CVE-2008-1923Improper Authentication in Asterisk

CWE-16CWE-287Improper Authentication10 documents6 sources
Severity
7.1HIGHNVD
NVD4.3OSV4.3
EPSS
1.5%
top 18.68%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
6
Asterisk Appliance Developer KITAsterisk Business EditionDebian Asterisk+3 more
Timeline
PublishedApr 23
Latest updateMay 1

Description

The IAX2 channel driver (chan_iax2) in Asterisk 1.2 before revision 72630 and 1.4 before revision 65679, when configured to allow unauthenticated calls, sends "early audio" to an unverified source IP address of a NEW message, which allows remote attackers to cause a denial of service (traffic amplification) via a spoofed NEW message.

CVSS vector

AV:N/AC:M/C:N/I:N/A:CExploitability: 8.6 | Impact: 6.9

Affected Packages8 packages

NVDasterisk/open_source1.2.27+77
debiandebian/asterisk< asterisk 1:1.4.19.1~dfsg-1 (bullseye)
Debianasterisk/asterisk_business_edition< 1:1.4.19.1~dfsg-1
Debianasterisk/asterisk_appliance_developer_kit< 1:1.4.19.1~dfsg-1
NVDasterisk/s800i1.1.0.2+7

🔴Vulnerability Details

4
GHSA
GHSA-653q-fj3p-cqrg: The IAX2 channel driver (chan_iax2) in Asterisk Open Source 12022-05-01
GHSA
GHSA-3p74-pwfx-pcgr: The IAX2 channel driver (chan_iax2) in Asterisk 12022-05-01
OSV
CVE-2008-1923: The IAX2 channel driver (chan_iax2) in Asterisk 12008-04-23
OSV
CVE-2008-1897: The IAX2 channel driver (chan_iax2) in Asterisk Open Source 12008-04-23

📋Vendor Advisories

3
Red Hat
asterisk: 3-way handshake in IAX2 incomplete (CVE-2008-1923)2008-04-22
Debian
CVE-2008-1923: asterisk - The IAX2 channel driver (chan_iax2) in Asterisk 1.2 before revision 72630 and 1....2008
Debian
CVE-2008-1897: asterisk - The IAX2 channel driver (chan_iax2) in Asterisk Open Source 1.0.x, 1.2.x before ...2008

💬Community

1
Bugzilla
CVE-2008-1897 asterisk: 3-way handshake in IAX2 incomplete (CVE-2008-1923)2008-04-23
CVE-2008-1923 — Improper Authentication in Asterisk | cvebase