CVE-2020-28327 — Improper Resource Shutdown or Release in Asterisk

CWE-404 — Improper Resource Shutdown or Release4 documents4 sources

Severity

5.3MEDIUMNVD

EPSS

2.8%

top 13.96%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Sangoma Asterisk Debian Asterisk Digium Certified Asterisk

Timeline

PublishedNov 6

Latest updateMay 24

Description

A res_pjsip_session crash was discovered in Asterisk Open Source 13.x before 13.37.1, 16.x before 16.14.1, 17.x before 17.8.1, and 18.x before 18.0.1. and Certified Asterisk before 16.8-cert5. Upon receiving a new SIP Invite, Asterisk did not return the created dialog locked or referenced. This caused a gap between the creation of the dialog object, and its next use by the thread that created it. Depending on some off-nominal circumstances and timing, it was possible for another thread to free s…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 1.6 | Impact: 3.6

Affected Packages4 packages

▶NVDdigium/certified_asterisk16.8

▶debiandebian/asterisk< asterisk 1:16.15.0~dfsg-1 (bullseye)

▶NVDsangoma/asterisk13.0.0 — 13.37.1+3

▶Debiansangoma/asterisk< 1:16.15.0~dfsg-1

Patches

Patch: downloads.asterisk.org ↗Patch: downloads.asterisk.org ↗

🔴Vulnerability Details

GHSA

GHSA-ggx6-v629-c48v: A res_pjsip_session crash was discovered in Asterisk Open Source 13↗2022-05-24

▶

OSV

CVE-2020-28327: A res_pjsip_session crash was discovered in Asterisk Open Source 13↗2020-11-06

▶

📋Vendor Advisories

Debian

CVE-2020-28327: asterisk - A res_pjsip_session crash was discovered in Asterisk Open Source 13.x before 13....↗2020

▶