CVE-2021-32558
high-risk
Published 2021-07-30
An issue was discovered in Sangoma Asterisk 13.x before 13.38.3, 16.x before 16.19.1, 17.x before 17.9.4, and 18.x before 18.5.1, and Certified Asterisk before 16.8-cert10. If the IAX2 channel driver receives a packet that contains an unsupported media format, a crash can occur.
Do I need to act?
2.9% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
Not on CISA KEV list
No confirmed active exploitation reported to CISA
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 7.5/10 · High · NETWORK / LOW complexity
Affected Products (20)
References (12)
Mailing List
http://seclists.org/fulldisclosure/2021/Jul/49
Third Party Advisory
https://www.debian.org/security/2021/dsa-4999
52 / 100
high-risk
Severity
26/34 · High
Exploitability
6/34 · Minimal
Exposure
20/34 · Moderate