CVE-2020-28242
Published: 2020-11-06
Priority: P3 · 35 · medium · 6.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS: 1.54% (71.8th percentile)
An issue was discovered in Asterisk Open Source 13.x before 13.37.1, 16.x before 16.14.1, 17.x before 17.8.1, and 18.x before 18.0.1 and Certified Asterisk before 16.8-cert5. If Asterisk is challenged on an outbound INVITE and the nonce is changed in each response, Asterisk will continually send INVITEs in a loop. This causes Asterisk to consume more and more memory since the transaction will never terminate (even if the call is hung up), ultimately leading to a restart or shutdown of Asterisk. Outbound authentication must be configured on the endpoint for this to occur.
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| asterisk | certified_asterisk | <= 16.8.0 | — |
| debian | asterisk | < asterisk 1:16.15.0~dfsg-1 (bullseye) | asterisk 1:16.15.0~dfsg-1 (bullseye) |
| debian | debian_linux | — | — |
| fedoraproject | fedora | — | — |
| sangoma | asterisk | >= 0 < 1:16.15.0~dfsg-1 | 1:16.15.0~dfsg-1 |
| sangoma | asterisk | >= 13.0 < 13.37.1 | 13.37.1 |
| sangoma | asterisk | >= 16.0 < 16.14.1 | 16.14.1 |
| sangoma | asterisk | >= 17.0 < 17.8.1 | 17.8.1 |
| sangoma | asterisk | >= 18.0 < 18.0.1 | 18.0.1 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| nvd | v2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:N/I:N/A:P |
| osv | — | 6.5 | MEDIUM | — |
| vendor_debian | — | 6.5 | MEDIUM | — |
GHSA
GHSA-q5gr-h5mj-hp63 (ghsa_unreviewed, 2022-05-24): CVE-2020-28242 · MEDIUM · CWE-674
OSV
CVE-2020-28242 (osv, 2020-11-06): MEDIUM · CVSS 6.5
Debian
CVE-2020-28242: asterisk (vendor_debian, 2020): MEDIUM · CVSS 6.5
Scope: local
bullseye: resolved (fixed in 1:16.15.0~dfsg-1)
sid: resolved (fixed in 1:16.15.0~dfsg-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
http://downloads.asterisk.org/pub/security/AST-2020-002.html
https://lists.debian.org/debian-lts-announce/2022/04/msg00001.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QUS54QTQCYKR36EIULYD544GXDA644HB/