CVE-2009-2346 — Improper Restriction of Operations within the Bounds of a Memory Buffer in Asterisk

CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-837 — Improper Enforcement of a Single, Unique Action7 documents7 sources

Severity

7.8HIGHNVD

EPSS

0.8%

top 25.95%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Sangoma Asterisk Debian Asterisk Asterisk Appliance S800i +3 more

Timeline

PublishedSep 8

Latest updateMay 2

Description

The IAX2 protocol implementation in Asterisk Open Source 1.2.x before 1.2.35, 1.4.x before 1.4.26.2, 1.6.0.x before 1.6.0.15, and 1.6.1.x before 1.6.1.6; Business Edition B.x.x before B.2.5.10, C.2.x before C.2.4.3, and C.3.x before C.3.1.1; and s800i 1.3.x before 1.3.0.3 allows remote attackers to cause a denial of service (call-number exhaustion) by initiating many IAX2 message exchanges, a related issue to CVE-2008-3263.

CVSS vector

AV:N/AC:L/C:N/I:N/A:CExploitability: 10.0 | Impact: 6.9

Affected Packages7 packages

▶NVDasterisk/opensource5 versions+4

▶NVDasterisk/open_source87 versions+86

▶NVDasterisk/appliance_s800i1.3, 1.3.0.2+1

▶debiandebian/asterisk< asterisk 1:1.6.2.0~dfsg~beta3-1 (bullseye)

▶Debiansangoma/asterisk< 1:1.6.2.0~dfsg~beta3-1

🔴Vulnerability Details

GHSA

GHSA-qm3m-5rgr-2hq8: The IAX2 protocol implementation in Asterisk Open Source 1↗2022-05-02

▶

OSV

CVE-2009-2346: The IAX2 protocol implementation in Asterisk Open Source 1↗2009-09-08

▶

📋Vendor Advisories

Red Hat

asterisk: IAX2 DoS vulnerability (AST-2009-006)↗2009-09-03

▶

Debian

CVE-2009-2346: asterisk - The IAX2 protocol implementation in Asterisk Open Source 1.2.x before 1.2.35, 1....↗2009

▶

📐Framework References

CWE

Improper Enforcement of a Single, Unique Action↗

▶

💬Community

Bugzilla

CVE-2009-2346 asterisk: IAX2 DoS vulnerability (AST-2009-006)↗2009-09-04

▶