This vulnerability impacts several specific versions of Asterisk and Certified Asterisk: Versions prior to 18.24.3, 20.9.3, and 21.4.3.
At its core, CVE-2024-42491 is a critical flaw related to how Asterisk handles Session Initiation Protocol (SIP) requests. Specifically, if the res_resolver_unbound module is loaded and the system attempts to send a request to a URI with a host portion starting with .1 or [.1] , the system can suffer a segmentation fault (SEGV) and crash. The Technical "Why"
The system attempts to access a pointer that it expects to be valid but is actually NULL. 42491 rar
Versions prior to 18.9-cert12 and 20.7-cert2. How to Secure Your System
The vulnerability stems from two primary software weaknesses: The Technical "Why" The system attempts to access
Set noload = res_resolver_unbound.so in your modules.conf file.
Set rewrite_contact = yes on all PJSIP endpoints. Final Thoughts Set rewrite_contact = yes on all PJSIP endpoints
The software fails to verify the success of a function or method, leading it to proceed into an "unexpected state"—in this case, a total crash. Who Is Affected?