Medium severity5.3NVD Advisory· Published Dec 12, 2016· Updated May 6, 2026

CVE-2016-9938

Description

An issue was discovered in Asterisk Open Source 11.x before 11.25.1, 13.x before 13.13.1, and 14.x before 14.2.1 and Certified Asterisk 11.x before 11.6-cert16 and 13.x before 13.8-cert4. The chan_sip channel driver has a liberal definition for whitespace when attempting to strip the content between a SIP header name and a colon character. Rather than following RFC 3261 and stripping only spaces and horizontal tabs, Asterisk treats any non-printable ASCII character as if it were whitespace. This means that headers such as Contact\x01: will be seen as a valid Contact header. This mostly does not pose a problem until Asterisk is placed in tandem with an authenticating SIP proxy. In such a case, a crafty combination of valid and invalid To headers can cause a proxy to allow an INVITE request into Asterisk without authentication since it believes the request is an in-dialog request. However, because of the bug described above, the request will look like an out-of-dialog request to Asterisk. Asterisk will then process the request as a new call. The result is that Asterisk can process calls from unvetted sources without any authentication. If you do not use a proxy for authentication, then this issue does not affect you. If your proxy is dialog-aware (meaning that the proxy keeps track of what dialogs are currently valid), then this issue does not affect you. If you use chan_pjsip instead of chan_sip, then this issue does not affect you.

Affected products

146

Digium/Asterisk102 versions
cpe:2.3:a:digium:asterisk:11.0.0:*:*:*:*:*:*:*+ 101 more
- cpe:2.3:a:digium:asterisk:11.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.0.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.0.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.0.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.0.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.1.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.1.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.2.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.22.0:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.22.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.23.0:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.23.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.23.1:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.24.0:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.24.1:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.25.0:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:13.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:13.0.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:13.0.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:13.0.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:13.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:13.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:13.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:13.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:13.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:13.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:13.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:13.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:13.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:13.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:13.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:13.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:13.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.2.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.9.0:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.10.0:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.10.1:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.10.2:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.11.0:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.12.0:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.12.1:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.13.0:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.13.1:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.14.0:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.14.1:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.14.2:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.15.0:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.15.1:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.16.0:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.17.0:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.17.1:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.18.0:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.19.0:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.20.0:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.21.0:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.21.1:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.21.2:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:13.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:13.7.2:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:13.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:13.8.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:13.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:13.8.2:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:13.9.0:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:13.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:13.10.0:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:13.10.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:13.11.0:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:13.11.1:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:13.11.2:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:13.12.0:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:13.12.1:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:13.12.2:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:13.13.0:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:14.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:14.0.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:14.0.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:14.0.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:14.0.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:14.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:14.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:14.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:14.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:14.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:14.2.0:*:*:*:*:*:*:*
Digium/Certified Asterisk44 versions
cpe:2.3:a:digium:certified_asterisk:11.4.0:rc3:*:*:*:*:*:*+ 43 more
- cpe:2.3:a:digium:certified_asterisk:11.4.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:digium:certified_asterisk:11.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:digium:certified_asterisk:11.5.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:digium:certified_asterisk:11.5.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:digium:certified_asterisk:11.6:cert1:*:*:*:*:*:*
- cpe:2.3:a:digium:certified_asterisk:11.6:cert1:*:*:lts:*:*:*
- cpe:2.3:a:digium:certified_asterisk:11.6:cert1_rc1:*:*:*:*:*:*
- cpe:2.3:a:digium:certified_asterisk:11.6:cert1_rc2:*:*:*:*:*:*
- cpe:2.3:a:digium:certified_asterisk:11.6:cert10:*:*:lts:*:*:*
- cpe:2.3:a:digium:certified_asterisk:11.6:cert11:*:*:lts:*:*:*
- cpe:2.3:a:digium:certified_asterisk:11.6:cert12:*:*:lts:*:*:*
- cpe:2.3:a:digium:certified_asterisk:11.6:cert13:*:*:lts:*:*:*
- cpe:2.3:a:digium:certified_asterisk:11.6:cert14:*:*:lts:*:*:*
- cpe:2.3:a:digium:certified_asterisk:11.6:cert15:*:*:lts:*:*:*
- cpe:2.3:a:digium:certified_asterisk:11.6:cert2:*:*:*:*:*:*
- cpe:2.3:a:digium:certified_asterisk:11.6:cert2:*:*:lts:*:*:*
- cpe:2.3:a:digium:certified_asterisk:11.6:cert3:*:*:*:*:*:*
- cpe:2.3:a:digium:certified_asterisk:11.6.0:-:*:*:*:*:*:*
- cpe:2.3:a:digium:certified_asterisk:11.6.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:digium:certified_asterisk:11.6.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:digium:certified_asterisk:11.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:digium:certified_asterisk:11.0.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:digium:certified_asterisk:11.0.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:digium:certified_asterisk:11.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:digium:certified_asterisk:11.1.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:digium:certified_asterisk:11.1.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:digium:certified_asterisk:11.1.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:digium:certified_asterisk:11.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:digium:certified_asterisk:11.2.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:digium:certified_asterisk:11.2.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:digium:certified_asterisk:11.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:digium:certified_asterisk:11.3.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:digium:certified_asterisk:11.3.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:digium:certified_asterisk:11.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:digium:certified_asterisk:11.4.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:digium:certified_asterisk:11.4.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:digium:certified_asterisk:11.6:cert3:*:*:lts:*:*:*
- cpe:2.3:a:digium:certified_asterisk:11.6:cert4:*:*:lts:*:*:*
- cpe:2.3:a:digium:certified_asterisk:11.6:cert5:*:*:lts:*:*:*
- cpe:2.3:a:digium:certified_asterisk:11.6:cert6:*:*:lts:*:*:*
- cpe:2.3:a:digium:certified_asterisk:11.6:cert7:*:*:lts:*:*:*
- cpe:2.3:a:digium:certified_asterisk:11.6:cert8:*:*:lts:*:*:*
- cpe:2.3:a:digium:certified_asterisk:11.6:cert9:*:*:lts:*:*:*
- cpe:2.3:a:digium:certified_asterisk:11.6.0:*:*:*:lts:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

downloads.asterisk.org/pub/security/AST-2016-009.htmlnvdMitigationVendor Advisory
www.securityfocus.com/bid/94789nvdThird Party AdvisoryVDB Entry
www.securitytracker.com/id/1037408nvd

News mentions

No linked articles in our index yet.

cvss	0.345
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000