← Back

CVE-2023-49786

nvd nist
Published: Dec 14, 2023Modified: Nov 21, 2024

JSON object

Loading...
5.9
Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 2.2 / Impact: 3.6
Source: NVD

Description

Asterisk is an open source private branch exchange and telephony toolkit. In Asterisk prior to versions 18.20.1, 20.5.1, and 21.0.1; as well as certified-asterisk prior to 18.9-cert6; Asterisk is susceptible to a DoS due to a race condition in the hello handshake phase of the DTLS protocol when handling DTLS-SRTP for media setup. This attack can be done continuously, thus denying new DTLS-SRTP encrypted calls during the attack. Abuse of this vulnerability may lead to a massive Denial of Service on vulnerable Asterisk servers for calls that rely on DTLS-SRTP. Commit d7d7764cb07c8a1872804321302ef93bf62cba05 contains a fix, which is part of versions 18.20.1, 20.5.1, 21.0.1, amd 18.9-cert6.

Affected (31)

Digium
1 product
Asterisk
Sangoma
1 product
Certified Asterisk
Configuration A
31 vulnerable
Vulnerable SoftwareAffected Versions
Digium
Asterisk
Before 18.20.1
Asterisk
From 19.0.0 to 20.5.1
Asterisk
Version 21.0.0
Sangoma
Certified Asterisk
Version 13.13.0
Certified Asterisk
Version 13.13.0 cert1-rc1
Certified Asterisk
Version 13.13.0 cert1-rc2
Certified Asterisk
Version 13.13.0 cert1-rc3
Certified Asterisk
Version 13.13.0 cert1-rc4
Certified Asterisk
Version 13.13.0 cert1
Certified Asterisk
Version 13.13.0 cert2
Certified Asterisk
Version 13.13.0 cert3
Certified Asterisk
Version 13.13.0 rc1
Certified Asterisk
Version 13.13.0 rc2
Certified Asterisk
Version 16.8.0
Certified Asterisk
Version 16.8.0 cert10
Certified Asterisk
Version 16.8.0 cert11
Certified Asterisk
Version 16.8.0 cert12
Certified Asterisk
Version 16.8.0 cert1
Certified Asterisk
Version 16.8.0 cert2
Certified Asterisk
Version 16.8.0 cert3
Certified Asterisk
Version 16.8.0 cert4
Certified Asterisk
Version 16.8.0 cert5
Certified Asterisk
Version 16.8.0 cert6
Certified Asterisk
Version 16.8.0 cert7
Certified Asterisk
Version 16.8.0 cert8
Certified Asterisk
Version 16.8.0 cert9
Certified Asterisk
Version 18.9 cert1
Certified Asterisk
Version 18.9 cert2
Certified Asterisk
Version 18.9 cert3
Certified Asterisk
Version 18.9 cert4
Certified Asterisk
Version 18.9 cert5

Related CWEs

CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.
CWE-703
Improper Check or Handling of Exceptional Conditions
The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.

References (14)

Source: security-advisories@github.com
ExploitThird Party AdvisoryVDB Entry
Source: security-advisories@github.com
ExploitMailing ListThird Party Advisory
Source: security-advisories@github.com
ExploitMailing List
Source: security-advisories@github.com
Exploit
Source: security-advisories@github.com
Patch
Source: security-advisories@github.com
ExploitVendor Advisory
Source: security-advisories@github.com
Source: af854a3a-2127-422b-91ae-364da2661108
ExploitThird Party AdvisoryVDB Entry
Source: af854a3a-2127-422b-91ae-364da2661108
ExploitMailing ListThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
ExploitMailing List
Source: af854a3a-2127-422b-91ae-364da2661108
Exploit
Source: af854a3a-2127-422b-91ae-364da2661108
Patch
Source: af854a3a-2127-422b-91ae-364da2661108
ExploitVendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.