CVE-2023-37457: 
NixOS vulnerability analysis and mitigation

Asterisk, an open source private branch exchange and telephony toolkit, was found to contain a buffer overflow vulnerability (CVE-2023-37457) affecting versions 18.20.0 and prior, 20.5.0 and prior, and 21.0.0, as well as certified-asterisk 18.9-cert5 and prior. The vulnerability exists in the 'update' functionality of the PJSIP_HEADER dialplan function, which can exceed the available buffer space for storing new header values (GitHub Advisory).

The vulnerability is classified as a Buffer Copy without Checking Size of Input (Classic Buffer Overflow) vulnerability (CWE-120). When updating an existing header, the 'update' code incorrectly copied the new value into the existing buffer without checking size limitations. If the new value exceeded the available buffer size, memory outside of the buffer would be written into, potentially causing a crash. The vulnerability has received a CVSS v3.1 base score of 8.2 (HIGH) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H (NVD).

The vulnerability can lead to memory corruption or system crashes when exploited. However, the impact is limited as it is not externally exploitable unless the dialplan is explicitly written to update a header based on data from an outside source (GitHub Advisory).

A patch has been released that modifies the 'update' functionality to duplicate the new header value instead of copying it into the existing buffer. The fix is available in commit a1ca0268254374b515fa5992f01340f7717113fa. Additionally, Debian has released security updates to address this vulnerability in version 1:16.28.0~dfsg-0+deb10u4 (Debian Advisory, GitHub Patch).