cpe:/a:digium:asterisk:11.0.0 cpe:/a:digium:asterisk:11.0.0:beta1 cpe:/a:digium:asterisk:11.0.0:beta2 cpe:/a:digium:asterisk:11.0.0:rc1 cpe:/a:digium:asterisk:11.0.0:rc2 cpe:/a:digium:asterisk:11.0.1 cpe:/a:digium:asterisk:11.0.2 cpe:/a:digium:asterisk:11.1.0 cpe:/a:digium:asterisk:11.1.0:rc1 cpe:/a:digium:asterisk:11.1.0:rc3 cpe:/a:digium:asterisk:11.1.1 cpe:/a:digium:asterisk:11.1.2 cpe:/a:digium:asterisk:11.2.0 cpe:/a:digium:asterisk:11.2.0:rc1 cpe:/a:digium:asterisk:11.2.0:rc2 cpe:/a:digium:asterisk:11.2.1 cpe:/a:digium:asterisk:11.2.2 cpe:/a:digium:asterisk:11.3.0 cpe:/a:digium:asterisk:11.4.0 cpe:/a:digium:asterisk:11.5.0 cpe:/a:digium:asterisk:11.5.1 cpe:/a:digium:asterisk:11.6.0 cpe:/a:digium:asterisk:11.6.1 cpe:/a:digium:asterisk:11.7.0 cpe:/a:digium:asterisk:11.8.0 cpe:/a:digium:asterisk:11.8.1 cpe:/a:digium:asterisk:11.9.0 cpe:/a:digium:asterisk:11.10.0 cpe:/a:digium:asterisk:11.10.1 cpe:/a:digium:asterisk:11.10.2 cpe:/a:digium:asterisk:11.11.0 cpe:/a:digium:asterisk:11.12.0 cpe:/a:digium:asterisk:11.12.1 cpe:/a:digium:asterisk:11.13.0 cpe:/a:digium:asterisk:11.13.1 cpe:/a:digium:asterisk:11.14.0 cpe:/a:digium:asterisk:11.14.1 cpe:/a:digium:asterisk:11.14.2 cpe:/a:digium:asterisk:11.15.0 cpe:/a:digium:asterisk:11.15.1 cpe:/a:digium:asterisk:11.16.0 cpe:/a:digium:asterisk:11.17.0 cpe:/a:digium:asterisk:11.17.1 cpe:/a:digium:asterisk:11.18.0 cpe:/a:digium:asterisk:11.19.0 cpe:/a:digium:asterisk:11.20.0 cpe:/a:digium:asterisk:11.21.0 cpe:/a:digium:asterisk:11.21.1 cpe:/a:digium:asterisk:11.21.2 cpe:/a:digium:asterisk:11.22.0 cpe:/a:digium:asterisk:11.22.0:rc1 cpe:/a:digium:asterisk:11.23.0 cpe:/a:digium:asterisk:11.23.0:rc1 cpe:/a:digium:asterisk:11.23.1 cpe:/a:digium:asterisk:11.24.0 cpe:/a:digium:asterisk:11.24.1 cpe:/a:digium:asterisk:11.25.0 cpe:/a:digium:asterisk:13.0.0 cpe:/a:digium:asterisk:13.0.0:beta1 cpe:/a:digium:asterisk:13.0.0:beta2 cpe:/a:digium:asterisk:13.0.0:beta3 cpe:/a:digium:asterisk:13.0.1 cpe:/a:digium:asterisk:13.0.2 
cpe:/a:digium:asterisk:13.1.0 cpe:/a:digium:asterisk:13.1.1 cpe:/a:digium:asterisk:13.2.0 cpe:/a:digium:asterisk:13.2.1 cpe:/a:digium:asterisk:13.3.0 cpe:/a:digium:asterisk:13.3.1 cpe:/a:digium:asterisk:13.3.2 cpe:/a:digium:asterisk:13.4.0 cpe:/a:digium:asterisk:13.5.0 cpe:/a:digium:asterisk:13.6.0 cpe:/a:digium:asterisk:13.7.0 cpe:/a:digium:asterisk:13.7.1 cpe:/a:digium:asterisk:13.7.2 cpe:/a:digium:asterisk:13.8.0 cpe:/a:digium:asterisk:13.8.0:rc1 cpe:/a:digium:asterisk:13.8.1 cpe:/a:digium:asterisk:13.8.2 cpe:/a:digium:asterisk:13.9.0 cpe:/a:digium:asterisk:13.9.1 cpe:/a:digium:asterisk:13.10.0 cpe:/a:digium:asterisk:13.10.0:rc1 cpe:/a:digium:asterisk:13.11.0 cpe:/a:digium:asterisk:13.11.1 cpe:/a:digium:asterisk:13.11.2 cpe:/a:digium:asterisk:13.12.0 cpe:/a:digium:asterisk:13.12.1 cpe:/a:digium:asterisk:13.12.2 cpe:/a:digium:asterisk:13.13.0 cpe:/a:digium:asterisk:14.0.0 cpe:/a:digium:asterisk:14.0.0:beta1 cpe:/a:digium:asterisk:14.0.0:beta2 cpe:/a:digium:asterisk:14.0.0:rc1 cpe:/a:digium:asterisk:14.0.0:rc2 cpe:/a:digium:asterisk:14.0.1 cpe:/a:digium:asterisk:14.0.2 cpe:/a:digium:asterisk:14.1.0 cpe:/a:digium:asterisk:14.1.1 cpe:/a:digium:asterisk:14.1.2 cpe:/a:digium:asterisk:14.2.0 cpe:/a:digium:certified_asterisk:11.0.0 cpe:/a:digium:certified_asterisk:11.0.0:rc1 cpe:/a:digium:certified_asterisk:11.0.0:rc2 cpe:/a:digium:certified_asterisk:11.1.0 cpe:/a:digium:certified_asterisk:11.1.0:rc1 cpe:/a:digium:certified_asterisk:11.1.0:rc2 cpe:/a:digium:certified_asterisk:11.1.0:rc3 cpe:/a:digium:certified_asterisk:11.2.0 cpe:/a:digium:certified_asterisk:11.2.0:rc1 cpe:/a:digium:certified_asterisk:11.2.0:rc2 cpe:/a:digium:certified_asterisk:11.3.0 cpe:/a:digium:certified_asterisk:11.3.0:rc1 cpe:/a:digium:certified_asterisk:11.3.0:rc2 cpe:/a:digium:certified_asterisk:11.4.0 cpe:/a:digium:certified_asterisk:11.4.0:rc1 cpe:/a:digium:certified_asterisk:11.4.0:rc2 cpe:/a:digium:certified_asterisk:11.4.0:rc3 cpe:/a:digium:certified_asterisk:11.5.0 
cpe:/a:digium:certified_asterisk:11.5.0:rc1 cpe:/a:digium:certified_asterisk:11.5.0:rc2 cpe:/a:digium:certified_asterisk:11.6:cert1 cpe:/a:digium:certified_asterisk:11.6:cert1:~~lts~~~ cpe:/a:digium:certified_asterisk:11.6:cert10:~~lts~~~ cpe:/a:digium:certified_asterisk:11.6:cert11:~~lts~~~ cpe:/a:digium:certified_asterisk:11.6:cert12:~~lts~~~ cpe:/a:digium:certified_asterisk:11.6:cert13:~~lts~~~ cpe:/a:digium:certified_asterisk:11.6:cert14:~~lts~~~ cpe:/a:digium:certified_asterisk:11.6:cert15:~~lts~~~ cpe:/a:digium:certified_asterisk:11.6:cert1_rc1 cpe:/a:digium:certified_asterisk:11.6:cert1_rc2 cpe:/a:digium:certified_asterisk:11.6:cert2 cpe:/a:digium:certified_asterisk:11.6:cert2:~~lts~~~ cpe:/a:digium:certified_asterisk:11.6:cert3 cpe:/a:digium:certified_asterisk:11.6:cert3:~~lts~~~ cpe:/a:digium:certified_asterisk:11.6:cert4:~~lts~~~ cpe:/a:digium:certified_asterisk:11.6:cert5:~~lts~~~ cpe:/a:digium:certified_asterisk:11.6:cert6:~~lts~~~ cpe:/a:digium:certified_asterisk:11.6:cert7:~~lts~~~ cpe:/a:digium:certified_asterisk:11.6:cert8:~~lts~~~ cpe:/a:digium:certified_asterisk:11.6:cert9:~~lts~~~ cpe:/a:digium:certified_asterisk:11.6.0::~~lts~~~ cpe:/a:digium:certified_asterisk:11.6.0:- cpe:/a:digium:certified_asterisk:11.6.0:rc1 cpe:/a:digium:certified_asterisk:11.6.0:rc2

CVE-2016-9938
Published: 2016-12-12T16:59:01.617-05:00
Last modified: 2017-07-26T21:29:07.290-04:00
CVSS v2 base score: 5.0 (access vector NETWORK, access complexity LOW, authentication NONE, confidentiality impact NONE, integrity impact PARTIAL, availability impact NONE; source http://nvd.nist.gov, generated 2017-01-03T14:52:57.457-05:00)
References: SECTRACK 1037408; BID 94789; CONFIRM http://downloads.asterisk.org/pub/security/AST-2016-009.html

An issue was discovered in Asterisk Open Source 11.x before 11.25.1, 13.x before 13.13.1, and 14.x before 14.2.1, and in Certified Asterisk 11.x before 11.6-cert16 and 13.x before 13.8-cert4.

The chan_sip channel driver uses a liberal definition of whitespace when stripping the characters between a SIP header name and the colon. Rather than following RFC 3261 and stripping only spaces and horizontal tabs, Asterisk treats any non-printable ASCII character as whitespace. A line such as Contact\x01: is therefore accepted as a valid Contact header, even though an RFC-compliant parser would not recognise it as one.

On its own this is mostly harmless. It becomes a problem when Asterisk sits behind an authenticating SIP proxy. A crafted combination of valid and invalid To headers can make the proxy forward an INVITE to Asterisk without authentication, because the proxy (reading only the well-formed To header) takes the request to be an in-dialog request and assumes the dialog was authenticated when it was set up. Asterisk, however, also honours the malformed To header, so the same request looks out-of-dialog to it and is processed as a new call. The result is that Asterisk processes calls from unvetted sources without any authentication. The two parsers disagreeing about which To header is "the" To header is the whole of the bug; neither component is wrong about the message it believes it received.

This issue does not affect you if any of the following holds: you do not rely on a proxy for authentication; your proxy is dialog-aware (it tracks which dialogs are currently valid rather than inferring dialog state from the To tag alone); or you use chan_pjsip instead of chan_sip. The fix ships in the versions listed above (see AST-2016-009).
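To make the parser disagreement concrete, the following Python model (added here; it is not Asterisk code and not from the advisory) implements two header-name matchers: an RFC 3261 one that allows only SP and HTAB between the name and the colon, and a liberal one that, like the pre-fix chan_sip described above, treats any byte below 0x21 as whitespace (the exact predicate in the old code is my assumption, chosen to match the "non-printable ASCII" wording). A simplified proxy rule, "a request whose first To header carries a tag is in-dialog", is applied to a constructed INVITE that carries both a bogus To\x01 header and a real tagged To header. The proxy sees only the tagged header and waves the request through; the liberal parser sees the untagged one first and treats it as a new call. The last function is the check a hardened parser or a SIP-aware IDS would want: lines that only a liberal parser would accept as headers.

```python
import re
from typing import Callable, List, Optional

# SIP token characters (RFC 3261 section 25.1), used for header names.
TOKEN = rb"[A-Za-z0-9\-.!%*_+`'~]+"
# RFC 3261 section 7.3.1: name, optional SP/HTAB, then the colon.
STRICT_LINE = re.compile(rb"^(" + TOKEN + rb")[ \t]*:")


def strict_header_name(line: bytes) -> Optional[bytes]:
    """Header name of LINE under RFC 3261 rules, or None if the line is not a header."""
    m = STRICT_LINE.match(line)
    return m.group(1) if m else None


def liberal_header_name(line: bytes) -> Optional[bytes]:
    """Model of the pre-fix chan_sip behaviour: any byte below 0x21 before the
    colon is stripped as if it were whitespace, so b'To\\x01:' is seen as 'To'.
    (Assumption: 'non-printable' modelled as bytes < 0x21.)"""
    colon = line.find(b":")
    if colon <= 0:
        return None
    name = line[:colon]
    end = len(name)
    while end > 0 and name[end - 1] < 0x21:
        end -= 1
    name = name[:end]
    return name if re.fullmatch(TOKEN, name) else None


def first_header(msg: bytes, wanted: bytes,
                 name_of: Callable[[bytes], Optional[bytes]]) -> Optional[bytes]:
    """Value of the first header whose parsed name equals WANTED (case-insensitive).
    Lines that NAME_OF does not recognise as headers are skipped, the way an
    RFC parser skips an unknown or malformed line."""
    for line in msg.split(b"\r\n")[1:]:
        if not line:
            break
        name = name_of(line)
        if name is not None and name.lower() == wanted.lower():
            return line[line.index(b":") + 1:].strip()
    return None


def looks_in_dialog(msg: bytes,
                    name_of: Callable[[bytes], Optional[bytes]]) -> bool:
    """Simplified proxy rule (assumption): a request is in-dialog iff its To header has a tag."""
    to = first_header(msg, b"To", name_of)
    return to is not None and re.search(rb";\s*tag=", to) is not None


def malformed_header_lines(msg: bytes) -> List[bytes]:
    """Header lines a liberal parser accepts but an RFC parser rejects: reject or alert on these."""
    bad = []
    for line in msg.split(b"\r\n")[1:]:
        if not line:
            break
        if strict_header_name(line) is None and liberal_header_name(line) is not None:
            bad.append(line)
    return bad


# Constructed sample request (not a real capture). The bogus To\x01 line comes
# first so that a liberal parser finds it before the real, tagged To header.
CRAFTED_INVITE = (
    b"INVITE sip:bob@example.com SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776\r\n"
    b"To\x01: <sip:bob@example.com>\r\n"
    b"To: <sip:bob@example.com>;tag=1928301774\r\n"
    b"From: <sip:mallory@example.net>;tag=a6c85cf\r\n"
    b"Call-ID: a84b4c76e66710\r\n"
    b"CSeq: 314159 INVITE\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print("RFC 3261 proxy sees in-dialog:  ", looks_in_dialog(CRAFTED_INVITE, strict_header_name))
    print("liberal chan_sip sees in-dialog:", looks_in_dialog(CRAFTED_INVITE, liberal_header_name))
    print("header lines to reject:", malformed_header_lines(CRAFTED_INVITE))
```

The proxy rule is deliberately the naive one: a dialog-aware proxy would look the Call-ID and tags up in its dialog table and never forward this request unauthenticated, which is exactly why the advisory says such proxies are unaffected. Note that a message with any line in malformed_header_lines() is one that two parsers may legitimately read differently, so rejecting such messages at the edge is the safe default regardless of which parser is downstream.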