CVE-2009-0871 in Asterisk
Summary
by MITRE
The SIP channel driver in Asterisk Open Source 1.4.22, 1.4.23, and 1.4.23.1; 1.6.0 before 1.6.0.6; 1.6.1 before 1.6.1.0-rc2; and Asterisk Business Edition C.2.3, with the pedantic option enabled, allows remote authenticated users to cause a denial of service (crash) via a SIP INVITE request without any headers, which triggers a NULL pointer dereference in the (1) sip_uri_headers_cmp and (2) sip_uri_params_cmp functions.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 04/21/2025
The vulnerability described in CVE-2009-0871 represents a critical denial of service weakness within the SIP channel driver of Asterisk Open Source and Business Edition systems. This flaw specifically affects versions ranging from 1.4.22 through 1.4.23.1 and various 1.6.x releases prior to their respective security patches. The vulnerability manifests when the pedantic option is enabled within the SIP channel driver configuration, creating a scenario where legitimate authenticated users can exploit the system's handling of malformed SIP INVITE requests. The core issue stems from the system's inability to properly validate incoming SIP messages that lack essential header information, leading to a cascade of errors that ultimately result in system crash and service disruption.
The technical implementation of this vulnerability involves specific function calls within the SIP channel driver that process SIP URI headers and parameters. When a SIP INVITE request is received without any headers, the system attempts to process these malformed messages through the sip_uri_headers_cmp and sip_uri_params_cmp functions. These functions contain a NULL pointer dereference condition where the code assumes certain header structures exist and attempts to access memory locations that have not been properly initialized or allocated. This type of vulnerability falls under CWE-476 which specifically addresses NULL pointer dereference conditions in software implementations. The flaw demonstrates poor input validation and error handling practices within the Asterisk SIP processing pipeline, where the system fails to account for edge cases in SIP message formatting.
The operational impact of this vulnerability extends beyond simple service disruption to potentially compromise the entire telephony infrastructure relying on affected Asterisk systems. Remote authenticated attackers can leverage this weakness to repeatedly crash the SIP channel driver, effectively rendering the telephony service unavailable to legitimate users. The attack requires only authentication to the system, making it particularly dangerous as it can be exploited by insiders or compromised accounts. This vulnerability directly maps to ATT&CK technique T1499.004 which covers network denial of service attacks, and more specifically to T1566.001 which encompasses credential access through social engineering or compromised accounts. The repeated nature of the crash means that even brief exploitation can lead to significant service degradation, potentially affecting business communications and emergency services that depend on reliable telephony infrastructure.
Mitigation strategies for this vulnerability should focus on immediate patch application to the affected Asterisk versions, with administrators prioritizing upgrades to versions 1.6.0.6, 1.6.1.0-rc2, and later releases that contain the necessary code fixes. The pedantic option should be carefully evaluated and potentially disabled if not essential for the system's operation, as this option inadvertently exposes the system to the null pointer dereference issue. Network-level protections including SIP message filtering and rate limiting can provide additional defense in depth, though these measures are secondary to the primary requirement of applying vendor patches. System administrators should also implement monitoring solutions that can detect unusual patterns of SIP INVITE processing failures, as these may indicate exploitation attempts. The vulnerability highlights the importance of proper input validation and defensive programming practices, particularly in telephony systems where reliability and availability are paramount for business operations and emergency communications services.