CVE-2007-4103 — Missing Release of Resource after Effective Lifetime in Asterisk

CWE-772 — Missing Release of Resource after Effective Lifetime CWE-400 — Uncontrolled Resource Consumption6 documents5 sources

Severity

7.5HIGHNVD

EPSS

2.6%

top 14.31%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Digium Asterisk Digium Asterisk Appliance Developer KIT Debian Asterisk

Timeline

PublishedJul 31

Latest updateMay 1

Description

The IAX2 channel driver (chan_iax2) in Asterisk Open 1.2.x before 1.2.23, 1.4.x before 1.4.9, and Asterisk Appliance Developer Kit before 0.6.0, when configured to allow unauthenticated calls, allows remote attackers to cause a denial of service (resource exhaustion) via a flood of calls that do not complete a 3-way handshake, which causes an ast_channel to be allocated but not released.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶NVDdigium/asterisk_appliance_developer_kit< 0.6.0

▶NVDdigium/asterisk1.2.20 — 1.2.23+1

▶debiandebian/asterisk< asterisk 1:1.4.9~dfsg-1 (bullseye)

▶Debiandigium/asterisk< 1:1.4.9~dfsg-1

Patches

Patch: bugs.gentoo.org ↗Patch: ftp.digium.com ↗Patch: secunia.com ↗

🔴Vulnerability Details

GHSA

GHSA-9jqm-gvwx-9wxq: The IAX2 channel driver (chan_iax2) in Asterisk Open 1↗2022-05-01

▶

OSV

CVE-2007-4103: The IAX2 channel driver (chan_iax2) in Asterisk Open 1↗2007-07-31

▶

📋Vendor Advisories

Debian

CVE-2007-4103: asterisk - The IAX2 channel driver (chan_iax2) in Asterisk Open 1.2.x before 1.2.23, 1.4.x ...↗2007

▶

📐Framework References

CWE

Uncontrolled Resource Consumption↗

▶

CWE

Missing Release of Resource after Effective Lifetime↗

▶