CVE-2008-1923
Published: 2008-04-23
Priority: P4 · Severity: high · CVSS 2.0 base score: 7.1
Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C
EPSS: 1.40% (69.1th percentile)
The IAX2 channel driver (chan_iax2) in Asterisk 1.2 before revision 72630 and 1.4 before revision 65679, when configured to allow unauthenticated calls, sends "early audio" to an unverified source IP address of a NEW message, which allows remote attackers to cause a denial of service (traffic amplification) via a spoofed NEW message.
Affected (121 ranges, showing 25)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| asterisk | asterisk_appliance_developer_kit | — | — |
| asterisk | asterisk_appliance_developer_kit | >= 0 < 1:1.4.19.1~dfsg-1 | 1:1.4.19.1~dfsg-1 |
| asterisk | asterisk_business_edition | <= b.2.5.1 | — |
| asterisk | asterisk_business_edition | <= c1.8.0 | — |
| asterisk | asterisk_business_edition | <= b2.5.1 | — |
| asterisk | asterisk_business_edition | — | — |
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (CVSS v2.0) | 7.1 | HIGH | AV:N/AC:M/Au:N/C:N/I:N/A:C |
| osv | 7.1 | HIGH | — |
| vendor_debian | 7.1 | MEDIUM | — |
| vendor_redhat | 4.3 | MEDIUM | — |
Red Hat (vendor_redhat · 2008-04-22 · CVSS 4.3)
CVE-2008-1897 [MEDIUM] asterisk: 3-way handshake in IAX2 incomplete (CVE-2008-1923)
The IAX2 channel driver (chan_iax2) in Asterisk Open Source 1.0.x, 1.2.x before 1.2.28, and 1.4.x before 1.4.19.1; Business Edition A.x.x, B.x.x before B.2.5.2, and C.x.x before C.1.8.1; AsteriskNOW before 1.0.3; Appliance Developer Kit 0.x.x; and s800i before 1.1.0.3, when configured to allow unauthenticated calls, does not verify that an ACK response contains a call number matching the server's reply to a NEW message, which allows remote attackers to cause a denial of service (traffic amplification) via a spoofed ACK response that does not complete a 3-way handshake. NOTE: this issue exists because of an incomplete fix for CVE-2008-1923.
Debian (vendor_debian · 2008 · CVSS 7.1)
CVE-2008-1923 [HIGH] asterisk
The IAX2 channel driver (chan_iax2) in Asterisk 1.2 before revision 72630 and 1.4 before revision 65679, when configured to allow unauthenticated calls, sends "early audio" to an unverified source IP address of a NEW message, which allows remote attackers to cause a denial of service (traffic amplification) via a spoofed NEW message.
Scope: local
bullseye: resolved (fixed in 1:1.4.19.1~dfsg-1)
sid: resolved (fixed in 1:1.4.19.1~dfsg-1)
Debian (vendor_debian · 2008 · CVSS 4.3)
CVE-2008-1897 [MEDIUM] asterisk
The IAX2 channel driver (chan_iax2) in Asterisk Open Source 1.0.x, 1.2.x before 1.2.28, and 1.4.x before 1.4.19.1; Business Edition A.x.x, B.x.x before B.2.5.2, and C.x.x before C.1.8.1; AsteriskNOW before 1.0.3; Appliance Developer Kit 0.x.x; and s800i before 1.1.0.3, when configured to allow unauthenticated calls, does not verify that an ACK response contains a call number matching the server's reply to a NEW message, which allows remote attackers to cause a denial of service (traffic amplification) via a spoofed ACK response that does not complete a 3-way handshake. NOTE: this issue exists because of an incomplete fix for CVE-2008-1923.
Scope: local
bullseye: resolved (fixed in 1:1.4.19.1~dfsg-1)
sid: resolved (fixed in 1:1.4.19.1~dfsg-1)
GHSA (ghsa_unreviewed · 2022-05-01 · CVSS 7.1)
GHSA-653q-fj3p-cqrg: CVE-2008-1897 [HIGH] CWE-287
The IAX2 channel driver (chan_iax2) in Asterisk Open Source 1.0.x, 1.2.x before 1.2.28, and 1.4.x before 1.4.19.1; Business Edition A.x.x, B.x.x before B.2.5.2, and C.x.x before C.1.8.1; AsteriskNOW before 1.0.3; Appliance Developer Kit 0.x.x; and s800i before 1.1.0.3, when configured to allow unauthenticated calls, does not verify that an ACK response contains a call number matching the server's reply to a NEW message, which allows remote attackers to cause a denial of service (traffic amplification) via a spoofed ACK response that does not complete a 3-way handshake. NOTE: this issue exists because of an incomplete fix for CVE-2008-1923.
GHSA (ghsa_unreviewed · 2022-05-01)
GHSA-3p74-pwfx-pcgr: CVE-2008-1923 [HIGH]
The IAX2 channel driver (chan_iax2) in Asterisk 1.2 before revision 72630 and 1.4 before revision 65679, when configured to allow unauthenticated calls, sends "early audio" to an unverified source IP address of a NEW message, which allows remote attackers to cause a denial of service (traffic amplification) via a spoofed NEW message.
OSV (osv · 2008-04-23 · CVSS 7.1)
CVE-2008-1923 [HIGH]
The IAX2 channel driver (chan_iax2) in Asterisk 1.2 before revision 72630 and 1.4 before revision 65679, when configured to allow unauthenticated calls, sends "early audio" to an unverified source IP address of a NEW message, which allows remote attackers to cause a denial of service (traffic amplification) via a spoofed NEW message.
OSV (osv · 2008-04-23 · CVSS 4.3)
CVE-2008-1897 [MEDIUM]
The IAX2 channel driver (chan_iax2) in Asterisk Open Source 1.0.x, 1.2.x before 1.2.28, and 1.4.x before 1.4.19.1; Business Edition A.x.x, B.x.x before B.2.5.2, and C.x.x before C.1.8.1; AsteriskNOW before 1.0.3; Appliance Developer Kit 0.x.x; and s800i before 1.1.0.3, when configured to allow unauthenticated calls, does not verify that an ACK response contains a call number matching the server's reply to a NEW message, which allows remote attackers to cause a denial of service (traffic amplification) via a spoofed ACK response that does not complete a 3-way handshake. NOTE: this issue exists because of an incomplete fix for CVE-2008-1923.
No detection rules found.
No public exploits indexed.
References:
- http://bugs.digium.com/view.php?id=10078
- http://downloads.digium.com/pub/security/AST-2008-006.html
- http://www.altsci.com/concepts/page.php?s=asteri&p=1
- https://exchange.xforce.ibmcloud.com/vulnerabilities/42049