cbcvebase.
CVE-2020-28242
published 2020-11-06


Priority: P3 35
Severity: medium, 6.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS: 1.54% (71.8th percentile)
An issue was discovered in Asterisk Open Source 13.x before 13.37.1, 16.x before 16.14.1, 17.x before 17.8.1, and 18.x before 18.0.1 and Certified Asterisk before 16.8-cert5. If Asterisk is challenged on an outbound INVITE and the nonce is changed in each response, Asterisk will continually send INVITEs in a loop. This causes Asterisk to consume more and more memory since the transaction will never terminate (even if the call is hung up), ultimately leading to a restart or shutdown of Asterisk. Outbound authentication must be configured on the endpoint for this to occur.

Affected

9 ranges

Vendor         | Product            | Version range                              | Fixed in
---------------|--------------------|--------------------------------------------|------------------------------------------
asterisk       | certified_asterisk | <= 16.8.0                                  |
debian         | asterisk           | < asterisk 1:16.15.0~dfsg-1 (bullseye)     | asterisk 1:16.15.0~dfsg-1 (bullseye)
debian         | debian_linux       |                                            |
fedoraproject  | fedora             |                                            |
sangoma        | asterisk           | >= 0 < 1:16.15.0~dfsg-1                    | 1:16.15.0~dfsg-1
sangoma        | asterisk           | >= 13.0 < 13.37.1                          | 13.37.1
sangoma        | asterisk           | >= 16.0 < 16.14.1                          | 16.14.1
sangoma        | asterisk           | >= 17.0 < 17.8.1                           | 17.8.1
sangoma        | asterisk           | >= 18.0 < 18.0.1                           | 18.0.1

CVSS provenance

Source         | Version | Score | Severity | Vector
---------------|---------|-------|----------|------------------------------------------------
nvd            | v3.1    | 6.5   | MEDIUM   | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
nvd            | v2.0    | 4.0   | MEDIUM   | AV:N/AC:L/Au:S/C:N/I:N/A:P
osv            |         | 6.5   | MEDIUM   |
vendor_debian  |         | 6.5   | MEDIUM   |