CVE-2008-1897 — Improper Authentication in Asterisk

CWE-287 — Improper Authentication6 documents6 sources

Severity

4.3MEDIUMNVD

EPSS

3.0%

top 13.30%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Asterisk Appliance Developer KIT Debian Asterisk Asterisk Business Edition +3 more

Timeline

PublishedApr 23

Latest updateMay 1

Description

The IAX2 channel driver (chan_iax2) in Asterisk Open Source 1.0.x, 1.2.x before 1.2.28, and 1.4.x before 1.4.19.1; Business Edition A.x.x, B.x.x before B.2.5.2, and C.x.x before C.1.8.1; AsteriskNOW before 1.0.3; Appliance Developer Kit 0.x.x; and s800i before 1.1.0.3, when configured to allow unauthenticated calls, does not verify that an ACK response contains a call number matching the server's reply to a NEW message, which allows remote attackers to cause a denial of service (traffic amplific…

CVSS vector

AV:N/AC:M/C:N/I:N/A:PExploitability: 8.6 | Impact: 2.9

Affected Packages7 packages

▶Debianasterisk/asterisk_appliance_developer_kit< 1:1.4.19.1~dfsg-1

▶NVDasterisk/open_source1.2.27+65

▶NVDasterisk/asterisk_business_editionb.2.5.1+16

▶NVDasterisk/asterisk_appliance_developer_kit8 versions+7

▶NVDasterisk/s800i1.1.0.2+7

🔴Vulnerability Details

GHSA

GHSA-653q-fj3p-cqrg: The IAX2 channel driver (chan_iax2) in Asterisk Open Source 1↗2022-05-01

▶

OSV

CVE-2008-1897: The IAX2 channel driver (chan_iax2) in Asterisk Open Source 1↗2008-04-23

▶

📋Vendor Advisories

Red Hat

asterisk: 3-way handshake in IAX2 incomplete (CVE-2008-1923)↗2008-04-22

▶

Debian

CVE-2008-1897: asterisk - The IAX2 channel driver (chan_iax2) in Asterisk Open Source 1.0.x, 1.2.x before ...↗2008

▶

💬Community

Bugzilla

CVE-2008-1897 asterisk: 3-way handshake in IAX2 incomplete (CVE-2008-1923)↗2008-04-23

▶