriteriaId": "CCDDF5C2-9B45-4811-90F6-984EF4B220CF", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:certified_asterisk:11.6.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "56849E34-B192-46A8-A517-C7C184A901B4", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:certified_asterisk:11.6.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4610D544-156F-4E9A-BC46-9E0FF8D5D641", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in Asterisk Open Source 11.x before 11.25.1, 13.x before 13.13.1, and 14.x before 14.2.1 and Certified Asterisk 11.x before 11.6-cert16 and 13.x before 13.8-cert4. The chan_sip channel driver has a liberal definition for whitespace when attempting to strip the content between a SIP header name and a colon character. Rather than following RFC 3261 and stripping only spaces and horizontal tabs, Asterisk treats any non-printable ASCII character as if it were whitespace. This means that headers such as Contact\\x01: will be seen as a valid Contact header. This mostly does not pose a problem until Asterisk is placed in tandem with an authenticating SIP proxy. In such a case, a crafty combination of valid and invalid To headers can cause a proxy to allow an INVITE request into Asterisk without authentication since it believes the request is an in-dialog request. However, because of the bug described above, the request will look like an out-of-dialog request to Asterisk. Asterisk will then process the request as a new call. The result is that Asterisk can process calls from unvetted sources without any authentication. If you do not use a proxy for authentication, then this issue does not affect you. If your proxy is dialog-aware (meaning that the proxy keeps track of what dialogs are currently valid), then this issue does not affect you. If you use chan_pjsip instead of chan_sip, then this issue does not affect you."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en Asterisk Open Source 11.x en versiones anteriores a 11.25.1, 13.x en versiones anteriores a 13.13.1 y 14.x en versiones anteriores a 14.2.1 y Certified Asterisk 11.x en versiones anteriores a 11.6-cert16 y 13.x en versiones anteriores a 13.8-cert4. El controlador de canal chan_sip tiene una definici\u00f3n liberal de espacios en blanco cuando intenta quitar al contenido entre un nombre de encabezado SIP y un car\u00e1cter de dos puntos. En lugar de seguir la RFC 3261 y quitar s\u00f3lo espacios y pesta\u00f1as horizontales, Asterisk trata cualquier car\u00e1cter ASCII no imprimible como si fuera un espacio en blanco. Esto significa que los encabezados tal como Contact\\x01: se ver\u00e1n como un encabezado de Contact v\u00e1lido. Esto principalmente no plantea un problema hasta que Asterisk se coloca en t\u00e1ndem con un proxy SIP de autenticaci\u00f3n. En este caso, una combinaci\u00f3n h\u00e1bil de encabezados v\u00e1lidos y no v\u00e1lidos puede provocar que un proxy permita una petici\u00f3n INVITE en Asterisk sin autenticaci\u00f3n ya que cree que la solicitud es una petici\u00f3n de dialogo de entrada. Sin embargo, debido al error descrito anteriormente, la petici\u00f3n se ver\u00e1 como una solicitud fuera de di\u00e1logo para Asterisk. Asterisk procesara la solicitud como una nueva llamada. El resultado es que Asterisk pueda procesar llamadas desde fuentes de fuentes no examinadas sin autenticaci\u00f3n. Si no utiliza un proxy para la autenticaci\u00f3n, entonces este problema no le afecta. Si su proxy tiene conocimiento de di\u00e1logo (lo que siginifica que el proxy realiza un seguimiento de los cuadros de di\u00e1logos que son actualmente v\u00e1lidos), entonces este problema no le afecta. Si utiliza chan_pjsip en lugar de chan_sip, entonces este problema no le afecta."}], "id": "CVE-2016-9938", "lastModified": "2017-07-27T01:29:07.290", "metrics": {"cvssMetricV2": [{"acInsufInfo": true, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2016-12-12T21:59:01.617", "references": [{"source": "cve@mitre.org", "tags": ["Mitigation", "Vendor Advisory"], "url": "http://downloads.asterisk.org/pub/security/AST-2016-009.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/94789"}, {"source": "cve@mitre.org", "url": "http://www.securitytracker.com/id/1037408"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}