CVE-2021-46837: 
NixOS vulnerability analysis and mitigation

respjsipt38 in Sangoma Asterisk 16.x before 16.16.2, 17.x before 17.9.3, and 18.x before 18.2.2, and Certified Asterisk before 16.8-cert7, contains a vulnerability that allows an attacker to trigger a crash. This vulnerability was discovered on February 20, 2021, and was publicly disclosed on March 4, 2021. The issue is a re-occurrence of CVE-2019-15297 symptoms but with a different root cause (Vendor Advisory).

The vulnerability occurs when an attacker sends an m=image line and zero port in a response to a T.38 re-invite initiated by Asterisk. The crash happens because there is an append operation relative to the active topology, when it should instead be a replace operation. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, and is classified as a NULL Pointer Dereference (CWE-476) (NVD).

When successfully exploited, this vulnerability results in a crash of the Asterisk system, leading to a denial of service condition. The impact is limited to availability, with no direct effect on confidentiality or integrity of the system (Vendor Advisory).

If T.38 faxing is not required, the vulnerability can be mitigated by setting 't38_udptl' on the endpoint to 'no' (which is the default setting). For systems requiring T.38 faxing, upgrading to the fixed versions (Asterisk Open Source 16.16.2, 17.9.3, 18.2.2, or Certified Asterisk 16.8-cert7) is recommended (Vendor Advisory).