CVE-2016-9938
CVE-2016-9938 is a medium-severity vulnerability in Digium Asterisk with a CVSS 3.x base score of 5.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-285.
Key facts
- Severity: Medium (CVSS 3.x base score 5.3)
- CVSS v2: 5.0
- EPSS exploit prediction: 3% (88th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-285
- Affected product: Digium Asterisk
- Published:
- Last modified:
Description
An issue was discovered in Asterisk Open Source 11.x before 11.25.1, 13.x before 13.13.1, and 14.x before 14.2.1 and Certified Asterisk 11.x before 11.6-cert16 and 13.x before 13.8-cert4. The chan_sip channel driver has a liberal definition for whitespace when attempting to strip the content between a SIP header name and a colon character. Rather than following RFC 3261 and stripping only spaces and horizontal tabs, Asterisk treats any non-printable ASCII character as if it were whitespace. This means that headers such as Contact\x01: will be seen as a valid Contact header. This mostly does not pose a problem until Asterisk is placed in tandem with an authenticating SIP proxy. In such a case, a crafty combination of valid and invalid To headers can cause a proxy to allow an INVITE request into Asterisk without authentication since it believes the request is an in-dialog request. However, because of the bug described above, the request will look like an out-of-dialog request to Asterisk. Asterisk will then process the request as a new call. The result is that Asterisk can process calls from unvetted sources without any authentication. If you do not use a proxy for authentication, then this issue does not affect you. If your proxy is dialog-aware (meaning that the proxy keeps track of what dialogs are currently valid), then this issue does not affect you. If you use chan_pjsip instead of chan_sip, then this issue does not affect you.
Frequently asked questions
- What is CVE-2016-9938?
- An issue was discovered in Asterisk Open Source 11.x before 11.25.1, 13.x before 13.13.1, and 14.x before 14.2.1 and Certified Asterisk 11.x before 11.6-cert16 and 13.x before 13.8-cert4. The chan_sip channel driver has a liberal definition for whitespace when attempting to strip the content between a SIP header name and a colon character. Rather than following RFC 3261 and stripping only spaces and horizontal tabs, Asterisk treats any non-printable ASCII character as if it were whitespace. This means that headers such as Contact\x01: will be seen as a valid Contact header. This mostly does not pose a problem until Asterisk is placed in tandem with an authenticating SIP proxy. In such a case, a crafty combination of valid and invalid To headers can cause a proxy to allow an INVITE request into Asterisk without authentication since it believes the request is an in-dialog request. However, because of the bug described above, the request will look like an out-of-dialog request to Asterisk. Asterisk will then process the request as a new call. The result is that Asterisk can process calls from unvetted sources without any authentication. If you do not use a proxy for authentication, then this issue does not affect you. If your proxy is dialog-aware (meaning that the proxy keeps track of what dialogs are currently valid), then this issue does not affect you. If you use chan_pjsip instead of chan_sip, then this issue does not affect you.
- How severe is CVE-2016-9938?
- CVE-2016-9938 has a CVSS 3.x base score of 5.3, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity low, and availability none.
- Is CVE-2016-9938 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 3% (88th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2016-9938?
- CVE-2016-9938 primarily affects Digium Asterisk. In total, 146 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2016-9938?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2016-9938 published?
- CVE-2016-9938 was published on 2016-12-12 and last updated on 2026-06-17.
References
- http://downloads.asterisk.org/pub/security/AST-2016-009.html
- http://www.securityfocus.com/bid/94789
- http://www.securitytracker.com/id/1037408
Affected products (146)
- cpe:2.3:a:digium:asterisk:11.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.0.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.0.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.0.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.0.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.1.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.1.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.2.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.2.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.9.0:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.10.0:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.10.1:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.10.2:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.11.0:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.12.0:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.12.1:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.13.0:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.13.1:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.14.0:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.14.1:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.14.2:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.15.0:*:*:*:*:*:*:*
- cpe:2.3:a:digium:asterisk:11.15.1:*:*:*:*:*:*:*
More vulnerabilities in Digium Asterisk
- CVE-2022-26651 — Critical (CVSS 9.8): An issue was discovered in Asterisk through 19.x and Certified Asterisk through 16.8-cert13. The func_odbc module…
- CVE-2017-14100 — Critical (CVSS 9.8): In Asterisk 11.x before 11.25.2, 13.x before 13.17.1, and 14.x before 14.6.1 and Certified Asterisk 11.x before…
- CVE-2022-26499 — Critical (CVSS 9.1): An SSRF issue was discovered in Asterisk through 19.x. When using STIR/SHAKEN, it's possible to send arbitrary requests…
- CVE-2014-8418 — Critical (CVSS 9.0): The DB dialplan function in Asterisk Open Source 1.8.x before 1.8.32, 11.x before 11.1.4.1, 12.x before 12.7.1, and…
- CVE-2011-1599 — Critical (CVSS 9.0): manager.c in the Manager Interface in Asterisk Open Source 1.4.x before 1.4.40.1, 1.6.1.x before 1.6.1.25, 1.6.2.x…
- CVE-2019-18610 — High (CVSS 8.8): An issue was discovered in manager.c in Sangoma Asterisk through 13.x, 16.x, 17.x and Certified Asterisk 13.21 through…
All CVEs affecting Digium Asterisk →
Other CWE-285 (Improper Authorization) vulnerabilities
- CVE-2025-65041 — Critical (CVSS 10.0): Improper authorization in Microsoft Partner Center allows an unauthorized attacker to elevate privileges over a network.
- CVE-2023-33189 — Critical (CVSS 10.0): Pomerium is an identity and context-aware access proxy. With specially crafted requests, incorrect authorization…
- CVE-2022-2595 — Critical (CVSS 10.0): Improper Authorization in GitHub repository kromitgmbh/titra prior to 0.79.1.
- CVE-2021-28799 — Critical (CVSS 10.0): An improper authorization vulnerability has been reported to affect QNAP NAS running HBS 3 (Hybrid Backup Sync. ) If…
- CVE-2026-34048 — Critical (CVSS 9.9): Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to…
- CVE-2026-5412 — Critical (CVSS 9.9): In Juju versions prior to 2.9.57 and 3.6.21, an authorization issue exists in the Controller facade. An authenticated…
Browse all CWE-285 (Improper Authorization) vulnerabilities →