CVE-2023-49786Improper Check or Handling of Exceptional Conditions in Asterisk

CWE-703Improper Check or Handling of Exceptional ConditionsCWE-362Race Condition5 documents4 sources
Severity
5.9MEDIUMNVD
EPSS
0.1%
top 73.39%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
AsteriskDigium AsteriskDebian Asterisk+1 more
Timeline
PublishedDec 14

Description

Asterisk is an open source private branch exchange and telephony toolkit. In Asterisk prior to versions 18.20.1, 20.5.1, and 21.0.1; as well as certified-asterisk prior to 18.9-cert6; Asterisk is susceptible to a DoS due to a race condition in the hello handshake phase of the DTLS protocol when handling DTLS-SRTP for media setup. This attack can be done continuously, thus denying new DTLS-SRTP encrypted calls during the attack. Abuse of this vulnerability may lead to a massive Denial of Service

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 2.2 | Impact: 3.6

Affected Packages5 packages

NVDsangoma/certified_asterisk13.13.0, 16.8.0, 18.9+2
NVDdigium/asterisk19.0.020.5.1+2
debiandebian/asterisk< asterisk 1:16.28.0~dfsg-0+deb11u4 (bullseye)
CVEListV5asterisk/asterisk< 18.20.1+3
Debianasterisk/asterisk< 1:16.28.0~dfsg-0+deb11u4

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

1
OSV
CVE-2023-49786: Asterisk is an open source private branch exchange and telephony toolkit2023-12-14

📋Vendor Advisories

1
Debian
CVE-2023-49786: asterisk - Asterisk is an open source private branch exchange and telephony toolkit. In Ast...2023

💬Community

2
Bugzilla
TRIAGE CVE-2023-49786 asterisk: race condition in the hello handshake phase of the DTLS protocol triggers denial of service [fedora-all]2023-12-14
Bugzilla
TRIAGE CVE-2023-49786 asterisk: race condition in the hello handshake phase of the DTLS protocol triggers denial of service [epel-all]2023-12-14
CVE-2023-49786 — Asterisk vulnerability | cvebase