CVE-2024-42491: 
NixOS vulnerability analysis and mitigation

CVE-2024-42491 affects Asterisk, an open-source private branch exchange (PBX) system. The vulnerability was discovered and disclosed in September 2024, affecting versions prior to 18.24.3, 20.9.3, and 21.4.3 of Asterisk and versions prior to 18.9-cert12 and 20.7-cert2 of certified-asterisk. The issue occurs when Asterisk attempts to send a SIP request to a URI whose host portion starts with .1 or [.1], and res_resolver_unbound is loaded, causing Asterisk to crash with a SEGV (GitHub Advisory).

The vulnerability stems from a NULL pointer dereference in the unbound_resolver_callback function. When libunbound passes a NULL ub_result pointer for malformed queries like .1 or [.1], the system crashes with a segmentation fault. The issue is related to both CWE-252 (Unchecked Return Value) and CWE-476 (NULL Pointer Dereference). The vulnerability has been assigned a CVSS v3.1 base score of 5.7 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H (GitHub Advisory).

The vulnerability can lead to a denial of service through system crash when processing certain SIP requests. The impact is particularly significant when the incoming endpoint's rewrite_contact parameter is set to false and Asterisk attempts to send a request back using a malformed URI. While unauthenticated clients can only trigger the crash if anonymous calling is allowed (which is rare), authorized users could potentially exploit this through malformed dialstrings or AMI/ARI operations (GitHub Advisory).

Two workarounds are available: 1) Disable res_resolver_unbound by setting noload = res_resolver_unbound.so in modules.conf, or 2) Set rewrite_contact = yes on all PJSIP endpoints, though this may not be appropriate for all configurations. For a permanent fix, users should upgrade to versions 18.24.3, 20.9.3, 21.4.3, certified-18.9-cert12, or certified-20.7-cert2 (GitHub Advisory).