Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
NA

CVE-2023-49786

Published: 14/12/2023 Updated: 29/12/2023
CVSS v3 Base Score: 5.9 | Impact Score: 3.6 | Exploitability Score: 2.2
VMScore: 0
Subscribe to Sangoma

Vulnerability Summary

Asterisk is an open source private branch exchange and telephony toolkit. In Asterisk prior to versions 18.20.1, 20.5.1, and 21.0.1; as well as certified-asterisk before 18.9-cert6; Asterisk is susceptible to a DoS due to a race condition in the hello handshake phase of the DTLS protocol when handling DTLS-SRTP for media setup. This attack can be done continuously, thus denying new DTLS-SRTP encrypted calls during the attack. Abuse of this vulnerability may lead to a massive Denial of Service on vulnerable Asterisk servers for calls that rely on DTLS-SRTP. Commit d7d7764cb07c8a1872804321302ef93bf62cba05 contains a fix, which is part of versions 18.20.1, 20.5.1, 21.0.1, amd 18.9-cert6.

Vulnerable Product Search on Vulmon Subscribe to Product

sangoma certified asterisk 18.9

sangoma certified asterisk 13.13.0

sangoma certified asterisk 16.8.0

digium asterisk 21.0.0

digium asterisk

Vendor Advisories

Debian CVElist Bug Report Logs: asterisk: CVE-2023-49294
Debian Bug report logs - #1059032 asterisk: CVE-2023-49294 Package: src:asterisk; Maintainer for src:asterisk is Debian VoIP Team <pkg-voip-maintainers@listsaliothdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Tue, 19 Dec 2023 15:27:02 UTC Severity: important Tags: security, upstream Foun ...
Debian CVElist Bug Report Logs: asterisk: CVE-2023-49786
Debian Bug report logs - #1059033 asterisk: CVE-2023-49786 Package: src:asterisk; Maintainer for src:asterisk is Debian VoIP Team <pkg-voip-maintainers@listsaliothdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Tue, 19 Dec 2023 15:33:01 UTC Severity: grave Tags: security, upstream Found in ...

Exploits

Exploit DB: Asterisk 20.1.0 Denial Of Service
When handling DTLS-SRTP for media setup, Asterisk version 2010 is susceptible to denial of service due to a race condition in the hello handshake phase of the DTLS protocol This attack can be done continuously, thus denying new DTLS-SRTP encrypted calls during the attack ...

Mailing Lists

Full Disclosure: [ES2023-01] Asterisk susceptible to Denial of Service via DTLS Hello packets during call initiation
<!--X-Body-Begin--> <!--X-User-Header--> Full Disclosure mailing list archives <!--X-User-Header-End--> <!--X-TopPNI--> By Date By Thread </form> <!--X-TopPNI-End--> <!--X-MsgBody--> <!--X-Subject-Header-Begin--> [ES2023-01] Asterisk susceptible to Denial of Service via DTLS Hello packets during call initiation <!--X-Subject-Head ...

References

CWE-362https://github.com/asterisk/asterisk/security/advisories/GHSA-hxj9-xwr8-w8pqhttps://github.com/asterisk/asterisk/commit/d7d7764cb07c8a1872804321302ef93bf62cba05https://github.com/EnableSecurity/advisories/tree/master/ES2023-01-asterisk-dtls-hello-racehttp://www.openwall.com/lists/oss-security/2023/12/15/7http://packetstormsecurity.com/files/176251/Asterisk-20.1.0-Denial-Of-Service.htmlhttp://seclists.org/fulldisclosure/2023/Dec/24https://lists.debian.org/debian-lts-announce/2023/12/msg00019.htmlhttps://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059032https://nvd.nist.gov
VMScore
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2006-4304CVE-2024-4240arbitrary CVE-2024-31601XSSCVE-2023-20198CVE-2024-4256CVE-2024-3342encryption
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook