An issue was discovered in Asterisk Open Source 11.x before 11.25.1, 13.x before 13.13.1, and 14.x before 14.2.1 and Certified Asterisk 11.x before 11.6-cert16 and 13.x before 13.8-cert4. The chan_sip channel driver has a liberal definition for whitespace when attempting to strip the content between a SIP header name and a colon character. Rather than following RFC 3261 and stripping only spaces and horizontal tabs, Asterisk treats any non-printable ASCII character as if it were whitespace. This means that headers such as Contact\x01: will be seen as a valid Contact header. This mostly does not pose a problem until Asterisk is placed in tandem with an authenticating SIP proxy. In such a case, a crafty combination of valid and invalid To headers can cause a proxy to allow an INVITE request into Asterisk without authentication since it believes the request is an in-dialog request. However, because of the bug described above, the request will look like an out-of-dialog request to Asterisk. Asterisk will then process the request as a new call. The result is that Asterisk can process calls from unvetted sources without any authentication. If you do not use a proxy for authentication, then this issue does not affect you. If your proxy is dialog-aware (meaning that the proxy keeps track of what dialogs are currently valid), then this issue does not affect you. If you use chan_pjsip instead of chan_sip, then this issue does not affect you.

• http://downloads.asterisk.org/pub/security/AST-2016-009.html
• http://www.securityfocus.com/bid/94789
• http://www.securitytracker.com/id/1037408
• http://downloads.asterisk.org/pub/security/AST-2016-009.html
• http://www.securityfocus.com/bid/94789
• http://www.securitytracker.com/id/1037408

• Digium » Asterisk » Version: 11.0.0
  cpe:2.3:a:digium:asterisk:11.0.0
• Digium » Asterisk » Version: 11.0.1
  cpe:2.3:a:digium:asterisk:11.0.1
• Digium » Asterisk » Version: 11.0.2
  cpe:2.3:a:digium:asterisk:11.0.2
• Digium » Asterisk » Version: 11.1.0
  cpe:2.3:a:digium:asterisk:11.1.0
• Digium » Asterisk » Version: 11.1.1
  cpe:2.3:a:digium:asterisk:11.1.1
• Digium » Asterisk » Version: 11.1.2
  cpe:2.3:a:digium:asterisk:11.1.2
• Digium » Asterisk » Version: 11.10.0
  cpe:2.3:a:digium:asterisk:11.10.0
• Digium » Asterisk » Version: 11.10.1
  cpe:2.3:a:digium:asterisk:11.10.1
• Digium » Asterisk » Version: 11.10.2
  cpe:2.3:a:digium:asterisk:11.10.2
• Digium » Asterisk » Version: 11.11.0
  cpe:2.3:a:digium:asterisk:11.11.0
• Digium » Asterisk » Version: 11.12.0
  cpe:2.3:a:digium:asterisk:11.12.0
• Digium » Asterisk » Version: 11.12.1
  cpe:2.3:a:digium:asterisk:11.12.1
• Digium » Asterisk » Version: 11.13.0
  cpe:2.3:a:digium:asterisk:11.13.0
• Digium » Asterisk » Version: 11.13.1
  cpe:2.3:a:digium:asterisk:11.13.1
• Digium » Asterisk » Version: 11.14.0
  cpe:2.3:a:digium:asterisk:11.14.0
• Digium » Asterisk » Version: 11.14.1
  cpe:2.3:a:digium:asterisk:11.14.1
• Digium » Asterisk » Version: 11.14.2
  cpe:2.3:a:digium:asterisk:11.14.2
• Digium » Asterisk » Version: 11.15.0
  cpe:2.3:a:digium:asterisk:11.15.0
• Digium » Asterisk » Version: 11.15.1
  cpe:2.3:a:digium:asterisk:11.15.1
• Digium » Asterisk » Version: 11.16.0
  cpe:2.3:a:digium:asterisk:11.16.0
• Digium » Asterisk » Version: 11.17.0
  cpe:2.3:a:digium:asterisk:11.17.0
• Digium » Asterisk » Version: 11.17.1
  cpe:2.3:a:digium:asterisk:11.17.1
• Digium » Asterisk » Version: 11.18.0
  cpe:2.3:a:digium:asterisk:11.18.0
• Digium » Asterisk » Version: 11.19.0
  cpe:2.3:a:digium:asterisk:11.19.0
• Digium » Asterisk » Version: 11.2.0
  cpe:2.3:a:digium:asterisk:11.2.0
• Digium » Asterisk » Version: 11.2.1
  cpe:2.3:a:digium:asterisk:11.2.1
• Digium » Asterisk » Version: 11.2.2
  cpe:2.3:a:digium:asterisk:11.2.2
• Digium » Asterisk » Version: 11.20.0
  cpe:2.3:a:digium:asterisk:11.20.0
• Digium » Asterisk » Version: 11.21.0
  cpe:2.3:a:digium:asterisk:11.21.0
• Digium » Asterisk » Version: 11.21.1
  cpe:2.3:a:digium:asterisk:11.21.1
• Digium » Asterisk » Version: 11.21.2
  cpe:2.3:a:digium:asterisk:11.21.2
• Digium » Asterisk » Version: 11.22.0
  cpe:2.3:a:digium:asterisk:11.22.0
• Digium » Asterisk » Version: 11.23.0
  cpe:2.3:a:digium:asterisk:11.23.0
• Digium » Asterisk » Version: 11.23.1
  cpe:2.3:a:digium:asterisk:11.23.1
• Digium » Asterisk » Version: 11.24.0
  cpe:2.3:a:digium:asterisk:11.24.0
• Digium » Asterisk » Version: 11.24.1
  cpe:2.3:a:digium:asterisk:11.24.1
• Digium » Asterisk » Version: 11.25.0
  cpe:2.3:a:digium:asterisk:11.25.0
• Digium » Asterisk » Version: 11.3.0
  cpe:2.3:a:digium:asterisk:11.3.0
• Digium » Asterisk » Version: 11.4.0
  cpe:2.3:a:digium:asterisk:11.4.0
• Digium » Asterisk » Version: 11.5.0
  cpe:2.3:a:digium:asterisk:11.5.0
• Digium » Asterisk » Version: 11.5.1
  cpe:2.3:a:digium:asterisk:11.5.1
• Digium » Asterisk » Version: 11.6.0
  cpe:2.3:a:digium:asterisk:11.6.0
• Digium » Asterisk » Version: 11.6.1
  cpe:2.3:a:digium:asterisk:11.6.1
• Digium » Asterisk » Version: 11.7.0
  cpe:2.3:a:digium:asterisk:11.7.0
• Digium » Asterisk » Version: 11.8.0
  cpe:2.3:a:digium:asterisk:11.8.0
• Digium » Asterisk » Version: 11.8.1
  cpe:2.3:a:digium:asterisk:11.8.1
• Digium » Asterisk » Version: 11.9.0
  cpe:2.3:a:digium:asterisk:11.9.0
• Digium » Asterisk » Version: 13.0.0
  cpe:2.3:a:digium:asterisk:13.0.0
• Digium » Asterisk » Version: 13.0.1
  cpe:2.3:a:digium:asterisk:13.0.1
• Digium » Asterisk » Version: 13.0.2
  cpe:2.3:a:digium:asterisk:13.0.2
• Digium » Asterisk » Version: 13.1.0
  cpe:2.3:a:digium:asterisk:13.1.0
• Digium » Asterisk » Version: 13.1.1
  cpe:2.3:a:digium:asterisk:13.1.1
• Digium » Asterisk » Version: 13.10.0
  cpe:2.3:a:digium:asterisk:13.10.0
• Digium » Asterisk » Version: 13.11.0
  cpe:2.3:a:digium:asterisk:13.11.0
• Digium » Asterisk » Version: 13.11.1
  cpe:2.3:a:digium:asterisk:13.11.1
• Digium » Asterisk » Version: 13.11.2
  cpe:2.3:a:digium:asterisk:13.11.2
• Digium » Asterisk » Version: 13.12.0
  cpe:2.3:a:digium:asterisk:13.12.0
• Digium » Asterisk » Version: 13.12.1
  cpe:2.3:a:digium:asterisk:13.12.1
• Digium » Asterisk » Version: 13.12.2
  cpe:2.3:a:digium:asterisk:13.12.2
• Digium » Asterisk » Version: 13.13.0
  cpe:2.3:a:digium:asterisk:13.13.0
• Digium » Asterisk » Version: 13.2.0
  cpe:2.3:a:digium:asterisk:13.2.0
• Digium » Asterisk » Version: 13.2.1
  cpe:2.3:a:digium:asterisk:13.2.1
• Digium » Asterisk » Version: 13.3.0
  cpe:2.3:a:digium:asterisk:13.3.0
• Digium » Asterisk » Version: 13.3.1
  cpe:2.3:a:digium:asterisk:13.3.1
• Digium » Asterisk » Version: 13.3.2
  cpe:2.3:a:digium:asterisk:13.3.2
• Digium » Asterisk » Version: 13.4.0
  cpe:2.3:a:digium:asterisk:13.4.0
• Digium » Asterisk » Version: 13.5.0
  cpe:2.3:a:digium:asterisk:13.5.0
• Digium » Asterisk » Version: 13.6.0
  cpe:2.3:a:digium:asterisk:13.6.0
• Digium » Asterisk » Version: 13.7.0
  cpe:2.3:a:digium:asterisk:13.7.0
• Digium » Asterisk » Version: 13.7.1
  cpe:2.3:a:digium:asterisk:13.7.1
• Digium » Asterisk » Version: 13.7.2
  cpe:2.3:a:digium:asterisk:13.7.2
• Digium » Asterisk » Version: 13.8.0
  cpe:2.3:a:digium:asterisk:13.8.0
• Digium » Asterisk » Version: 13.8.1
  cpe:2.3:a:digium:asterisk:13.8.1
• Digium » Asterisk » Version: 13.8.2
  cpe:2.3:a:digium:asterisk:13.8.2
• Digium » Asterisk » Version: 13.9.0
  cpe:2.3:a:digium:asterisk:13.9.0
• Digium » Asterisk » Version: 13.9.1
  cpe:2.3:a:digium:asterisk:13.9.1
• Digium » Asterisk » Version: 14.0.0
  cpe:2.3:a:digium:asterisk:14.0.0
• Digium » Asterisk » Version: 14.0.1
  cpe:2.3:a:digium:asterisk:14.0.1
• Digium » Asterisk » Version: 14.0.2
  cpe:2.3:a:digium:asterisk:14.0.2
• Digium » Asterisk » Version: 14.1.0
  cpe:2.3:a:digium:asterisk:14.1.0
• Digium » Asterisk » Version: 14.1.1
  cpe:2.3:a:digium:asterisk:14.1.1
• Digium » Asterisk » Version: 14.1.2
  cpe:2.3:a:digium:asterisk:14.1.2
• Digium » Asterisk » Version: 14.2.0
  cpe:2.3:a:digium:asterisk:14.2.0
• Digium » Certified Asterisk » Version: 11.0.0
  cpe:2.3:a:digium:certified_asterisk:11.0.0
• Digium » Certified Asterisk » Version: 11.1.0
  cpe:2.3:a:digium:certified_asterisk:11.1.0
• Digium » Certified Asterisk » Version: 11.2.0
  cpe:2.3:a:digium:certified_asterisk:11.2.0
• Digium » Certified Asterisk » Version: 11.3.0
  cpe:2.3:a:digium:certified_asterisk:11.3.0
• Digium » Certified Asterisk » Version: 11.4.0
  cpe:2.3:a:digium:certified_asterisk:11.4.0
• Digium » Certified Asterisk » Version: 11.5.0
  cpe:2.3:a:digium:certified_asterisk:11.5.0
• Digium » Certified Asterisk » Version: 11.6
  cpe:2.3:a:digium:certified_asterisk:11.6
• Digium » Certified Asterisk » Version: 11.6.0
  cpe:2.3:a:digium:certified_asterisk:11.6.0