CVE-CVE-2016-9938 | MEDIUM Severity | CVEDatabase.com

Description

An issue was discovered in Asterisk Open Source 11.x before 11.25.1, 13.x before 13.13.1, and 14.x before 14.2.1 and Certified Asterisk 11.x before 11.6-cert16 and 13.x before 13.8-cert4. The chan_sip channel driver has a liberal definition for whitespace when attempting to strip the content between a SIP header name and a colon character. Rather than following RFC 3261 and stripping only spaces and horizontal tabs, Asterisk treats any non-printable ASCII character as if it were whitespace. This means that headers such as Contact\x01: will be seen as a valid Contact header. This mostly does not pose a problem until Asterisk is placed in tandem with an authenticating SIP proxy. In such a case, a crafty combination of valid and invalid To headers can cause a proxy to allow an INVITE request into Asterisk without authentication since it believes the request is an in-dialog request. However, because of the bug described above, the request will look like an out-of-dialog request to Asterisk. Asterisk will then process the request as a new call. The result is that Asterisk can process calls from unvetted sources without any authentication. If you do not use a proxy for authentication, then this issue does not affect you. If your proxy is dialog-aware (meaning that the proxy keeps track of what dialogs are currently valid), then this issue does not affect you. If you use chan_pjsip instead of chan_sip, then this issue does not affect you.

CVSS Metrics

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector: network
Complexity: low
Privileges: none
User Action: none
Scope: unchanged
Confidentiality: none
Integrity: low
Availability: none
Weaknesses: CWE-285

Metadata

Primary Vendor: DIGIUM
Published: 12/12/2016
Last Modified: 4/12/2025
Source: NIST NVD
Note: Verify all details with official vendor sources before applying patches.

Affected Products

digium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : asteriskdigium : certified_asteriskdigium : certified_asteriskdigium : certified_asteriskdigium : certified_asteriskdigium : certified_asteriskdigium : certified_asteriskdigium : certified_asteriskdigium : certified_asteriskdigium : certified_asteriskdigium : certified_asteriskdigium : certified_asteriskdigium : certified_asteriskdigium : certified_asteriskdigium : certified_asteriskdigium : certified_asteriskdigium : certified_asteriskdigium : certified_asteriskdigium : certified_asteriskdigium : certified_asteriskdigium : certified_asteriskdigium : certified_asteriskdigium : certified_asteriskdigium : certified_asteriskdigium : certified_asteriskdigium : certified_asteriskdigium : certified_asteriskdigium : certified_asteriskdigium : certified_asteriskdigium : certified_asteriskdigium : certified_asteriskdigium : certified_asteriskdigium : certified_asteriskdigium : certified_asteriskdigium : certified_asteriskdigium : certified_asteriskdigium : certified_asteriskdigium : certified_asteriskdigium : certified_asteriskdigium : certified_asteriskdigium : certified_asteriskdigium : certified_asteriskdigium : certified_asteriskdigium : certified_asteriskdigium : certified_asterisk

AI-Powered Remediation

Generate remediation guidance or a C-suite brief for this vulnerability.

Executive Intelligence Brief

View on NIST NVD