CVE-2025-57767 Overview
CVE-2025-57767 is a Null Pointer Dereference vulnerability in Sangoma Asterisk, an open source private branch exchange (PBX) and telephony toolkit. The vulnerability exists in the res_pjsip_authenticator_digest module and can be triggered by sending specially crafted SIP requests with malformed Authorization headers. When exploited, this vulnerability causes a segmentation fault (SEGV), resulting in a denial of service condition that crashes the Asterisk server.
Critical Impact
Unauthenticated remote attackers can crash Asterisk PBX servers by sending malformed SIP requests with invalid Authorization headers, disrupting VoIP communications for affected organizations.
Affected Products
- Sangoma Asterisk versions prior to 20.15.2
- Sangoma Asterisk versions prior to 21.10.2
- Sangoma Asterisk versions prior to 22.5.2
Discovery Timeline
- 2025-08-28 - CVE-2025-57767 published to NVD
- 2025-10-20 - Last updated in NVD database
Technical Details for CVE-2025-57767
Vulnerability Analysis
The vulnerability resides in the get_authorization_header() function within res/res_pjsip_authenticator_digest.c. When processing incoming SIP requests, the Asterisk server parses Authorization headers to validate credentials during digest authentication. The flaw occurs when a SIP request arrives with an Authorization header containing a realm that was not present in a previous 401 response's WWW-Authenticate header, or when an Authorization header with an incorrect realm is received without any prior 401 challenge being sent.
In these scenarios, the get_authorization_header() function returns NULL. The vulnerable code path failed to check for this NULL return value before attempting to access the digest algorithm from the header structure, directly dereferencing the NULL pointer. This NULL pointer dereference triggers a segmentation fault, causing the Asterisk process to crash immediately.
Root Cause
The root cause is a missing NULL pointer check (CWE-253: Incorrect Check of Function Return Value) in the authentication handling logic. The code assumed that get_authorization_header() would always return a valid pointer to an authorization header structure, without accounting for edge cases where clients send malformed or unexpected authentication data. This is a classic case of improper error handling where the return value of a function that can fail was not validated before use.
Attack Vector
An attacker can exploit this vulnerability remotely over the network without requiring any authentication. The attack involves sending SIP requests (such as INVITE, REGISTER, or OPTIONS) directly to an exposed Asterisk server with a crafted Authorization header. The attacker can include a realm value that was never issued by the server in a previous 401 challenge, or send an unsolicited Authorization header without having received any authentication challenge. Since SIP services are commonly exposed to the internet for VoIP communications, this significantly expands the attack surface.
// Security patch from res/res_pjsip_authenticator_digest.c
// Source: https://github.com/asterisk/asterisk/commit/02993717b08f899d4aca9888062f35dfb198584f
const char *creds;
const char *auth_name = (auth ? ast_sorcery_object_get_id(auth) : "none");
struct pjsip_authorization_hdr *auth_hdr = get_authorization_hdr(auth_name, realm, param->rdata);
- const pjsip_auth_algorithm *algorithm =
- ast_sip_auth_get_algorithm_by_iana_name(&auth_hdr->credential.digest.algorithm);
+ const pjsip_auth_algorithm *algorithm = auth_hdr ?
+ ast_sip_auth_get_algorithm_by_iana_name(&auth_hdr->credential.digest.algorithm) : NULL;
const char *src_name = param->rdata->pkt_info.src_name;
SCOPE_ENTER(4, "%s:%s:"
" srv realm: " PJSTR_PRINTF_SPEC
" auth realm: %s"
- " hdr realm: " PJSTR_PRINTF_SPEC
" auth user: %s"
" hdr user: " PJSTR_PRINTF_SPEC
- " algorithm: " PJSTR_PRINTF_SPEC
"\n",
auth_name, src_name,
PJSTR_PRINTF_VAR(param->realm),
realm,
- PJSTR_PRINTF_VAR(auth_hdr->credential.common.realm),
auth->auth_user,
- PJSTR_PRINTF_VAR(param->acc_name),
- PJSTR_PRINTF_VAR(algorithm->iana_name));
+ PJSTR_PRINTF_VAR(param->acc_name));
+
+ /*
+ * If a client is responding correctly, most of the error conditions below
+ * can't happen because we sent them the correct info in the 401 response.
+ * However, if a client is trying to authenticate with us without
+ * having received a challenge or if they are trying to
The patch adds a conditional NULL check for auth_hdr before attempting to access its credential.digest.algorithm member, preventing the NULL pointer dereference.
Detection Methods for CVE-2025-57767
Indicators of Compromise
- Unexpected Asterisk process crashes or service restarts
- Core dump files in /var/lib/asterisk/ or system crash directories with SEGV signals
- SIP traffic containing Authorization headers with unusual or mismatched realm values
- Sudden loss of VoIP service availability without corresponding system resource exhaustion
Detection Strategies
- Monitor Asterisk log files for segmentation fault errors and unexpected daemon terminations
- Implement SIP-aware intrusion detection rules to flag Authorization headers sent without a preceding 401 challenge
- Configure process monitoring to alert on Asterisk crashes with automatic restart detection
- Analyze SIP traffic for Authorization headers containing realm values that don't match your configured authentication realms
Monitoring Recommendations
- Deploy network-based monitoring on SIP ports (5060/UDP, 5061/TCP for TLS) to capture suspicious authentication attempts
- Configure systemd or process monitoring tools to track Asterisk service uptime and crash frequency
- Enable detailed SIP debugging logs during incident investigation to capture malformed request patterns
- Set up alerting for rapid sequences of Asterisk restarts which may indicate active exploitation
How to Mitigate CVE-2025-57767
Immediate Actions Required
- Upgrade Asterisk to patched versions 20.15.2, 21.10.2, or 22.5.2 immediately
- Review firewall rules to restrict SIP access to trusted IP addresses and networks only
- Implement SIP-aware firewall or session border controller (SBC) to filter malformed SIP messages
- Consider temporarily disabling digest authentication if alternative authentication mechanisms are available
Patch Information
Sangoma has released security patches addressing this vulnerability. Apply the appropriate patch based on your Asterisk version branch:
- Version 20.x: Upgrade to 20.15.2 or later
- Version 21.x: Upgrade to 21.10.2 or later
- Version 22.x: Upgrade to 22.5.2 or later
The fix is tracked in GitHub Pull Request #1407 with the specific commit available at 02993717b08f899d4aca9888062f35dfb198584f. For complete details, refer to the GitHub Security Advisory GHSA-64qc-9x89-rx5j.
Workarounds
- No workarounds are available for this vulnerability according to the vendor advisory
- The only effective mitigation is upgrading to a patched version
- Network-level controls such as firewalls and SBCs can reduce exposure but do not address the underlying vulnerability
# Verify current Asterisk version
asterisk -V
# Check running version from CLI
asterisk -rx "core show version"
# Example upgrade on Debian/Ubuntu systems
apt-get update && apt-get upgrade asterisk
# Restart Asterisk after upgrade
systemctl restart asterisk
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
